New ZBot trojan appears in ‘tax statement’ and ‘account suspended’ emails
August 4, 2010
MX Lab intercepted emails about a tax statement that carry a new ZBot trojan variant. We noticed several variants of the email.
Internal Revenue Service with the tax statement
The message comes from spoofed sender addresses that include Internal Revenue Service.
Different subjects like the ones below are being used:
Notice of Underreported Income
Your Order with Amazon.com
The body of the email:
Taxpayer ID: bipin-00000299097131US
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax statement on Internal Revenue Service (IRS) (Attached please find)
===================================
Internal Revenue Service
Dear taxpayer,
The Federal income tax is a progressive tax, meaning that the more you earn, the higher your tax rate. Your tax rate depends not just upon your taxable income, but also upon your filing status (single, married filing jointly, etc.).
You’re in a higher tax bracket because:
- your annual income for the last tax year has increased. Please review your annual tax report immediately at:
(Please find attached file – tax report.zip)
The email carries the attachment tax statement.zip or tax report.zip; the archive contains a 140 kB file named tax statement.exe or tax report.exe.
Your internet access is going to get suspended
A second format is with the subject “Your internet access is going to get suspended” and the following body of the email:
Your internet access is going to get suspended
The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts. We are aware of your illegal activities on the internet which were originating from
You can check the report of your activities in the past 6 months that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material or your internet access will be suspended.
Sincerely
ISPC Monitoring Team
The trojan is detected as Trojan/Win32.Zbot (AhnLab-V3), Suspicious:W32/Malware!Gemini (F-Secure) and Mal/Zbot-U (Sophos).
It will create the following files:
%AppData%\Demuy\igin.exe
%AppData%\Kuse\miev.kuu
%Temp%\tmpbe92fc54.bat
The following directories are created:
%AppData%\Demuy
%AppData%\Kuse
A new memory page is created in the address space of the system process:
%System%\cmd.exe
Various Windows registry settings are modified and new ones are created. The trojan can establish connections to the IPs 74.125.65.147, 76.180.242.112 and 77.78.240.115 on port 80.
It connects to the following URLs:
* hxxp://www.google.com/webhp
* hxxp://jocudaidie.ru/9xq/_gate.php
* hxxp://zephehooqu.ru/bin/koethood.bin
The URL hxxp://zephehooqu.ru/bin/koethood.bin serves a download of a .bin file named koethood.bin.
At the time of writing this blog post, only 4 AV engines detected the threat 1 hour after the first submission to VirusTotal, so this version is relatively new.
VirusTotal permalink and MD5: 298a29ce2fe1291e39215fede14ff628.
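As an added defender-side example (not code from the MX Lab post), the Python helper below turns the indicators above into three checks: it flags zip attachments containing executables named like the lure files, compares an attachment's MD5 to the published hash, and scans proxy log lines for the listed C2 hosts and IPs. The zip payload and the log lines are constructed for the demonstration; they are not the real sample or real traffic.

```python
import hashlib
import io
import re
import zipfile

# Indicators quoted from the write-up; www.google.com/webhp is left out as too generic to act on.
KNOWN_MD5 = {"298a29ce2fe1291e39215fede14ff628"}
C2_HOSTS = {"jocudaidie.ru", "zephehooqu.ru"}
C2_IPS = {"76.180.242.112", "77.78.240.115"}
HOST_RE = re.compile(r"https?://([^/\s:]+)", re.I)

def suspicious_zip_members(zip_bytes):
    """Archive members that are executables named like the campaign's lure files."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            stem, _, ext = info.filename.lower().rpartition(".")
            if ext in {"exe", "scr", "com", "pif"} and stem in {"tax statement", "tax report"}:
                hits.append((info.filename, info.file_size))
    return hits

def matches_known_hash(data):  # True when the bytes hash to the MD5 published above
    return hashlib.md5(data).hexdigest() in KNOWN_MD5

def match_network_iocs(log_lines):
    """(line number, indicator) for proxy log lines that reach a listed C2 host or IP."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = HOST_RE.search(line)
        if m and m.group(1).lower() in C2_HOSTS:
            hits.append((n, m.group(1).lower()))
            continue
        for ip in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", line):
            if ip in C2_IPS:
                hits.append((n, ip))
                break
    return hits

def build_constructed_lure_zip():
    """Constructed stand-in for 'tax statement.zip'; the payload bytes are NOT the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("tax statement.exe", b"MZ" + b"\x00" * 140)
    return buf.getvalue()
SAMPLE_PROXY_LOG = [  # constructed lines shaped like the traffic described above
    "2010-08-04T09:14:02 10.0.0.21 GET http://www.google.com/webhp 200",
    "2010-08-04T09:14:05 10.0.0.21 POST http://jocudaidie.ru/9xq/_gate.php 200",
    "2010-08-04T09:14:09 10.0.0.21 GET http://zephehooqu.ru/bin/koethood.bin 200",
    "2010-08-04T09:16:01 10.0.0.23 CONNECT 77.78.240.115:80 200",
]
```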

If this is new and real, why don’t any of the AV vendors even acknowledge that you list can detect it?