MX Lab just intercepted a batch of emails purporting to come from Western Union, claiming that your credit card issuing bank has halted a transaction at the demand of the Federal Criminal Investigation Service. It sounds really scary at first.
The sender's address is spoofed and random; the subject reads “Western Union MTCN #5993705206”. The number, and even the subject itself, may change as the campaign is distributed.
The content of the email:
Attention! The wire sent to Maksim Zverev, Moscow, Russia has been blocked by our security service.
Your credit card issuing bank has halted the transaction by the demand of the Federal Criminal Investigation Service (case No. 42976 since the recipient has been undergoing the international retrieval by the InterPol.
Please contact the closest Western Union office and make sure you have your ID card, the credit card that was used for making the payment, and the invoice file with you.
(The invoice file is attached to this message; please print it out and hand it to our agent.)
You can find the address of the closest Western Union agent on our website at http://www.westernunion.com
First of all, the sender's address and the first paragraph of the email should already mark this message as suspicious and dangerous. Did you send a wire to someone in Russia lately? The chance is quite small, I think.
Furthermore, the attached “invoice” is a Zip archive containing an executable. Even if your anti-virus engine isn't up to date yet, an invoice that arrives as an executable should be a red flag to anyone. At the moment only one anti-virus engine, Sophos, detects the trojan, so be careful.
And yes, our ZBot trojan is back again as a new variant. It is a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screenshots, downloads additional components, and gives the attacker remote access to the compromised system.
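The two indicators called out above (a recognisable lure subject and an "invoice" that is really an executable inside a Zip) can be checked at the mail gateway without any signature update. The following is an added example, not code from MX Lab or from the original post: it builds a constructed lure message inline (the sender domain, a fake minimal PE header and the file name invoice.pdf.exe are all assumptions), then triages it by content, identifying the executable from its MZ/PE headers rather than trusting the file extension.

```python
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed stand-in for the malicious attachment: a minimal PE header (MZ
# stub whose e_lfanew points at a 'PE\0\0' signature). Not a real Zbot sample.
FAKE_PE = (b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")  # DOS header, e_lfanew = 0x40
           + b"PE\x00\x00" + b"\x00" * 200)

SUBJECT_RE = re.compile(r"Western Union MTCN #\d+", re.IGNORECASE)
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
MAX_MEMBER_BYTES = 16 * 1024 * 1024  # do not inflate oversized members (zip-bomb guard)


def build_sample_email() -> bytes:
    """Assemble a constructed lure: spoofed sender, MTCN subject, invoice.zip holding a PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf.exe", FAKE_PE)
    msg = EmailMessage()
    msg["From"] = "customer.service@wu-4f7a.example"  # random spoofed sender (constructed)
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Western Union MTCN #5993705206"
    msg.set_content("Attention! The wire sent to ... has been blocked by our security service.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


def is_pe(data: bytes) -> bool:
    """Identify a Windows PE by content, not by name: 'MZ' magic plus 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(raw: bytes) -> list[str]:
    """Return human-readable findings for one raw RFC 822 message."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    if SUBJECT_RE.search(subject):
        findings.append(f"subject matches lure pattern: {subject!r}")
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue
        payload = part.get_payload(decode=True) or b""
        if not fname.lower().endswith(".zip") and part.get_content_type() != "application/zip":
            if is_pe(payload):
                findings.append(f"{fname}: attachment is a Windows executable")
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            findings.append(f"{fname}: claims to be a ZIP but is not a valid archive")
            continue
        for info in zf.infolist():
            name = info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{fname}:{name}: member too large to inspect")
                continue
            member = zf.read(info)
            ext = os.path.splitext(name)[1].lower()
            if is_pe(member):
                findings.append(f"{fname}:{name}: Windows executable (PE) inside ZIP")
            elif ext in EXEC_EXTENSIONS:
                findings.append(f"{fname}:{name}: executable extension inside ZIP")
            if name.lower().count(".") > 1 and ext in EXEC_EXTENSIONS:
                findings.append(f"{fname}:{name}: double extension disguises executable")
    return findings


if __name__ == "__main__":
    for line in triage(build_sample_email()):
        print(line)
```

The PE check is deliberately separate from the extension check: renaming the dropper to invoice.pdf or stripping the extension entirely still trips the header check, while a harmless file that merely ends in .exe is reported at the lower "executable extension" level. The member-size cap matters in a gateway, where an attacker controls the archive and a small Zip can inflate to gigabytes.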
Files such as %System%\oembios.exe are created on the system (detected as Mal/EncPk-CZ by Sophos and as PWS:Win32/Zbot.gen!B by Microsoft).
The folder %System%\sysproc64 is created to hold %System%\sysproc64\sysproc32.sys and %System%\sysproc64\sysproc86.sys. The Windows registry is modified, and an HTTP connection to an external IP on port 80 is made with a GET request for bone/no.bin.
VirusTotal permalink and MD5: 07b8c31d8519f04103cde011d24c82ec.
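The dropped files, the download path and the MD5 above are enough to sweep a host and a proxy log for this variant. The following is an added example written for this page, not MX Lab's own tooling. Two things are assumptions that the report does not state: %System% is expanded to C:\Windows\System32, and the log format is Squid's native access log. The directory listing and the log lines are constructed (203.0.113.7 is a documentation address), and the registry change is not checked because the report does not name the key.

```python
import hashlib
import re

# Indicators taken from the report above. Assumption: %System% = C:\Windows\System32.
SYSTEM_DIR = r"C:\Windows\System32"
FILE_IOCS = [
    r"%System%\oembios.exe",
    r"%System%\sysproc64\sysproc32.sys",
    r"%System%\sysproc64\sysproc86.sys",
]
KNOWN_MD5 = {"07b8c31d8519f04103cde011d24c82ec"}
# The dropper fetches bone/no.bin over plain HTTP (port 80). The report gives no
# host, so any host is accepted; an explicit ":80" in the URL is tolerated.
HTTP_IOC_RE = re.compile(r"\bGET\s+http://([^/\s:]+)(?::80)?/bone/no\.bin\b", re.IGNORECASE)

SAMPLE_FILES = [  # constructed directory listing from a suspect host
    r"C:\Windows\System32\kernel32.dll",
    r"C:\WINDOWS\system32\OEMBIOS.EXE",            # case differs, must still match
    r"C:\Windows\System32\sysproc64\sysproc86.sys",
]
SAMPLE_PROXY_LOG = [  # constructed Squid native-format lines
    "1262304000.117    312 10.0.0.5 TCP_MISS/200 512 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1262304001.420    845 10.0.0.5 TCP_MISS/200 98304 GET http://203.0.113.7/bone/no.bin - DIRECT/203.0.113.7 application/octet-stream",
]


def expand_ioc(path: str) -> str:
    """Expand %System% and normalise case; NTFS paths are case-insensitive."""
    return path.replace("%System%", SYSTEM_DIR).lower()


def match_files(present_paths) -> list[str]:
    """Return the IOC paths (in the report's notation) found in a directory listing."""
    wanted = {expand_ioc(p): p for p in FILE_IOCS}
    return sorted({wanted[p.lower()] for p in present_paths if p.lower() in wanted})


def match_hash(data: bytes) -> bool:
    """True if the bytes hash to the MD5 published for this sample."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5


def match_proxy_log(lines) -> list[tuple[str, str]]:
    """Return (download host, raw line) for every request for bone/no.bin."""
    hits = []
    for line in lines:
        m = HTTP_IOC_RE.search(line)
        if m:
            hits.append((m.group(1), line.strip()))
    return hits


def sweep(present_paths, log_lines, sample_bytes=None) -> dict:
    """Combine the three checks into one verdict for a host."""
    result = {
        "files": match_files(present_paths),
        "downloads": match_proxy_log(log_lines),
        "hash_match": match_hash(sample_bytes) if sample_bytes is not None else None,
    }
    result["infected"] = bool(result["files"] or result["downloads"] or result["hash_match"])
    return result


if __name__ == "__main__":
    verdict = sweep(SAMPLE_FILES, SAMPLE_PROXY_LOG, b"constructed bytes, not the real sample")
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

The file match is done on normalised full paths rather than bare file names: oembios.exe is a legitimate file name in some Windows installations, so only the %System% location named in the report counts. The download host is returned with each log hit because the report does not fix it, and it is the value you would pivot on next.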