MX Lab intercepts emails with an embedded URL that leads to a web site showing the notice “You don’t have the latest version of Macromedia Flash Player.” and offering the file flashinstaller.exe for download. The file itself is malware, detected as Win32:Zbot-MGA (Avast), W32/Bifrost.C.gen!Eldorado (F-Prot), PWS-Zbot.gen.v (McAfee) or PWS:Win32/Zbot.gen!R (Microsoft).
Possible subjects are (where * stands for characters of the email address or domain name):
dear owner of ****@*****.com
for ****.com email service user
for ****@****.com email service user
please update your ****@****.com mailbox
The content of the body:
Dear owner of the ****@****.com mailbox,
You have to change the security mode of your account, from standart to secure. Please change the security mode by using the link below:
This is a screenshot of such a site:
One thing we notice, which is a bit hilarious and suggests the author has been on Mars for quite some time, is the use of the company name Macromedia. As we all know by now, Macromedia has been taken over by Adobe and the Macromedia brand name is no longer used.
Anyway, the URL leads to a 124 kB file named flashinstaller.exe. The malware has the characteristics of ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and provides the attacker with remote access to the compromised system.
The system file %System%\sdra64.exe is created, together with the hidden directory %System%\lowsec and the hidden files %System%\lowsec\local.ds and %System%\lowsec\user.ds.
New memory pages are created in the address space of the system processes %System%\services.exe, %System%\lsass.exe, %System%\svchost.exe and %ProgramFiles%\internet explorer\iexplore.exe, in combination with Windows registry edits.
A connection to a remote host at 126.96.36.199 on port 80 is established and the following URLs are requested:
VirusTotal permalink and MD5: f6a5c4ceed2c45268b083488faecb10a.
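As an added example (not MX Lab's own tooling), the following Python turns the indicators above into checks a mail gateway or host triage script could run: the masked subject templates and lure phrases become a message classifier, the %System% artifacts become a host path matcher, and the published MD5 becomes a sample lookup. The regexes, the `system_dir` default and the sample inputs in the tests are assumptions constructed for this example.

```python
import hashlib
import re

# Subject templates from the campaign, with the masked address/domain
# (shown as **** in the report) turned into regexes. Constructed here.
SUBJECT_PATTERNS = [
    re.compile(r"^dear owner of \S+@\S+\.\w+$", re.I),
    re.compile(r"^for \S+\.\w+ email service user$", re.I),
    re.compile(r"^for \S+@\S+\.\w+ email service user$", re.I),
    re.compile(r"^please update your \S+@\S+\.\w+ mailbox$", re.I),
]
# Phrases taken from the lure body and the fake update page.
BODY_MARKERS = ("security mode", "standart to secure",
                "macromedia flash player", "flashinstaller.exe")
# Host artifacts listed in the report; concrete paths are normalised
# onto the %System% placeholder before comparison.
HOST_ARTIFACTS = {r"%system%\sdra64.exe", r"%system%\lowsec",
                  r"%system%\lowsec\local.ds", r"%system%\lowsec\user.ds"}
KNOWN_MD5 = "f6a5c4ceed2c45268b083488faecb10a"  # MD5 from the report


def classify_email(subject: str, body: str) -> dict:
    """Report which campaign indicators an inbound message matches."""
    subj_hit = any(p.match(subject.strip()) for p in SUBJECT_PATTERNS)
    lower = body.lower()
    markers = [m for m in BODY_MARKERS if m in lower]
    # Flag only when a templated subject AND a lure phrase agree, so a
    # legitimate "please update your mailbox" notice alone does not trip it.
    return {"subject_match": subj_hit, "body_markers": markers,
            "suspicious": subj_hit and bool(markers)}


def normalise(path: str, system_dir: str = r"C:\Windows\System32") -> str:
    """Map a concrete Windows path onto the report's %System% placeholder."""
    p = path.lower().replace("/", "\\")
    return p.replace(system_dir.lower(), "%system%")


def host_indicators(observed_paths, system_dir=r"C:\Windows\System32"):
    """Return the report's artifacts present among observed file paths."""
    seen = {normalise(p, system_dir) for p in observed_paths}
    return sorted(seen & HOST_ARTIFACTS)


def matches_sample(data: bytes) -> bool:
    """True when a candidate file hashes to the reported sample's MD5.
    Exact-hash lookup only; repacked variants need AV or behavioural checks."""
    return hashlib.md5(data).hexdigest() == KNOWN_MD5
```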