Outlook reconfiguration emails carry malicious URLs


At the beginning of the month we wrote about a couple of spam campaigns that contained fake notifications urging users to reconfigure Microsoft Outlook, either by following the link embedded in the email message or by extracting the attached ZIP file and running the alleged Outlook update.

The previous campaigns must have been successful, as we are seeing a new spam campaign, launched yesterday, which includes a link to a malicious file. Several URLs are used, but the file name seems to be consistently Outlook_update.exe.

Looking at the filename and the changes made to the system when the file is run in our automated analysis environment, I would say this is a new Zbot variant, though in an attempt to detect it as soon as possible we classified it yesterday as a generic backdoor Trojan.

Sophos products detect the file as Troj/Bckdr-QVN, and all malicious URLs are blocked by the Sophos Web Security Appliance. The URLs used in this campaign seem to have been taken offline, but we can expect them to change as the attackers set up additional hosts to serve the malicious files.
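Because the hosts in this campaign keep changing while the filename does not, a practical check on your own web proxy logs is to key on the downloaded filename rather than on a list of URLs. The script below is an added example and is not Sophos code or part of the original post. The log layout (timestamp, client IP, method, URL) and the hostnames in the sample lines are assumptions constructed for the example; only the lure filename Outlook_update.exe comes from the campaign described above. It percent-decodes the URL path and matches the filename case-insensitively, so minor variations (outlook_update.exe, Outlook%5Fupdate.exe, OutlookUpdate.exe) are still caught.

```python
"""Flag proxy-log downloads of the Outlook_update.exe lure regardless of host.

Added example, not Sophos code. The log format is a constructed
"timestamp client method url" layout; adapt LOG_RE to your own proxy format.
The hostnames below are placeholders, not the campaign's real hosts.
"""
import re
from urllib.parse import urlsplit, unquote

# Constructed sample log lines: the host changes from line to line,
# the lure filename stays the same (one is percent-encoded, one has a query).
SAMPLE_LOG = """\
2010-07-20T09:12:01 10.0.0.14 GET http://host-a.example/update/Outlook_update.exe
2010-07-20T09:13:44 10.0.0.22 GET http://host-b.example/o/outlook_update.exe?id=7
2010-07-20T09:14:02 10.0.0.22 GET http://host-c.example/dl/Outlook%5Fupdate.exe
2010-07-20T09:15:30 10.0.0.31 GET http://www.example.com/outlook_update.html
2010-07-20T09:16:12 10.0.0.31 GET http://cdn.example.net/images/logo.png
"""

# One log line: timestamp, client address, HTTP method, URL (no spaces in any field).
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# The lure filename, matched case-insensitively and tolerating a dropped or
# swapped separator (Outlook_update.exe, OutlookUpdate.exe, outlook-update.exe).
LURE_NAME = re.compile(r"^outlook[_\-]?update\.exe$", re.IGNORECASE)


def basename_of(url):
    """Return the percent-decoded last path segment of a URL, without the query string."""
    path = unquote(urlsplit(url).path)
    return path.rsplit("/", 1)[-1]


def is_lure_download(url):
    """True when the URL's filename is the Outlook_update.exe lure, whatever the host."""
    return bool(LURE_NAME.match(basename_of(url)))


def scan_log(text):
    """Return (timestamp, client, url) for every well-formed line that fetched the lure."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the scan
        ts, client, _method, url = m.groups()
        if is_lure_download(url):
            hits.append((ts, client, url))
    return hits


if __name__ == "__main__":
    for ts, client, url in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} downloaded lure: {url}")
```

Matching on the filename is deliberately broader than blocking the known URLs: it still fires when the attackers move to a fresh host, at the cost of missing a future campaign that renames the payload, so treat it as one signal alongside the vendor detection rather than a replacement for it.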