Outlook reconfiguration emails carry malicious URLs

Filed Under: Malware, SophosLabs, Spam

At the beginning of the month we wrote about a couple of spam campaigns containing fake notifications that urged users to reconfigure Microsoft Outlook, either by following a link embedded in the email message or by extracting an attached ZIP file and running the alleged Outlook update.

The previous campaigns must have been successful, as we are seeing a new spamming campaign, launched yesterday, which includes a link to a malicious file. Several URLs are used, but the file name seems to consistently be Outlook_update.exe.

Looking at the filename and the changes made to the system when the file runs in our automated analysis environment, I would say this is a new Zbot variant, though in an attempt to detect it as soon as possible we classified it yesterday as a generic backdoor Trojan.

Sophos products detect the file as Troj/Bckdr-QVN, and all malicious URLs are blocked by the Sophos Web Security appliance. The URLs used in this campaign seem to have been taken offline, but we can expect the URLs to change as attackers set up additional hosts to serve the malicious files.
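Because the hosts vary while the file name stays the same, a mail-filter check keyed on the link's final path component is a cheap way to catch follow-up waves. The following is an added example, not code from the Sophos post: it extracts URLs from a message body, flags links whose file name matches the lure named above or that point at any direct .exe download, and collects the hostnames involved so they can be reviewed for blocking. The message texts and hostnames are constructed for the example.

```python
import re
from posixpath import basename
from urllib.parse import urlparse

# Matches http/https links in plain-text message bodies.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")

# File name reported in the campaign; compared case-insensitively.
LURE_FILENAMES = {"outlook_update.exe"}

# Constructed sample messages modelled on the lure, not real spam samples.
SAMPLE_MESSAGES = [
    "Your Outlook settings must be reconfigured. Download the update: "
    "http://example-host1.test/files/Outlook_update.exe",
    "Please see http://example-host2.test/dl/outlook_update.exe?id=42 "
    "to apply the new Outlook configuration.",
    "Meeting notes: https://intranet.example.test/docs/agenda.pdf",
]


def extract_urls(text):
    """Return every http(s) URL found in the message text."""
    return URL_RE.findall(text)


def classify_url(url):
    """Return a reason string if the URL looks like a lure link, else None."""
    name = basename(urlparse(url).path).lower()  # query string is ignored
    if name in LURE_FILENAMES:
        return "known lure filename"
    if name.endswith(".exe"):
        return "direct executable download"
    return None


def scan_message(text):
    """Return [(url, reason)] for every suspicious link in one message."""
    hits = []
    for url in extract_urls(text):
        reason = classify_url(url)
        if reason:
            hits.append((url, reason))
    return hits


def flagged_hosts(messages):
    """Collect hostnames serving suspicious links across many messages."""
    return {urlparse(url).hostname for m in messages for url, _ in scan_message(m)}
```

Flagging is by file name only, so a campaign that renames the payload will slip past this rule; it is meant as a fast first-line filter alongside URL reputation blocking, not a replacement for it.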

About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.