Sophos Cloud Optix
We’re currently seeing a limited-volume run of spam messages linking to a zip file containing Zbot/Zeus malware. The messages purport to be from the Department of Homeland Security, the Pentagon, or the Transportation Security Administration.
The subjects of the spam messages we’ve seen so far are:
(U) Transportation Security Administration
FOR OFFICIAL USE ONLY
RE:Al-Qaeda in the Arabian Peninsula (AQAP)
Scientific Advisory Board
Report on Defending and Operating in a Contested Cyber Domain
Nasir al-Wahayshi
The body of the messages contains text about a latest report on Al-Qaeda/Terrorist attacks/Cyber Security/Airport Security. To view the report, each message presents two links pointing to a report.zip file residing on a compromised domain. Each of the zip files contains the file report.exe – a Zbot Trojan, currently detected as Troj/Zbot-RA.
Here are a few selected samples of the messges:
Unlike some of the other Zbot runs we’ve seen, this current run is relatively low volume. Nevertheless, this trickery by the Zbot crew is not new. They’ve tried to spoof other agencies such as the NSA back in February, going as far as coming up with a spam run that “reports” on their own attacks.
Even if you do work for one of these agencies, there should be no reason you would be receiving weblink reports in this fashion. Users should have no trouble avoiding these spam campaigns as long as they remain vigilant, don’t let curiousity to get the better of them, and not to run any unknown executables.