Notorious Zbot Banking Trojan Ramping Up To Flood Inboxes With Malware
Malware hackers are mounting fresh efforts to infect computer users with the notorious Zbot (or Zeus) banking Trojan, which means we could be facing an epidemic of online banking theft.
We have noticed that spammers are busy trying to convince users by email that their email accounts have been deactivated, instructing them to run a file which is, as you may have already guessed, an infected attachment that installs malware on the user's computer.
The malicious emails carry the subject line "your mailbox has been deactivated" and claim that the user will be contacted regarding unusual activity identified on their mailbox. The messages read:
"As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility."
The emails are fabricated to appear as if they arrive from the address "notifications@[address].com", using the same domain as the recipient's own account. So if your email address is at example.com, the spam's From field will be spoofed to notifications@example.com. This is a clever way for the attackers to impersonate your ISP or another "trusted" source, so users are more apt to open and run the malicious attachment.
The file attached to the spam email is called "utility.zip" and contains an executable identified as Mal/EncPk-LP. This malware pulls down further Trojan downloaders from various hosts, which eventually install the Trojan horse detected as TrojWare.Win32.TrojanSpy.Zbot.Gen (Trojan-Spy.Win32.Zbot.gen).
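As an added illustration (not code from the original article), here is a small Python mail-filter check that looks for the three traits this campaign combines: the lure subject line, a From address of notifications@ on the recipient's own domain, and a zip attachment wrapping an executable. The messages it scans are constructed inline to mimic the lure and a harmless control; the function names, indicator strings and extension list are my own assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Traits of the lure described in the article. The constant names and the
# extension list are assumptions made for this example.
LURE_SUBJECT = "your mailbox has been deactivated"
SPOOFED_LOCALPART = "notifications"
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def executables_in_zip(data: bytes) -> list[str]:
    """Return member names inside a zip payload that look like executables."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []  # not a valid zip; the other checks still apply


def _first_address(msg: EmailMessage, field: str) -> str:
    """Lower-cased addr-spec of the first mailbox in an address header, or ''."""
    hdr = msg.get(field)
    if hdr is None or not getattr(hdr, "addresses", ()):
        return ""
    return hdr.addresses[0].addr_spec.lower()


def mailbox_lure_indicators(raw: bytes) -> list[str]:
    """Scan one raw RFC 5322 message and list which lure traits it exhibits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators: list[str] = []

    if LURE_SUBJECT in (msg.get("Subject") or "").lower():
        indicators.append("subject matches lure")

    # Spoof check: notifications@<recipient's own domain>, as the campaign does
    from_local, _, from_domain = _first_address(msg, "From").partition("@")
    to_domain = _first_address(msg, "To").partition("@")[2]
    if from_local == SPOOFED_LOCALPART and from_domain and from_domain == to_domain:
        indicators.append("from spoofs notifications@ on recipient domain")

    # Attachment check: a zip that carries an executable member
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            for exe in executables_in_zip(payload):
                indicators.append(f"zip attachment {name} contains executable {exe}")
    return indicators


def build_sample_lure() -> bytes:
    """Constructed message mimicking the campaign; the zip member is a harmless stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mailbox_utility.exe", b"stub bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "notifications@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Your mailbox has been deactivated"
    msg.set_content("To restore your mailbox, extract and run the attached mailbox utility.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="utility.zip")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed ordinary message with a text attachment, for comparison."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes attached.")
    msg.add_attachment("agenda items", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_sample_lure()), ("benign", build_benign_message())):
        print(label, mailbox_lure_indicators(raw))
```

Each trait on its own is weak evidence (plenty of legitimate mail comes from notifications@ on your own domain), so a filter would normally score them together rather than block on any one; the From check also only catches the same-domain spoof described here and says nothing about SPF or DKIM results, which a real gateway would consult as well.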
The Zbot Trojan, also known as Zeus, is a family of sophisticated Trojan stealers programmed to hijack online banking credentials and covertly transfer money to accounts controlled by the attackers. Email spam has lately become the preferred method of distributing such Trojans. UK Vodafone, Verizon mobile customers and Facebook users have recently been targets of this specific type of attack. Users of such services should be aware and use caution when opening messages that contain attachments or embedded links.