Fake Amazon order - New Zbot variant
SonicWALL UTM Research team discovered a new Zbot spam campaign involving fake order payment e-mail from Amazon. The e-mail informs the user to download the attached file which it claims to be a document containing order tracking number.
The e-mail contains malicious executable file inside the zip attachment that has an icon disguised as a Microsoft Word document. This malware executable is a new variant of Zbot Trojan.
The e-mail message looks like:
The downloaded fake tracking number document looks like:
If the user tries to open this document file, it performs the following activities:
- Connects to a malicious domain hulejsoops.ru which is a Zbot Command & Control (C&C) server and sends following HTTP requests:
- GET /images/bb.php?v=2(REMOVED)m=40
- GET /images/bb.php?v=2(REMOVED)m=41
- Uppon successful connection & authentication to the C&C server it receives following command strings to further download additional malware as well as encrypted configuration file:
- Based on above command strings, it downloads and executes all or some of these files based on the victim machine:
- (SYSTEM)sdra64.exe [Detected as GAV: Wigon.KG (Trojan)]
- (SYSTEM)ustftqmbt.exe [Detected as GAV: Wigon.KG (Trojan)]
- Registry modifications in order to ensure that the malware executes on each system reboot:
- HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit: "(SYSTEM)userinit.exe,(System)sdra64.exe,"
- HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunustftqmbt: "(SYSTEM)ustftqmbt.exe"
- Downloads configuration file konf1.bin from one of the URLs found in the command string received from C&C server.
- Deletes the original copy of the file.
The Trojan has very low AV detection at the time of writing this alert and is also known as Trojan.Win32.VBKrypt.td [Kaspersky] and Mal/Koobface-E [Sophos].
SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.TD (Trojan) signature.