Rise in Tepfer spam campaigns leading to P2P Zeus

February 1, 2013

Dell SonicWALL Threats Research team has observed an increase in spam campaigns involving new variants of the Tepfer Infostealer Trojan in the last one week. Tepfer also known as Fareit is known for stealing sensitive information from the victim machine which includes user credentials for various applications and certificates. It is also known to download and install Banking Trojans like Cridex and P2P Zeus on the victim machine. A more detailed analysis on the Tepfer Trojan infection activity can be found in one of our previous SonicAlert.

The Tepfer variants from recent spam campaigns were all found to be installing P2P Zeus Trojan on the victim machine. Dell SonicWALL has received more than 50,000 e-mail copies from these spam campaigns till now. The email messages in all these spam campaigns have a zip archived attachment which contains the new variants of the Tepfer Trojan executable. The sample e-mail format from each spam campaign is shown below:



The e-mail attachment contains a malicious executable with icons disguised to look like legitimate document files as seen below:


Infection Cycle:

Upon execution the Trojan mines the victim machine for user credentials of various FTP and E-mail applications. More details on the application names and other infection activity can be found here.

The Trojan attempts to connect to a predetermined Command & Control server to report infection and upload stolen credentials from the victim machine via a POST request. Below are the C&C servers we saw during the last one week:

  • archiv.social-neos.eu:8080
  • central.si-vision.fr:8080
  • cloud.social-neos.eu:8080
  • eyon-neos.eu:8080
  • quest.social-neos.eu:8080

It also connects to multiple domains to download and install the new variant of P2P Zeus Trojan on the victim machine. Below are the associated domains hosting new P2P Zeus binaries that we captured from these spam campaigns:

  • indonesiascuba.com
  • patentanwalt-baden.de
  • www.dimag-giantpale.it
  • plcontractors.co.uk
  • www.quickbeautyservizio.it

The downloaded Zeus payload is detected as GAV: Zbot.AAU_9 (Trojan).

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Kryptik.ATJW (Trojan)
  • GAV: Kryptik.ATCI (Trojan)
  • GAV: Kryptik.ATLY (Trojan)