New social engineering tactics by Bredolab and ZBot (Oct 30, 2009)

The SonicWALL UTM Research team has observed a new social engineering tactic being used to spam new variants of the Bredolab and Zbot Trojans. The Facebook password reset spam campaign started on October 26, 2009 and involves a fake e-mail message pretending to come from the Facebook team, informing the user that their Facebook account password has been reset. The user is told to retrieve the new password from the attached document, which is in fact a new variant of the Bredolab Trojan.

The Myspace password reset spam campaign started on October 29, 2009 and likewise involves a fake e-mail message pretending to come from the Myspace team, informing the user that their Myspace account password has been reset. Here the attached document that supposedly holds the new password is a new variant of the ZBot Trojan.

SonicWALL has received more than 65,000 e-mail copies from these spam campaigns so far, involving 96 Bredolab variants and 10 Zbot variants. The e-mail message format looks like this:

Campaign #1 – Facebook Password Reset spam

Attachment: Facebook_Password_99176.zip (contains Facebook_Password_99176.exe)

Subject: Facebook Password Reset Confirmation! Please Attention!

Email Body:
————————
Hey [random name] ,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team.
————————

[Screenshot: sample e-mail message]

The executable file inside the zip attachment has an icon disguised as a Microsoft Excel sheet file:

[Screenshot: attachment icon]

Campaign #2 – Myspace Password Reset spam

Attachment: myspace_94354.zip (contains myspace_94354.exe)

Subject: Myspace Password Reset Confirmation

Email Body:
————————
Hello,

Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Thanks,
The Myspace Team
————————

[Screenshot: sample e-mail message]

SonicWALL Gateway AntiVirus provided proactive protection against the Facebook spam campaign via the GAV: Bredolab.X_3 (Trojan) signature (16,498,402 hits recorded in the last five days) and against the Myspace spam campaign via the GAV: Zbot.VM (Trojan) signature (4,009,386 hits recorded in the last three days).
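As a defender-side illustration, here is an added Python mail-filter check (example code, not SonicWALL's) that parses a message in the shape of the two campaigns above and flags the combination of a password-reset lure with a zip attachment holding an executable; the sample message and the file contents inside the zip are constructed for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
import io
import re
import zipfile
# Lure phrases taken from the Facebook and Myspace password-reset e-mails above.
LURE_PATTERNS = [re.compile(p, re.I) for p in (
    r"password reset confirmation",
    r"your password has been changed",
    r"new password in (?:the )?attached document",
)]
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")

def zip_has_executable(data: bytes) -> bool:
    """True if the archive lists an entry with an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(EXEC_EXTS) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def score_message(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message; report lure hits and zipped executables."""
    msg = message_from_bytes(raw, policy=policy.default)
    text, exe_in_zip = msg.get("Subject", ""), False
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            text += "\n" + part.get_content()
        elif (part.get_filename() or "").lower().endswith(".zip"):
            exe_in_zip |= zip_has_executable(part.get_payload(decode=True))
    hits = [p.pattern for p in LURE_PATTERNS if p.search(text)]
    # Flag only when lure text AND a zipped executable co-occur; a real reset notice has no exe.
    return {"lure_hits": hits, "exe_in_zip": exe_in_zip,
            "quarantine": bool(hits) and exe_in_zip}

def build_sample(attach_exe: bool) -> bytes:
    """Constructed message in the shape of Campaign #1 (not a real capture)."""
    msg = EmailMessage()
    msg["Subject"] = "Facebook Password Reset Confirmation! Please Attention!"
    msg.set_content("Hey John,\n\nBecause of the measures taken to provide safety to our "
                    "clients, your password has been changed.\nYou can find your new "
                    "password in attached document.\n\nThanks,\nThe Facebook Team.")
    if attach_exe:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:  # inert bytes stand in for the payload
            zf.writestr("Facebook_Password_99176.exe", b"MZ placeholder, not malware")
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="Facebook_Password_99176.zip")
    return msg.as_bytes()
```

Running `score_message(build_sample(True))` yields a quarantine verdict, while the same lure text without the zipped executable does not, which is the distinction a gateway rule needs so that legitimate password-reset notices pass.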

