Zeus Wire Transfer targeted attacks (April 12, 2012)


SonicWALL Threat Research team spotted a wave of Wire Transfer fraud e-mails in the wild starting early morning today. The e-mail notifies the user about a recent wire transaction that was cancelled and asks the user to open the attached HTML file or visit a URL specified in the e-mail body. If the user opens the attached HTML file or visits the URL inside the e-mail, they are redirected to a Phoenix Exploit site serving malware.

Below are the sample e-mails we saw from this campaign:

The HTML attachment contains obfuscated JavaScript that connects the user to a remote Phoenix Exploit site, which downloads a malicious PDF file; upon successful exploitation, it infects the system with a new variant of the Zeus P2P Trojan.

Below are some of the domains involved:

  • vanessamiyhome.ru:8080
  • vanishingmasers.ru:8080
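
A detection-side illustration of the HTML attachment described above, added here and not part of the original alert: it walks the attachments of a raw e-mail, flags the obfuscation traits named in the text (eval/unescape, long percent-escaped strings, hidden iframes or refreshes) and matches any host it recovers against the two domains listed. The message it scans is a constructed sample, not a captured one; the indicator names and the "two indicators or one IoC hit" threshold are my own assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import unquote, urlsplit

# Exploit-kit hosts named in this advisory, used as a tiny IoC watchlist.
KNOWN_EK_HOSTS = {"vanessamiyhome.ru:8080", "vanishingmasers.ru:8080"}
# Traits of the obfuscated JavaScript redirectors the advisory describes (assumed heuristics).
OBFUSCATION_PATTERNS = {
    "eval_unescape": re.compile(r"eval\s*\(\s*unescape", re.I),
    "fromcharcode": re.compile(r"String\.fromCharCode", re.I),
    "long_percent_escape": re.compile(r"(?:%[0-9a-f]{2}){20,}", re.I),
    "iframe_or_refresh": re.compile(r"<iframe|http-equiv=[\"']?refresh", re.I),
}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def analyze_html_attachment(html: str) -> dict:
    """Return obfuscation indicators and external hosts found in one HTML body."""
    hits = [name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(html)]
    # Percent-decode once so a host hidden inside unescape("...") is also seen.
    urls = URL_RE.findall(html + "\n" + unquote(html))
    hosts = {urlsplit(u).netloc.lower() for u in urls}
    ioc_hits = sorted(hosts & KNOWN_EK_HOSTS)
    return {"indicators": hits, "hosts": sorted(hosts), "ioc_hits": ioc_hits,
            "suspicious": bool(ioc_hits) or len(hits) >= 2}

def scan_message(raw_eml: bytes) -> list:
    """Parse a raw RFC 822 message and analyze every text/html attachment."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "text/html":
            body = part.get_content()  # transfer-decoded to str by the email package
            results.append({"filename": part.get_filename(), **analyze_html_attachment(body)})
    return results

def build_sample_eml() -> bytes:
    """Constructed sample (not a captured message): the lure e-mail plus an HTML
    attachment whose script hides the redirect target behind unescape()."""
    target = 'document.location="http://vanessamiyhome.ru:8080/";'
    escaped = "".join(f"%{b:02x}" for b in target.encode())  # every byte percent-encoded
    html = f'<html><body><script>eval(unescape("{escaped}"))</script></body></html>'
    msg = EmailMessage()
    msg["From"], msg["To"] = "wire-notify@example.com", "finance@example.org"
    msg["Subject"] = "Wire Transfer Cancelled"
    msg.set_content("Your wire transfer was cancelled. Open the attached report.")
    msg.add_attachment(html, subtype="html", filename="report.html")
    return bytes(msg)
```

Feeding real mail through `scan_message` is a matter of reading the raw message bytes from disk or a mail store; the sample builder exists only so the block runs offline.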

While the Phoenix Exploit kit is in action, it displays a fake NACHA page which allows the user to download a report which in reality is the Zeus Trojan:

We also spotted a small number of e-mails which were part of a spear-phishing campaign using the same theme, in which corporate executive staff were targeted. The e-mail pretends to be from the Federal Reserve System’s Fraud department and contains a URL pointing to a malicious site, federalreserve(REMOVED).com. A sample e-mail message looks like:

This phishing site redirects the users to a Blackhole Exploit site serving the Zeus Trojan. The initial website is hosted on Amazon’s Cloud server and we have notified Amazon’s security team about it. The functionality of the Zeus binary involved in both spam campaigns is similar to what we saw in a previous SonicAlert: Zeus P2P variant served via spammed Blackhole exploit links (Mar 2, 2012).

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Blacole.gen_2 (Exploit)
  • GAV: Blacole.WR (Exploit)
  • GAV: Zbot.IVT (Trojan)