Rise in Tepfer spam campaigns leading to P2P Zeus (Feb 1, 2013)


The Dell SonicWALL Threats Research team has observed an increase in spam campaigns carrying new variants of the Tepfer infostealer Trojan over the past week. Tepfer, also known as Fareit, steals sensitive information from the victim machine, including stored user credentials for various applications and certificates. It is also known to download and install banking Trojans such as Cridex and P2P Zeus on the victim machine. A more detailed analysis of Tepfer's infection activity can be found in one of our previous SonicAlerts.

The Tepfer variants from the recent spam campaigns were all found to install the P2P Zeus Trojan on the victim machine. Dell SonicWALL has received more than 50,000 copies of e-mails from these spam campaigns so far. Every e-mail message in these campaigns carries a ZIP-archived attachment containing one of the new Tepfer Trojan executables. A sample e-mail from each spam campaign is shown below:

[screenshot: sample spam e-mail]

[screenshot: sample spam e-mail]

The e-mail attachment contains a malicious executable whose icon is disguised to look like a legitimate document file, as seen below:

[screenshot: attachment executable with a document-style icon]
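A document icon is stored inside the executable itself, so a mail gateway or analyst should decide by the bytes of each archive member rather than by its name or icon. The following script is an added example for this advisory, not Dell SonicWALL code: it opens a ZIP attachment and reports members that carry a PE header (DOS `MZ` stub whose `e_lfanew` points at `PE\0\0`) under a document-style name, or that use a double extension such as `Invoice.pdf.exe`. The extension lists, the member names and the minimal PE stub are all constructed for the example.

```python
"""Flag executables hidden inside a ZIP attachment, whatever their filename.

Added example for this advisory; it is not Dell SonicWALL code. The archive
and the PE stub are constructed inline so the script runs offline.
"""
import io
import struct
import zipfile

# Extensions an attacker would want the attachment to look like (assumed list).
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt")
# Windows executable extensions worth flagging in mail (assumed list).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".cpl")


def looks_like_pe(data: bytes) -> bool:
    """True when data starts with a DOS 'MZ' stub whose e_lfanew (offset 0x3C)
    points at the 'PE\\0\\0' signature. The icon an executable shows in Explorer
    lives inside the file, so the bytes, not the name or the icon, decide."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def has_double_extension(name: str) -> bool:
    """'Invoice.pdf.exe': an executable extension after a document extension."""
    lower = name.lower()
    for exe_ext in EXECUTABLE_EXTENSIONS:
        if lower.endswith(exe_ext):
            return lower[:-len(exe_ext)].endswith(DOCUMENT_EXTENSIONS)
    return False


def suspicious_members(archive_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for each archive member that is a PE file
    or carries a double extension; plain data files are not reported."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as member:
                head = member.read(0x400)  # enough for the MZ stub and PE signature
            is_pe = looks_like_pe(head)
            if is_pe and name.lower().endswith(DOCUMENT_EXTENSIONS):
                findings.append((name, "PE executable named like a document"))
            elif has_double_extension(name):
                findings.append((name, "double extension hides an executable"))
            elif is_pe:
                findings.append((name, "executable attachment"))
    return findings


def fake_pe_stub() -> bytes:
    """Constructed header bytes that satisfy looks_like_pe(); not a real binary."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


def build_sample_archive() -> bytes:
    """Constructed ZIP resembling the attachments described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_0138.pdf.exe", fake_pe_stub())  # double extension
        zf.writestr("Shipping_Label.doc", fake_pe_stub())    # PE bytes, document name
        zf.writestr("README.txt", b"plain text, harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in suspicious_members(build_sample_archive()):
        print(f"{member}: {reason}")
```

Reading only the first kilobyte of each member is enough for the header check and keeps the scan cheap on large archives; a real gateway would also want to reject password-protected archives it cannot inspect.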

Infection Cycle:

Upon execution, the Trojan harvests stored user credentials for various FTP and e-mail clients from the victim machine. More details on the targeted applications and other infection activity can be found in the earlier SonicAlert referenced above.

The Trojan then attempts to connect to a predetermined command-and-control (C&C) server to report the infection and upload the stolen credentials via an HTTP POST request. Below are the C&C servers we saw over the past week:

  • archiv.social-neos.eu:8080
  • central.si-vision.fr:8080
  • cloud.social-neos.eu:8080
  • eyon-neos.eu:8080
  • quest.social-neos.eu:8080

It also connects to multiple domains to download and install the new P2P Zeus variant on the victim machine. Below are the domains we saw hosting the new P2P Zeus binaries in these spam campaigns:

  • indonesiascuba.com
  • patentanwalt-baden.de
  • www.dimag-giantpale.it
  • plcontractors.co.uk
  • www.quickbeautyservizio.it

The downloaded Zeus payload is detected as GAV: Zbot.AAU_9 (Trojan).

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Kryptik.ATJW (Trojan)
  • GAV: Kryptik.ATCI (Trojan)
  • GAV: Kryptik.ATLY (Trojan)