A recently spotted spam campaign was using Message (.MSG) file attachments to infect users with the infamous Zbot banking Trojan, Trustwave security researchers say.
Used for storing Microsoft Outlook and Exchange message files, the .MSG file format isn’t popular among cybercriminals, but incidents where it has been abused for nefarious purposes have been reported before. Now, the file format is used to spread the Zbot Trojan (better known as Zeus or ZeuS), which steals user’s banking credentials.
The spam run contained alleged Tax Notification emails coming from Canada Revenue Agency, which had the aforementioned MSG file attached. Instead of delivering what it supposedly should have (this was said to be a “statement file”), the attachment was built with malicious purposes in mind.
What Trustwave researchers focused on was the extraction of the malicious object from the .MSG file without using Outlook, and they started by confirming that the file was an OLE (Object Linking and Embedding) compound file – used for storing MS Office documents. After that, the researchers extracted the OLE containers with 7zip, by renaming the file to .zip.
After installation, the Zbot Trojan connects to two domains (aspect[.]top and prispectos[.]top) and downloads its configuration file. Already a well-known threat, the banking Trojan can intercept network traffic and steal system information, online banking credentials and passwords, researchers note.
To stay protected, users should avoid opening .MSG file attachments that arrive via emails from untrusted sources. Outlook should prompt users with a warning by default, and users are advised to always check whether the received file is trustworthy before opening it.