Security Experts:

Zeus Banking Trojan Distributed via MSG Attachments

A recently spotted spam campaign was using Message (.MSG) file attachments to infect users with the infamous Zbot banking Trojan, Trustwave security researchers say.

Used for storing Microsoft Outlook and Exchange message files, the .MSG file format isn’t popular among cybercriminals, but incidents where it has been abused for nefarious purposes have been reported before. Now, the file format is used to spread the Zbot Trojan (better known as Zeus or ZeuS), which steals user’s banking credentials.

The spam run contained alleged Tax Notification emails coming from Canada Revenue Agency, which had the aforementioned MSG file attached. Instead of delivering what it supposedly should have (this was said to be a “statement file”), the attachment was built with malicious purposes in mind.

What Trustwave researchers focused on was the extraction of the malicious object from the .MSG file without using Outlook, and they started by confirming that the file was an OLE (Object Linking and Embedding) compound file – used for storing MS Office documents. After that, the researchers extracted the OLE containers with 7zip, by renaming the file to .zip.

Within the extracted streams, researchers found three folders named “__attach_version,” the first two of which contained an image of a spoofed PDF file. The third folder, however, contained another layer of OLE File, compressed, with yet another layer of OLE File inside it, with yet another layer of compressed data, which finally revealed heavily obfuscated JavaScript code.

When run, the JavaScript would download a malicious executable from the domain “tradestlo[.]top,” which researchers say was a Trojan downloader called Terdot. The malware was designed to inject its code into the Windows Explorer (explorer.exe) process and to download a second malicious payload, which was the banking Trojan Zbot.

After installation, the Zbot Trojan connects to two domains (aspect[.]top and prispectos[.]top) and downloads its configuration file. Already a well-known threat, the banking Trojan can intercept network traffic and steal system information, online banking credentials and passwords, researchers note.

“We don't often see malicious files embedded in .MSG file attachments. It represents yet another technique used by cybercriminals to bypass email gateways. While extracting the malicious JavaScript object, we encountered layers of compression that would perhaps be difficult for some antivirus product to detect,” Trustwave security researcher Rodel Mendrez says.

To stay protected, users should avoid opening .MSG file attachments that arrive via emails from untrusted sources. Outlook should prompt users with a warning by default, and users are advised to always check whether the received file is trustworthy before opening it.

Related: Malware Abuses Windows Troubleshooting Platform for Distribution

Related: Malware Increasingly Abusing WMI for Evasion

view counter