Security Experts:

Connect with us

Hi, what are you looking for?


Email Security

Zeus Banking Trojan Distributed via MSG Attachments

A recently spotted spam campaign was using Message (.MSG) file attachments to infect users with the infamous Zbot banking Trojan, Trustwave security researchers say.

A recently spotted spam campaign was using Message (.MSG) file attachments to infect users with the infamous Zbot banking Trojan, Trustwave security researchers say.

Used for storing Microsoft Outlook and Exchange message files, the .MSG file format isn’t popular among cybercriminals, but incidents where it has been abused for nefarious purposes have been reported before. Now, the file format is used to spread the Zbot Trojan (better known as Zeus or ZeuS), which steals user’s banking credentials.

The spam run contained alleged Tax Notification emails coming from Canada Revenue Agency, which had the aforementioned MSG file attached. Instead of delivering what it supposedly should have (this was said to be a “statement file”), the attachment was built with malicious purposes in mind.

What Trustwave researchers focused on was the extraction of the malicious object from the .MSG file without using Outlook, and they started by confirming that the file was an OLE (Object Linking and Embedding) compound file – used for storing MS Office documents. After that, the researchers extracted the OLE containers with 7zip, by renaming the file to .zip.

Within the extracted streams, researchers found three folders named “__attach_version,” the first two of which contained an image of a spoofed PDF file. The third folder, however, contained another layer of OLE File, compressed, with yet another layer of OLE File inside it, with yet another layer of compressed data, which finally revealed heavily obfuscated JavaScript code.

When run, the JavaScript would download a malicious executable from the domain “tradestlo[.]top,” which researchers say was a Trojan downloader called Terdot. The malware was designed to inject its code into the Windows Explorer (explorer.exe) process and to download a second malicious payload, which was the banking Trojan Zbot.

After installation, the Zbot Trojan connects to two domains (aspect[.]top and prispectos[.]top) and downloads its configuration file. Already a well-known threat, the banking Trojan can intercept network traffic and steal system information, online banking credentials and passwords, researchers note.

“We don’t often see malicious files embedded in .MSG file attachments. It represents yet another technique used by cybercriminals to bypass email gateways. While extracting the malicious JavaScript object, we encountered layers of compression that would perhaps be difficult for some antivirus product to detect,” Trustwave security researcher Rodel Mendrez says.

To stay protected, users should avoid opening .MSG file attachments that arrive via emails from untrusted sources. Outlook should prompt users with a warning by default, and users are advised to always check whether the received file is trustworthy before opening it.

Related: Malware Abuses Windows Troubleshooting Platform for Distribution

Related: Malware Increasingly Abusing WMI for Evasion

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

UK-based email security and brand protection solutions provider Red Sift on Thursday announced raising $54 million in a Series B funding round that brings...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...