Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

Zeus Banking Trojan Distributed via MSG Attachments

A recently spotted spam campaign was using Message (.MSG) file attachments to infect users with the infamous Zbot banking Trojan, Trustwave security researchers say.

A recently spotted spam campaign was using Message (.MSG) file attachments to infect users with the infamous Zbot banking Trojan, Trustwave security researchers say.

Used for storing Microsoft Outlook and Exchange message files, the .MSG file format isn’t popular among cybercriminals, but incidents where it has been abused for nefarious purposes have been reported before. Now, the file format is used to spread the Zbot Trojan (better known as Zeus or ZeuS), which steals user’s banking credentials.

The spam run contained alleged Tax Notification emails coming from Canada Revenue Agency, which had the aforementioned MSG file attached. Instead of delivering what it supposedly should have (this was said to be a “statement file”), the attachment was built with malicious purposes in mind.

What Trustwave researchers focused on was the extraction of the malicious object from the .MSG file without using Outlook, and they started by confirming that the file was an OLE (Object Linking and Embedding) compound file – used for storing MS Office documents. After that, the researchers extracted the OLE containers with 7zip, by renaming the file to .zip.

Within the extracted streams, researchers found three folders named “__attach_version,” the first two of which contained an image of a spoofed PDF file. The third folder, however, contained another layer of OLE File, compressed, with yet another layer of OLE File inside it, with yet another layer of compressed data, which finally revealed heavily obfuscated JavaScript code.

When run, the JavaScript would download a malicious executable from the domain “tradestlo[.]top,” which researchers say was a Trojan downloader called Terdot. The malware was designed to inject its code into the Windows Explorer (explorer.exe) process and to download a second malicious payload, which was the banking Trojan Zbot.

Advertisement. Scroll to continue reading.

After installation, the Zbot Trojan connects to two domains (aspect[.]top and prispectos[.]top) and downloads its configuration file. Already a well-known threat, the banking Trojan can intercept network traffic and steal system information, online banking credentials and passwords, researchers note.

“We don’t often see malicious files embedded in .MSG file attachments. It represents yet another technique used by cybercriminals to bypass email gateways. While extracting the malicious JavaScript object, we encountered layers of compression that would perhaps be difficult for some antivirus product to detect,” Trustwave security researcher Rodel Mendrez says.

To stay protected, users should avoid opening .MSG file attachments that arrive via emails from untrusted sources. Outlook should prompt users with a warning by default, and users are advised to always check whether the received file is trustworthy before opening it.

Related: Malware Abuses Windows Troubleshooting Platform for Distribution

Related: Malware Increasingly Abusing WMI for Evasion

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.