Websense® Security Labs™ ThreatSeeker™ Network has detected a new batch of malicious emails containing Zeus payloads. This campaign is very similar to another which Adobe reported on a couple weeks ago. The social engineering tricks on this campaign have gotten considerably better. The messages appear to be forwarded from a Director of Information Services who apparently received update instructions directly from an associate at Adobe. The message from the Adobe associate states that the update link is to patch CVE-2010-0193. There are two links in the message that lead to the same IP address hosting a PDF file for instructions and an executable that is meant to be the patch to apply. The executable file named adbp932b.exe (SHA1 0632f562c6c89903b56da235af237dc4b72efeb3) has minimal coverage of about 7%.
Screen shot of malicious email:
The kicker in these messages is actually the update.pdf (SHA1 d408898e33c207eceea6d5b2affdac8ec266f77e) document. What would be expected of a malicious email with a PDF document is that it would contain an exploit of some sort that would attempt to do damage and take over the recipient's computer. This case is much different from that, probably because the attackers are working more of the social engineering angle and counting on the weakest link in the security chain, which would be the end user. The document is actually benign and provides the same link as the email to download the "security patch" and tells you to "Click run in each window that appears". Sharp eyes will actually notice that the IP leading to the malicious application and the IP showing in the screen shot of the document aren't actually the same site. This ploy of a non-malicious PDF document that looks authentic is an attempt to convince recipients that the instructions contained within are authentic.
Screen shot of attached PDF document:
Websense Messaging and Websense Web Security customers are protected against this attack.
The attackers sending these messages have taken their social engineering tactics even further with the executable file linked in the messages. There is a new executable hosted on the attacker's IP address (SHA1 7af53e5924b45ebcb48d8b17e20b66a5979600f3) which seems to behave like a typical installer. There are even setup prompts and a EULA as you move along in the installation but once the installation is complete, a Backdoor is installed on the victim's computer. Because there is such a small amount of messages that we have seen and the fact that this installer is infecting with a Backdoor, we believe this to be another targeted attack.
Screen shots of the installation process:
Read More »