A new spam campaign being driven by the largest spam botnet has been tied to the notorious Zeus Trojan and is believed to be spreading quickly, stealing account credentials and credit card numbers.
Researchers at Dell SecureWorks Counter Threat Unit have discovered the spam messages originating from the Cutwail botnet, attempting to trick victims into downloading the Gameover Zeus banking Trojan.
The spam message is made to look like it comes from many of the top U.S. banks. It reads: "You have received a new encrypted message or a secure message from [XYZ] Bank." The spam message encourages recipients to download an attachment and register for a new system designed to protect privacy and personal information. Instead, the attachment contains the Pony downloader, which installs the banking malware.
"The Cutwail botnet only needs to employ approximately 10,000 bots per spam campaign to send out hundreds of millions of malicious spam messages to computer users all over the world," said Elizabeth W. Clarke, a Dell SecureWorks spokesperson.
So far researchers have detected several variants of the spam messages, all encouraging victims to open a file attachment to read a message, listen to a voicemail or register for a new privacy system. Dell SecureWorks said employees should be trained to never click on a link or an attachment in an email, even if they know the sender. "Always verify that the sender sent the email," Clarke said. "Additionally, update your IPS/IDS countermeasures and firewalls to detect the latest threats."
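One way a mail-gateway or SOC team could turn the lure wording described above into a triage rule, as an added example that is not part of the article or of Dell SecureWorks' tooling; the lure patterns are taken from the phrasings quoted in the article, the risky-extension list and the sample messages are constructed assumptions for this example:

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lure phrasings reported for this Cutwail/Gameover Zeus campaign (from the article)
LURE_PATTERNS = [
    r"received a new (encrypted|secure) message",
    r"secure message from .{1,40}bank",
    r"listen to (your|a) voicemail",
    r"register for .{0,40}privacy",
]
# Attachment types commonly used to carry a downloader (assumption for this example)
RISKY_EXTENSIONS = (".exe", ".scr", ".zip", ".cab", ".pif", ".com")


def triage_message(raw: bytes) -> dict:
    """Return lure hits, risky attachment names and a verdict for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hits = [p for p in LURE_PATTERNS if re.search(p, text, re.IGNORECASE)]
    # iter_attachments() yields nothing for a single-part message, so a plain text mail is never flagged
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    risky = [name for name in attachments if name.lower().endswith(RISKY_EXTENSIONS)]
    # Flag only when a lure phrase and a risky attachment appear together, to limit false positives
    return {"lure_hits": hits, "risky_attachments": risky, "suspicious": bool(hits and risky)}


def build_sample(text: str, attachment_name: str = "") -> bytes:
    """Build a constructed test message (not a real campaign sample); .invalid domains are placeholders."""
    m = EmailMessage()
    m["From"] = "secure-mail@example-bank.invalid"
    m["To"] = "employee@example.invalid"
    m["Subject"] = "Secure message"
    m.set_content(text)
    if attachment_name:
        m.add_attachment(b"placeholder-bytes", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    lure = ("You have received a new encrypted message or a secure message from XYZ Bank. "
            "Download the attached file and register for our new privacy system.")
    print(triage_message(build_sample(lure, "SecureMessage.zip")))
```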
The Zeus Trojan has been a major headache for banks and financial firms, with different variants infecting customer systems attempting to dupe individuals into giving up their account credentials. New variants of Zeus are frequently detected by researchers. The issue has become such a problem that Microsoft took legal action to disrupt some Zeus botnets. But despite a few victories, cybercriminals continue to recover their operations.
Dell SecureWorks said the Gameover Zeus botnet is a peer-to-peer botnet and one of the largest in existence with more than 678,000 infections. Unlike other Zeus botnets with a centralized command and control server, peer-to-peer botnets are difficult for security teams and law enforcement to take down. It has been a pest at many enterprises, detected on corporate systems and systems at universities, defense contractors and government agencies.
Those behind the Gameover Zeus botnet are believed to be the most aggressive, infecting machines and recruiting money mules to drain bank accounts in the United States and Europe. The gang uses a number of tools, including the Black Hole Exploit toolkit, an automated toolkit believed to be the source of many financially motivated attacks, and DirtJumper, used to DDoS the financial institutions while looting a victim's bank account.