Spoofed US-CERT Phishing Report Delivers Malware

 Analysis by: Jona Pereira

We received a spam sample that spoofs its 'From' field to look like an email report from the United States Computer Emergency Readiness Team or the US-CERT. It's a bit of an irony that the sample purportedly came from them since the US-CERT aims to protect the nation's Internet infrastructure. The US-CERT also coordinates defense against cyber attacks across the nation. A screenshot of the spammed message can be seen below.

The email is crafted to appear as a phishing incident report. It is also accompanied by a fake incident number. The email includes an attached .ZIP file, which supposedly contains a more detailed incident report. However, the file contains is actually an executable file named EML.EXE.

Upon further examination, the said file is malicious and detected as TSPY_ZBOT.HUY, which is designed to steal information from users. ZBOT variants typically access a URL where these retrieve a configuration file containing the list of websites these will monitor and steal information.

Some reports note that US-CERT says that the malware is targeting 'a large number of private sector organizations, as well as federal, state and local governments.' This suggests that it targets anti-phishing researchers. However, this case shows that cybercriminals seem to be casting a much wider net by targeting a range of domains and some very consumer-oriented email addresses. Upon gathering more samples, we found samples with random domains which don't belong to any business entity. Thus, this attack may not be targeted to any specific organization.

The people behind this attack may have used US-CERT to make the spam seem legitimate and to gain the trust of potential recipients. US-CERT has since released a public advisory about this attack on their website. We advise all users to be cautious of whatever comes through their email inbox. Always double check the contents of attached files before opening or extracting them.

 SPAM BLOCKING DATE / TIME: January 11, 2012 GMT-8
  • ENGINE:6.8
  • PATTERN:8640