by Dave Michmerhuizen & Luis Chapetti – Security Researchers
Strategic Forecasting, Inc., also known as Stratfor, is a private intelligence-analysis firm based in Austin, Texas. In December of 2011 the hacker collective Anonymous compromised the company newsletter subscription database, making off with thousands of stolen logon credentials and credit card numbers.
Internet scammers are quick to latch onto events like these, and the spam traps at Barracuda Labs have turned up messages targeting Stratfor subscribers. With the subject “Stratfor: Beware of false communications”, these simple emails contain no body text and carry only an attached PDF file.
The PDF file itself is not malicious; it contains a poorly worded message urging you to download an antivirus package (supposedly from McAfee) and scan for a specific virus named Win32Azee.
There is no virus named Win32Azee, and the download isn’t McAfee antivirus. It isn’t an antivirus at all: it is a file stealer that McAfee identifies as PWS-Zbot.gen.ry. You do have to suspend your better judgement, download the file av.zip from a website in Poland and then give it permission to run and install itself. Once that is done, however, the malware gets right to work gathering up both files and stored passwords and sending them to a central drop point.
The first step shown above is the gathering of usernames and passwords stored on the local system. After these are uploaded, the local hard drives are scanned for .PDF, .XLS and .DOC files, and any files found are also uploaded to the remote site.
This malware doesn’t use any encryption or obfuscation to transmit the stolen files. Instead, it uses old-school FTP, which carries the logon credentials, the FTP commands and the file contents in clear text, so the whole exfiltration is visible to anyone watching the network. We were able to log into the file repository and see the files stolen from our test machine.
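Because the exfiltration runs over cleartext FTP, the same visibility that let us browse the drop site also makes it easy to detect on the wire. The script below is an added example, not Barracuda Labs’ code or anything extracted from the sample: it takes client-side FTP control-channel commands of the kind you would reconstruct from a packet capture or a proxy log, groups them into sessions, and flags any session that sends a cleartext login and then uploads several .PDF/.XLS/.DOC files. The log lines, addresses (RFC 5737 documentation ranges), user names and file names are all constructed for the example; the drop-site details of the real campaign are not reproduced here.

```python
"""Flag cleartext FTP sessions that upload documents (added example).

Input is one FTP client command per line in the constructed form
"C: <client> -> <server> <COMMAND> [argument]"; server replies ("S: ...")
are ignored. Nothing here is taken from the real malware sample.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# File types the stealer harvests from local drives, per the write-up.
DOC_EXTENSIONS = (".pdf", ".xls", ".doc")

# Constructed sample data: addresses are RFC 5737 documentation ranges,
# credentials and file names are invented.
SAMPLE_LOG = """\
C: 198.51.100.23 -> 203.0.113.10 USER dropuser
C: 198.51.100.23 -> 203.0.113.10 PASS dr0pp4ss
S: 203.0.113.10 -> 198.51.100.23 230 Login successful.
C: 198.51.100.23 -> 203.0.113.10 MKD WS-7F3A
C: 198.51.100.23 -> 203.0.113.10 CWD WS-7F3A
C: 198.51.100.23 -> 203.0.113.10 STOR stored_passwords.txt
C: 198.51.100.23 -> 203.0.113.10 STOR Q3-forecast.xls
C: 198.51.100.23 -> 203.0.113.10 STOR board-minutes.doc
C: 198.51.100.23 -> 203.0.113.10 STOR contract.PDF
C: 198.51.100.41 -> 203.0.113.50 USER anonymous
C: 198.51.100.41 -> 203.0.113.50 PASS guest@
C: 198.51.100.41 -> 203.0.113.50 RETR README.txt
"""

# Client command lines only; cmd is the 3- or 4-letter FTP verb.
CMD_RE = re.compile(
    r"^C: (?P<src>\S+) -> (?P<dst>\S+) (?P<cmd>[A-Za-z]{3,4})(?: (?P<arg>.*))?$"
)


@dataclass
class FtpSession:
    client: str
    server: str
    username: Optional[str] = None
    password: Optional[str] = None
    uploads: List[str] = field(default_factory=list)

    def document_uploads(self) -> List[str]:
        """Uploaded file names with one of the harvested extensions."""
        return [f for f in self.uploads if f.lower().endswith(DOC_EXTENSIONS)]


def parse_ftp_log(text: str) -> Dict[Tuple[str, str], FtpSession]:
    """Group client-side FTP commands into per-(client, server) sessions."""
    sessions: Dict[Tuple[str, str], FtpSession] = {}
    for line in text.splitlines():
        m = CMD_RE.match(line.strip())
        if not m:
            continue  # server replies and unparseable lines are skipped
        key = (m["src"], m["dst"])
        session = sessions.setdefault(key, FtpSession(*key))
        cmd, arg = m["cmd"].upper(), (m["arg"] or "").strip()
        if cmd == "USER":
            session.username = arg
        elif cmd == "PASS":
            session.password = arg  # visible in the clear on the wire
        elif cmd in ("STOR", "STOU", "APPE"):
            session.uploads.append(arg)  # any upload verb counts
    return sessions


def find_exfiltration(text: str, min_docs: int = 2) -> List[Dict[str, object]]:
    """Return sessions that upload at least `min_docs` documents over FTP."""
    hits = []
    for s in parse_ftp_log(text).values():
        docs = s.document_uploads()
        if len(docs) >= min_docs:
            hits.append({
                "client": s.client,
                "server": s.server,
                "credentials_in_clear": s.username is not None and s.password is not None,
                "documents": docs,
                "other_uploads": [f for f in s.uploads if f not in docs],
            })
    return hits


if __name__ == "__main__":
    for hit in find_exfiltration(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['server']}: {len(hit['documents'])} documents "
              f"uploaded (credentials in clear: {hit['credentials_in_clear']})")
        for name in hit["documents"]:
            print("   ", name)
```

Run against the sample, the first session is reported (cleartext login followed by three document uploads, plus one non-document upload), while the anonymous download in the second session is not. The `min_docs` threshold keeps a single legitimate FTP upload of a spreadsheet from paging anyone; tune it to your environment, and treat any `STOR` of a password-looking file as worth a look regardless of count.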
We were also able to see that a non-trivial number of people have already done this. Each directory name in the middle pane above corresponds to someone who has downloaded and run the malware.
Stratfor charges for its intelligence, so its subscribers are a pre-selected set of valuable targets. It’s no surprise that malware distributors and data thieves are targeting them a second time.
Our advice is the same as it would be for any email user: don’t click on links in emails or in their attachments, no matter how convincing they might seem, and only install software from trusted, verified sources.
Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails. Barracuda Web Filters and the Barracuda Web Security Flex service stop the download of this threat.