Barracuda Engineer and Research Scientist Luis Chapetti (@cudasecurity) is warning us of a new phishing attack that he discovered on Friday afternoon. The email impersonates an official secure message from Bank of America Merrill Lynch.
This initiates a download of the “SecureMessage.zip” file, which contains Spyware/Win32.Zbot. This trojan takes the following actions on the user's computer:
- Starts servers listening on 0.0.0.0:6710 and 0.0.0.0:6506
- Performs an HTTP GET of malkanat.com/images/Targ-1605USdp.tar
- Collects MachineGuid, DigitalProductID, and SystemBiosDate
- Steals private information, such as login data, that is transmitted through browsers
- Installs itself for autorun at Windows startup
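The indicators in the list above, turned into a small triage check that a defender could run over host telemetry. This is an added example, not code from the original post or from Barracuda; the listening ports, download URL and autorun behaviour come from the list above, while the netstat, proxy-log and registry line formats and all sample lines are constructed assumptions.

```python
"""Triage check for the Zbot behaviours described in the post (added example)."""
import re
from collections import defaultdict

# Indicators taken from the post's behaviour list.
LISTEN_PORTS = {6710, 6506}
DOWNLOAD_HOST = "malkanat.com"

# Assumed telemetry formats: netstat -ano style sockets, a proxy access log,
# and dumped HKCU/HKLM Run keys ("<key>\<name> = <command>").
LISTEN_RE = re.compile(r"^\s*TCP\s+0\.0\.0\.0:(\d+)\s+\S+\s+LISTENING\s+(\d+)")
PROXY_RE = re.compile(r"\bGET\s+http://([^/\s]+)(/\S*)")
RUN_RE = re.compile(
    r"HK(?:CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\s=]+)\s*=\s*(.+)$"
)
# Autorun entries pointing into user-writable locations are the suspicious ones.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.IGNORECASE)

# Constructed sample telemetry for a single host (not real capture data).
SAMPLE_TELEMETRY = [
    "TCP    0.0.0.0:6710    0.0.0.0:0    LISTENING    2216",
    "TCP    0.0.0.0:6506    0.0.0.0:0    LISTENING    2216",
    "TCP    0.0.0.0:445     0.0.0.0:0    LISTENING    4",
    '10.0.0.7 - - [constructed] "GET http://malkanat.com/images/Targ-1605USdp.tar HTTP/1.1" 200',
    '10.0.0.7 - - [constructed] "GET http://example.org/index.html HTTP/1.1" 200',
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SecureMessage = C:\Users\bob\AppData\Roaming\secure\SecureMessage.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = C:\Program Files\OneDrive\OneDrive.exe",
]


def check_telemetry(lines):
    """Return {indicator: [evidence, ...]} for every line matching one of the post's IoCs."""
    hits = defaultdict(list)
    for line in lines:
        m = LISTEN_RE.match(line)
        if m and int(m.group(1)) in LISTEN_PORTS:
            hits["listening_port"].append(f"port {m.group(1)} pid {m.group(2)}")
            continue
        m = PROXY_RE.search(line)
        if m and m.group(1).lower() == DOWNLOAD_HOST:
            hits["download_url"].append(m.group(1) + m.group(2))
            continue
        m = RUN_RE.search(line)
        if m and USER_WRITABLE_RE.search(m.group(2)):
            hits["autorun"].append(f"{m.group(1)} -> {m.group(2)}")
    return dict(hits)


def score(hits):
    """Number of distinct indicator categories seen; 2 or more warrants isolating the host."""
    return len(hits)


if __name__ == "__main__":
    found = check_telemetry(SAMPLE_TELEMETRY)
    for indicator, evidence in found.items():
        print(indicator, evidence)
    print("score:", score(found))
```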
This message is similar to other “secure message” emails that we have seen in the past year, in that it shares these characteristics:
- The “secure message” attachment is an executable or a zip file
- The user is directed to open the attachment with a web browser
- It directs the user to a Dropbox link which contains the malware
This phishing attack has been used against customers of other banks as well. Citibank, Key Bank, HSBC, and NatWest have all been impersonated for this type of attack.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role, she helps bring Barracuda stories to life and facilitate communication between the public and Barracuda internal teams. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.