Friday, November 20, 2009

More ZBot

The banking trojan known as ZBot has been relentless these past couple of months. Just a few moments ago we began seeing its latest offering, and this time it was delivered addressed to us (as well as others), well, sort of. Aside from the fact that these emails were addressed to invalid users at AppRiver's domain, they were heavily customized to appear as if they were coming from within the security center of AppRiver[dot]com. As you can see, the sender is alerts@[recipient domain], and the link in the email is appended with the recipient domain as well, in an attempt to obfuscate the actual landing pages, which currently number fewer than 10 but are coming in at around 800 pieces per minute, per domain.

If the victim falls for the lure and clicks on the link, they are taken to a page that informs them that they need to update their Adobe Flash player and provides a second link. This link downloads another copy of the ZBot trojan, this time disguised as flashinstaller.exe. This campaign is currently active, so be careful as they add more domains; currently we have all of these blocked.
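Below is an added example (not AppRiver's code) of a mail-gateway heuristic for the two lure traits described above: a From address claiming the recipient's own domain, and a link that carries the recipient domain as decoration while actually pointing elsewhere. The sample message and the URL layout (recipient domain in the path) are constructed assumptions, since the post does not show the real link format; the From header is trivially spoofable, so this is a triage signal, not authentication.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample; domains are placeholders, not the campaign's real ones.
SAMPLE = """From: alerts@example-corp.test
To: someone@example-corp.test
Subject: Security center alert

Please review the alert: http://update-host.invalid/alert/example-corp.test/
"""


def _domain(addr):
    """Domain part of a header address, lower-cased, angle brackets stripped."""
    return addr.split("@")[-1].strip("> ").lower()


def link_findings(url, rcpt_domain):
    """Reasons a link looks like a recipient-domain-decorated lure."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host == rcpt_domain or host.endswith("." + rcpt_domain):
        return []  # genuinely hosted on the recipient's own domain
    reasons = []
    if rcpt_domain in (parsed.path + "?" + parsed.query).lower():
        reasons.append("recipient domain used as URL decoration")
    if host.startswith(rcpt_domain + "."):
        reasons.append("recipient domain as leading subdomain label")
    return reasons


def analyse(raw_message):
    """Return a list of lure indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    rcpt = _domain(msg["To"])
    findings = []
    if _domain(msg["From"]) == rcpt:
        findings.append("sender claims recipient's own domain")
    for url in URL_RE.findall(msg.get_payload()):
        for reason in link_findings(url, rcpt):
            findings.append(f"{reason}: {urlparse(url).hostname}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

A benign internal notice that links back to the recipient's own host produces no findings, so the check only fires on the decoy pattern.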
