Zeus has been very busy lately and today is no different. In the past few years we have seen the Zeus Trojan become the one of most prolific threats being distributed. This week cybercriminals are using a familiar tactic to spread the infection. Emails pretending to come from TurboTax are circulating at very high volumes. Of course we see this (tax related) tactic used among many varying malicious spam campaigns this time of year. The social engineering tactic is nothing new but given its continued use, it is evidently quite effective.
The messages are crafted quite well and very closely resemble a real email from TurboTax itself. The messages include the same graphics that TurboTax uses along with a link to the real website. Although we have been seeing a huge increase in malware infections being delivered via malicious links over the past few years, these messages contain an attachment named TAX_(random number).zip.
Here is a look at one of the messages:
The attached archive contains an executable named TAX_3919473[dot]exe. Once clicked the malicious code begins hiding itself as well as checking to make sure it is not being run in a debugger or sandbox. If sandboxing is detected the malware will then terminate its actions. Once satisfied that it is not [being run in a sandbox] it goes to work stealing browser cookies, history, Outlook password as well as installing a backdoor. This variant is currently exfiltrating the data to an IP located in Malaysia via port 80. The Trojan now lays in wait with the ultimate goal of stealing your banking or credit card credentials. You can avoid infection from this threat by ceasing to click on links and attachments included in unsolicited email. Those utilizing our secure email solutions will never see it since we are blocking all current variants of this threat.