Early this morning a small malware campaign started up claiming to be daily customer statements from “Berkeley Futures Limited” (real company, but messages are spoofed). The payload was an attached .zip file that was password protected. The password was displayed right in the original message body for the recipient though, whcih should be a red flag to users. A file will normally be encrypted when a password is used, making scanning inside an archive for malware not possible unless a user inputs the password on their computer to extract it. This can make filtering files like this tricky, but not impossible.
The attached file contains 2 actual files inside. One is an scr file and the other is a pdf file of a fake invoice. The first interesting thing was that the file had a .zip extension, but it was actually a Rar file (First few bytes are RAR! instead of PK for zip).This could have been on purpose as some attempt to avoid some scanner, or an accident when they created the archive. Rar malware is much less common that zip malware since zip files work natively on most systems.
So if you didn’t have a program to extract Rar files, the archive couldn’t be extracted.
The fake Spreadsheet in the archive is the scr executable. The file shows a compile date of 5/25/2014 and has a VirusTotal score of 3/52 AV engines. Upon opening the file, it turns out it is a Trojan downloader and it reaches out to the internet (126.96.36.199; Russian IP) and downloads a 220kb “1.exe” file that had an Amazon logo for an icon. This file has the same compile date as above and a capture rate of 5/52 on VirusTotal. The AV engines classify it as a Zbot. When running this exe, it tries to reach out to another Russian IP but no connection could be established.
The zbot is a common piece of malware we see due to its main purpose of being built to steal money, meaning it can be very profitable for the people behind malware campaigns. A good bit of advice with password protected zips is that if the password is in the email, that sort of defeats the whole reason of being secure and having a password. I would suggest people be cautious of any files from unknown senders but especially wary of password protected zips with the password in the body. Using a protected zip is a common way for malware authors to try and sneak through any malware filtering a company may be using.
Currently we are blocking this malware with over 40,000 hits so far this morning.