New Zeus Variant claims to be from Australian Taxation Office

Posted Monday, October 17, 2011 12:53 PM by hwaldron

The significant aspect of the new Zeus attack is it's creation from the special exploit kit . While it currently only targets Australian users, there is a potential for it to be used in other locations as well.

TREND LABS - Another Modified ZeuS Variant Seen in the Wild

QUOTE: This new version, detected as TSPY_ZBOT.SMQH spread around late September through spam that claims to be from ATO (Australian Taxation Office). The spammed messages contain a malicious link, which when clicked directs users to a malicious website that serves the BlackHole exploit kit. The exploit kit, in turn, downloads a variant of this new ZeuS version.

Like LICAT and ZeuS, this new variant also seems to be crafted by a private professional gang, probably the same creators of LICAT, or affiliated with them at least. In fact, the configuration file for TSPY_ZBOT.SMQH has the same format as that of the configuration file of LICAT.  Although the spammed messages only target Australian users, the contents of the decrypted configuration file suggest that it may be used in a global campaign.


No Comments