By Andrew Brandt
I didn’t want to let too much time pass before I wrote about a new Zbot-like bank phishing Trojan variant that came across my desk last week. The keylogger started arriving the first week of February as an attachment to a spam email designed to look like it came from United Parcel Service. No, the old malware trope of spammed shipping invoices is not dead yet, Alice, but we’re going to follow this one down the rabbit hole anyhow.
The brief message had a Subject line of “United Parcel Service notification” followed by a random, five-digit number, and a file named USPS_Document.zip attached to the message. Why spammers seem to confuse the US Postal Service with UPS eludes common sense, but I think it has been made abundantly clear by now that, by and large, the people who send these kinds of files around aren’t the sharpest tacks in the box. The HTML body of the message claimed that the .zip file contained a tracking number, but that’s just part of the ruse.
The Trojan is readily identified by its appearance. It uses an old Adobe PDF document icon, but the programmers picked a version of that icon with an X drawn over the top. D’oh. The file also throws an error when run in a virtual machine, forcing the VM to bluescreen, but that didn’t affect our ability to analyze the file: we could execute it and observe its behavior without a problem. This new Trojan installs services that remain memory resident after the installer has run, dropped its payloads in the Application Data folder, and deleted the original copy of itself.
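The lure has several traits a mail gateway can check for before anyone double-clicks: the fixed subject text followed by a five-digit number, a .zip attachment whose name says USPS on a UPS-themed message, and an executable hiding inside that archive. The following triage script is an added example written for this post, not code from the original article or from the malware; the sample message it builds is constructed, and the zip member is a harmless placeholder.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject pattern described in the post: fixed text followed by a random five-digit number.
SUBJECT_RE = re.compile(r"^United Parcel Service notification\s*\d{5}$")
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def triage_message(raw_bytes):
    """Return the list of lure indicators found in a raw RFC 822 message (empty if none)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        reasons.append("subject matches UPS-notification lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        reasons.append(f"zip attachment: {name}")
        if "usps" in name.lower():
            reasons.append("attachment name mentions USPS on a UPS-themed mail")
        try:
            archive = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            reasons.append("attachment is not a valid zip")
            continue
        # The Trojan is an executable dressed up as a document; flag any PE-style extension.
        for member in archive.namelist():
            if member.lower().endswith(EXECUTABLE_EXT):
                reasons.append(f"zip contains executable: {member}")
    return reasons


def build_sample():
    """Constructed message resembling the lure; the zip member is a placeholder, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("USPS_Document.exe", b"MZ placeholder, not real malware")
    msg = EmailMessage()
    msg["Subject"] = "United Parcel Service notification 48213"
    msg["From"] = "notice@example.invalid"  # placeholder sender
    msg.set_content("<p>Your tracking number is in the attached document.</p>", subtype="html")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="USPS_Document.zip")
    return msg.as_bytes()
```

Running `triage_message(build_sample())` returns four indicators for the constructed sample; a plain message with no matching subject or attachment returns an empty list.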