Friday, July 11, 2014

Gameover Zeus is back

I have received multiple spam emails this afternoon, all with the following pattern:

Payment to <email>
Random order number and purchase amount
Link to Dropbox

The download link goes to variations on https://www.dropbox.com/s/xxx/Invoice_294.PDF.scr?dl=1. The retrieved file for this sample has filename GBWNkgcdZ5GFTcBjE6gXTflu3VPLZDCX3zDEXM4ku35IhUrh5haqM9jidSC4nVkF@dl=1, sha256 b4b0d32c8aba6b319587f0828e607327fcdc763a39af4a0479efd2ec49fba949. VirusTotal shows that only 1 of 54 tested AV products detects it (as Spyware.Zbot.VXGen).

This is a different subject, hash, and detection from what Malcovery reported yesterday, but is still consistent with the Gameover Zeus botnet.

If you receive this spam, don't click the link.
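
The link in this campaign hides a Windows screensaver executable behind a document-looking name (Invoice_294.PDF.scr). As an added example, not part of the original post, this Python check flags links in a message body whose file name ends in a document extension followed by an executable one; the extension lists, function names and sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Extensions Windows runs when double-clicked (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd", "js", "vbs", "jar", "lnk"}
# Extensions a recipient expects to be a harmless document (assumed list).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png", "zip"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def masquerading_extension(url):
    """Return (decoy_ext, real_ext) if the URL's file name ends in
    <decoy>.<executable>, otherwise None."""
    # urlsplit separates the query string (?dl=1) from the path;
    # unquote decodes percent-encoded dots such as %2E.
    path = unquote(urlsplit(url).path)
    # Windows ignores trailing dots and spaces in file names.
    name = path.rsplit("/", 1)[-1].rstrip(". ")
    parts = name.lower().split(".")
    if len(parts) < 3:
        return None
    decoy, real = parts[-2], parts[-1]
    if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
        return decoy, real
    return None

def suspicious_links(message_body):
    """Return [(url, decoy_ext, real_ext)] for every flagged link in a message body."""
    hits = []
    for url in URL_RE.findall(message_body):
        url = url.rstrip(".,);")  # drop trailing sentence punctuation
        found = masquerading_extension(url)
        if found:
            hits.append((url, *found))
    return hits

# Constructed sample message following the pattern described in the post.
SAMPLE = """Payment to user@example.com
Order 000000 - amount 0.00
https://www.dropbox.com/s/xxx/Invoice_294.PDF.scr?dl=1
Terms: https://www.example.com/docs/terms.v2.pdf
"""

if __name__ == "__main__":
    for url, decoy, real in suspicious_links(SAMPLE):
        print(f"{url}: looks like .{decoy}, runs as .{real}")
```

The check looks only at the link text, so it keeps working when the payload hash and the AV detection name change between runs of the spam.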


Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen