Friday, July 11, 2014

Gameover Zeus is back

I have received multiple email spam this afternoon, all with the following pattern:

Payment to <email>
Random order number and purchase amount
Link to Dropbox

The download link goes to variations on https://www.dropbox.com/s/xxx/Invoice_294.PDF.scr?dl=1. The retrieved file for this sample has filename GBWNkgcdZ5GFTcBjE6gXTflu3VPLZDCX3zDEXM4ku35IhUrh5haqM9jidSC4nVkF@dl=1, sha256 b4b0d32c8aba6b319587f0828e607327fcdc763a39af4a0479efd2ec49fba949. VirusTotal finds only 1 of 54 tested AV detect it (as Spyware.Zbot.VXGen).

This is a different subject, hash, and detection from what Malcovery reported yesterday, but is still consistent with the Gameover Zeus botnet.

If you receive this spam, don't click the link.