We first noticed this campaign in the UAB Spam Data Mine with a spam email message with the subject "you vacancy".
The body of that email read:
Thank you for the chat yesterday, it really helped me get a clearer idea
of recruitment as well as exploring any potential opportunity.
I have just spotted a mistake on the CV I sent in which my email was incorrect.
Apologies for any inconvenience caused if you have already sent me any information on anything we discussed.
My CV is an updated!
CV with the correct email on this link: http://good-resume.info/mycv.docx
The exact same email has also been seen in the UAB Spam Data Mine with several other subjects today:
|108||Speech of welcome|
The final link there that LOOKS like its going to download a Microsoft Word document, actually retrieves a file with the name:
The properties on that document claim to be:
BitDefender Management Console
The current detection rate on the malware at VirusTotal is 16/43, meaning that only 16 of 43 anti-virus products identify this as malware, although only one is calling it "zbot". Here's the VirusTotal Report for md5 = 10fd124206b15f878240f22a30eaf9fe
Our copy of the malware came from a computer with the IP address 184.108.40.206, which has been in bad company for some time. The IP is located on China Beijing Chinanet Jiangsu Province Network. Another example of Russian-speaking crooks hosting their malicious servers in China.
According to those great guys at ZeusTracker, that IP has been used for some really bad stuff.
leadingcase.cc (Confirmed Zeus)
goldfieldforu.cc (Confirmed Zeus 8/24)
youmoneyway.cc (Confirmed Zeus 8/24)
iwfybfywi.com (Confirmed Zeus 8/19)
whiteagngo.com (Confirmed Zeus 9/2)
hotsku.com (COnfirmed Zeus 9/1)
askuv.com (Confirmed Zeus 9/2)
roundhome.net (Confirmed Zeus 8/24)
caramelloinze.net (Confirmed Zeus 9/2)
olandik.net (Confirmed Zeus 8/20)
instamfan.net (Confirmed Zeus 7/28)
tjkleen.net (Confirmed Zeus 8/9)
incornew.net (Confirmed Zeus 7/30)
jocudaidie.ru (Confirmed Zeus 7/15)
dahzunaeye.ru (Confirmed Zeus 6/23)
railuhocal.ru (Confirmed Zeus 6/11)
purplepron.ru (Confirmed Zeus 8/15)
cahgofoneu.ru (Confirmed Zeus 8/31)
iveeteepew.ru (Confirmed Zeus 6/23)
hazelpay.ru (Confirmed Zeus = 5/27)
We've got quite a few more details that we've already shared with law enforcement, but we wanted the public to be advised as well.
If you are a spam researcher and can tell me what botnet this is, please shoot me a note at 'gar at cis dot uab dot edu'. Here are some of the top sending IPs for this group: