Spam emails with a Zeus variant target passengers of US Airways

Kaspersky researchers have detected a spam campaign that, over the last two weeks, has targeted passengers of US Airways with a variant of the Zeus banking Trojan.

The email, purportedly from US Airways, contains a brief description of the check-in procedure and a confirmation code.

Image Credits to: Kaspersky

The link 'Online Reservation Details' in the email leads to a domain hosting the BlackHole Exploit Kit. The kit tries to exploit a vulnerability in Java, Flash Player or Adobe Reader so that it can run malware on the victim's system.

Once a vulnerability has been successfully exploited, an executable file is downloaded. It can be downloaded under different names (about.exe, contacts.exe and others) and is essentially a downloader. The downloader connects to its C&C at the URL “176.28.18.135/pony/gate.php”, then downloads and runs the GameOver ZeuS variant.

"At all the stages of this attack, every object — domains, links to javascripts, files with exploits, the downloader and ZeuS — was frequently replaced with a new one. The domains remained "alive" for nearly 12 hours, while the ZeuS samples were replaced more often," the researcher said.

"During the short periods of time (a few hours over several days) that I was monitoring what files were being downloaded, I managed to detect 6 modifications of the downloader and 3 modifications of ZeuS."
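
A defender-side illustration of the chain described above, added here and not taken from Kaspersky's report or the original post: because the domains, file names and samples were replaced frequently, the check keys on the sequence (an .exe fetch followed shortly by a request to a gate.php path on a bare IP address) rather than on any single indicator. The log format, the five-minute window, the function names and all sample lines are assumptions constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines (timestamp, client, URL); not real traffic.
# Hosts are example domains and RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2024-01-15T09:14:02 10.0.0.21 http://landing.example/main.php?page=1
2024-01-15T09:14:09 10.0.0.21 http://landing.example/files/about.exe
2024-01-15T09:14:31 10.0.0.21 http://203.0.113.7/pony/gate.php
2024-01-15T09:20:00 10.0.0.35 http://vendor.example/tools/setup.exe
2024-01-15T11:45:00 10.0.0.35 http://198.51.100.9/app/gate.php
2024-01-15T10:02:11 10.0.0.48 http://203.0.113.7/pony/gate.php
"""
WINDOW = timedelta(minutes=5)  # assumed correlation window


def is_ip_literal(host):
    """True when the URL host is a raw IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_downloader_checkins(log_text, window=WINDOW):
    """Return (client, exe_url, gate_url) for each client that fetched an .exe
    and, within `window`, requested */gate.php on a bare-IP host."""
    last_exe = {}  # client -> (time, url) of its most recent .exe fetch
    hits = []
    # ISO timestamps lead each line, so a plain sort is chronological.
    for line in sorted(l for l in log_text.splitlines() if l.strip()):
        ts, client, url = line.split(maxsplit=2)
        when = datetime.fromisoformat(ts)
        parts = urlsplit(url)
        path = parts.path.lower()
        if path.endswith(".exe"):
            last_exe[client] = (when, url)
        elif path.endswith("/gate.php") and is_ip_literal(parts.hostname or ""):
            seen = last_exe.get(client)
            if seen and when - seen[0] <= window:
                hits.append((client, seen[1], url))
    return hits


if __name__ == "__main__":
    for client, exe_url, gate_url in find_downloader_checkins(SAMPLE_LOG):
        print(f"{client}: fetched {exe_url}, then contacted {gate_url}")
```

Of the constructed clients, only 10.0.0.21 is flagged: 10.0.0.35 reaches a gate.php path hours after its download, and 10.0.0.48 shows no preceding download in the log.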