Date: 11 January 2012
Click here for printable version
AusCERT has started receiving spam messages reporting to be from US-CERT. These messages appear valid, despite the lack of a PGP signature, and somewhat ironically refer to an investigation into a phishing email incident which even includes a fake incident tracking number. The emails contain a short message about the phishing email and direct the user to a report in an attached file for more information. This attachment is a .zip file containing an .eml.exe file, which in turn contains an infector for the Zeus-bot trojan malware.
To date we have received two separate emails in connection to this spam, one from an .ru domain and one from an .info domain. These two emails are almost identical but do contain different case numbers and a differently named .zip attachment. Both attachments contain a file named “US-CERT Operations Center Report.eml.exe”. Upon execution this file will infect the user with the Zeus-bot trojan malware.
Just goes to prove that you should not trust unsolicited emails, even from a CERT.
The report on the malware attachment from Virus Total:
The Symantec description of the Zeus-bot trojan malware:
A Sample of the spam message:
“US-CERT is forwarding the following Phishing email that we received to the APWG for further investigation and processing. Please check attached report for the details and email sourceUS-CERT has opened a ticket and assigned incident number PH0000000723968. As your investigation progresses updates may be sent at your discretion to firstname.lastname@example.org and should reference PH0000004914674.Thank you,US-CERT Operations Center888email@example.com http://www.us-cert.gov”