The payload was an attached .zip file that was password protected. The password was displayed right in the original message body for the recipient, though, which should be a red flag to users. When a password is used, the contents of the archive are normally encrypted, so a scanner cannot look inside it for malware unless a user enters the password on their computer to extract it. This can make filtering files like this tricky, but not impossible.
The attached archive contains two files. One is an .scr file and the other is a .pdf file of a fake invoice. The first interesting thing was that the attachment had a .zip extension, but it was actually a RAR file (its first few bytes are Rar! instead of the PK that starts a zip). This could have been an attempt to avoid a scanner, or an accident when they created the archive. RAR malware is much less common than zip malware, since zip files work natively on most systems.
The fake spreadsheet in the archive is the .scr executable. The file shows a compile date of 5/25/2014 and has a VirusTotal score of 3/52 AV engines. Upon opening the file, it turns out to be a Trojan downloader: it reaches out to the internet (18.104.22.168; Russian IP) and downloads a 220kb “1.exe” file that has an Amazon logo for an icon. This file has the same compile date as above and a capture rate of 5/52 on VirusTotal. The AV engines classify it as a Zbot. When run, this exe tries to reach out to another Russian IP, but no connection could be established.
Zbot is a common piece of malware that we see often, because its main purpose is to steal money. A good rule of thumb for password-protected zip files: if the password is in the email itself, that defeats the whole point of protecting the archive with a password.
I would suggest people be cautious of any files from unknown senders, but especially wary of password-protected zips with the password in the body. Using a protected zip is a common way for malware authors to try to sneak past any malware filtering a company may be using.
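The two signals described above (an attachment whose leading bytes do not match its extension, and an archive whose password is given in the message body) can be checked without opening the archive. The following is an added example, not code from the original write-up; the function names, the extension policy and the sample message are assumptions made for illustration.

```python
import os
import re

# Leading magic bytes of formats relevant to the case above.
SIGNATURES = [
    (b"Rar!\x1a\x07", "rar"),        # RAR 4.x and 5.x share this prefix
    (b"PK\x03\x04", "zip"),
    (b"PK\x05\x06", "zip"),          # empty ZIP archive
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x1f\x8b", "gzip"),
    (b"MZ", "pe"),                   # Windows executable, includes .scr
    (b"%PDF-", "pdf"),
]
# Extensions each detected type may legitimately carry (assumed policy).
EXPECTED_EXT = {
    "rar": {".rar"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    "7z": {".7z"},
    "gzip": {".gz", ".tgz"},
    "pe": {".exe", ".dll", ".scr"},
    "pdf": {".pdf"},
}
ARCHIVES = {"rar", "zip", "7z", "gzip"}
PASSWORD_HINT = re.compile(r"\b(?:password|passcode)\b", re.IGNORECASE)

def sniff_type(data):
    """Identify a file by its first bytes; None if unrecognised."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None

def triage(filename, data, body):
    """Flag an attachment using the two signals from the write-up."""
    kind = sniff_type(data)
    ext = os.path.splitext(filename.lower())[1]
    # Signal 1: the content type contradicts the file extension.
    ext_mismatch = kind is not None and ext not in EXPECTED_EXT[kind]
    # Signal 2: an archive arrives with its password in the message text.
    password_in_body = bool(PASSWORD_HINT.search(body))
    suspicious = ext_mismatch or (kind in ARCHIVES and password_in_body)
    return {"detected": kind, "ext_mismatch": ext_mismatch,
            "password_in_body": password_in_body, "suspicious": suspicious}

# Constructed sample: a RAR header saved under a .zip name.
SAMPLE = triage("invoice.zip", b"Rar!\x1a\x07\x00" + b"\x00" * 16,
                "Your invoice is attached. The password is 1234.")
```

A hit on either signal is a reason to quarantine the message for review, not proof of malware; a keyword match on "password" in particular will also fire on legitimate mail.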
Author: Jonathan French, Security Analyst, AppRiver.