The Symantec security blog has reported a series of malware and phishing operations cashing in on Ebola concerns. Since the outbreak of the actual virus in December 2013 and increasing media fervor in the past couple of months, the Ebola virus has attracted worldwide attention.
Recent news headlines have discussed the World Health Organization (WHO)’s approval of experimental pharmaceuticals, a state of national health emergency in Guinea, and the announcement that the first vaccination human trials may begin as soon as September.
So far, Symantec cites social engineering as the framework behind one phishing and three malware attacks capitalizing on Ebola-related concerns. One such attack sends unsuspecting users an email imitating a health report on the current state of the Ebola virus, consequently infecting users with the Trojan.Zbot malware. To date, Zbot has been observed in most major Windows operating systems from Windows NT (1993) up to Windows 7.
Zbot (also known as “Zeus”) targets confidential information. It uses a fairly common Trojan toolkit that provides cyberattackers with “a high degree of control over the final executable;” that is, the operation and behavior of the finished malware.
According to Symantec’s Security Response write-up on Trojan.Zbot, Zeus typically distributes itself “through spam campaigns and drive-by downloads.”
The Ebola report is reminiscent of past instances in that attackers regularly use social engineering as the basis of their spam campaigns, impersonating credible sources such as Microsoft or the Federal Deposit Insurance Corporation (FDIC).
The write-up explains Zeus’ appeal to attackers by describing its level of customization:
It specifically targets system information, online credentials, and banking details, but can be customized through the toolkit to gather any sort of information. This is done by tailoring configuration files that are compiled into the Trojan installer by the attacker. These can later be updated to target other information, if the attacker so wishes.
Although Symantec gives Zeus a high damage level, it ranks low in both risk and distribution levels (likely due in part to increasing awareness from the general public regarding social engineering and spam campaigns). Symantec’s latest Daily Certified anti-virus update was released August 17, 2014.
Another similar campaign distributes an email claiming to originate from a major telecommunications provider. This email prompts users to download a presentation (typically carrying a double extension such as .pdf.zip) that infects the target computer with the malware Trojan.Blueso. Unlike the Zbot Trojan, Blueso itself is not the final goal in this attack; instead, it injects the spyware Win32.Spyrat into the victim’s web browser, which then logs keystrokes, captures screenshots, and can potentially activate the user’s webcam.
The final email campaign takes advantage of widespread hype surrounding the experimental drug ZMapp. The drug first made headlines after its arrival in Liberia on August 13, 2014 to treat two doctors who had become infected with Ebola. Although the drug had not been authorized by the FDA and raised ethical questions regarding its use without testing, Newsweek reports that “the clamor for [ZMapp] is strong given that the contagious hemorrhagic disease is killing more than half of its victims and there is no known cure or vaccine.”
This last malware attack plays to ZMapp’s so-called “glimmer of hope,” announcing that Ebola has been cured and encouraging the recipient to share the news with as many people as possible. Rather than a cure, however, all these victims receive is an infection via the Backdoor.Breut email attachment. Breut records keystrokes and can continue downloading additional files to the infected computer.
Meanwhile, a more convincing phishing campaign actually impersonates the major news network CNN, incorporating its official logo into the email body. This email includes links to an as-yet “untold story,” additional precautionary measures, warnings against terrorists who plan on spreading the Ebola virus to major cities, and a provocative line implicating the US government in an apparent conspiracy surrounding the source of the outbreak.
Any of the included links direct the victim to a separate webpage prompting the user to enter their email account information. Users are then redirected to CNN’s homepage, left to wonder where the urgent news story went and what just happened to their login credentials.
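Two of the lure traits described above, the document-style double extension on the Blueso attachment and the CNN-branded message whose sender and links point somewhere other than CNN, can be checked mechanically at the mail gateway. The following triage routine is an added example written for this post, not code from Symantec or the campaigns it describes; the brand-to-domain table and the sample message are assumptions constructed for illustration.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Brand -> domains treated as legitimate for it; the list is an assumption for this example.
IMPERSONATED_BRANDS = {"cnn": ("cnn.com",)}
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.(zip|rar|7z)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def _belongs_to(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)

def lure_indicators(raw: bytes) -> list:
    """Flag double-extension archives and off-brand senders/links in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if DOUBLE_EXT.search(name):  # e.g. report.pdf.zip
            findings.append(f"double-extension archive attachment: {name}")
    display, addr = email.utils.parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for brand, domains in IMPERSONATED_BRANDS.items():
        if brand not in display.lower() and brand not in text.lower():
            continue  # message does not invoke this brand at all
        if not _belongs_to(sender_domain, domains):
            findings.append(f"{brand} lure sent from {sender_domain}")
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname or ""  # hostname is already lowercased
            if not _belongs_to(host, domains):
                findings.append(f"{brand} lure links to {host}")
    return findings

# Constructed sample: CNN in the display name, off-brand sender and link, .pdf.zip attachment.
SAMPLE = b"""From: CNN Breaking News <alerts@example-news-alerts.invalid>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Read the untold story: http://example-news-alerts.invalid/ebola/login
--b1
Content-Disposition: attachment; filename="Ebola_Report.pdf.zip"

--b1--
"""
```

Running `lure_indicators(SAMPLE)` returns one finding per trait, so a gateway can quarantine or tag the message on any non-empty result.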
As always, Symantec warns readers to double-check the validity of email sources and to “be on guard for unsolicited, unexpected, or suspicious emails.”