This Utility Has Zero Business with Your Mailbox

We are monitoring new malicious attacks that look similar to the fake "Microsoft Outlook reconfigure" spam campaign messages we have been observing for the last couple of months. That malicious campaign was followed by attacks on social networking sites, transforming from malicious code attacks into URL-based phishing attacks. These new attacks have similar traits, such as the spoofed “From” headers, which aggressively target and baffle enterprise users, and a subject line that is intended to cause panic (for obvious reasons—have a look at the example image below).

As seen in the message above, the mail attachment is a zipped file named “utility.zip” that extracts an executable detected as Trojan.Dropper by Symantec antivirus. Using HTTP, this threat contacts a known C&C server for Zeus/Zbot in Ukraine. (The Zeus/Zbot family of threats is known to distribute malware using attachments and URLs in spam campaigns.)

These attacks seem to be around in rotation and are intended to confuse users with variations in alert types. Users should not open suspicious attachments because no legitimate site will send an executable to reactivate a mailbox, especially as a zipped file. As observed in the past, these attacks return with URLs instead of attachments in the days following the initial email. Users need to be careful before clicking URLs and/or downloading an application that wrongfully claims to restore/repair/activate their mailbox.