The fake CNN Breaking News email arrives in a user's inbox with the subject line, “Obama speech to urge ‘refocus’ on economy”. The unsolicited email carries a forged sender address so that it appears to come directly from CNN, and its message body contains embedded links that, if clicked, direct unsuspecting users to malicious web pages.
Sample email included below:
If the user clicks on one of the embedded links, they will be directed to a compromised website, such as: hxxp: //ekaterini.mainxx.gr/suggested/index.html
Once on this page, the index.html target page will load two malicious JavaScripts:
By injecting the malicious JavaScript above, a cybercriminal can silently redirect the user’s browser to load content and malware from a remote server. In this case, a user will be prompted to download a fake Adobe Flash update.
If executed, it will drop a polymorphic file at the following location: %appdata%\random_name_folder\random_name_file.exe
It will also add the following registry entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Random : "%appdata%\random_name_folder\random_name_file.exe"
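To review a machine for the persistence layout described above (an executable one folder below %appdata%, launched from the current user's Run key), the following PowerShell can be used. It is an added example, not Thirtyseven4 code; the function names and the sample values are constructed for illustration.

```powershell
# Added example: list HKCU Run values whose command is an .exe exactly one
# folder below %APPDATA%. The match is on path shape only; legitimate
# per-user software can install the same way, so hits are items to review.

$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-AppDataRunTarget {
    param(
        [Parameter(Mandatory)][string]$Command,
        [string]$AppDataRoot = $env:APPDATA
    )
    # Expand %appdata% and similar variables before comparing paths.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # Optional opening quote, the AppData root, one folder, one .exe file.
    $pattern = '^"?(' + [regex]::Escape($AppDataRoot) + '\\[^\\"]+\\[^\\"]+?\.exe)'
    if ($expanded -match $pattern) { return $Matches[1] }
    return $null
}

function Find-AppDataRunEntry {
    $key = Get-Item -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)
        $target  = Get-AppDataRunTarget -Command $command
        if (-not $target) { continue }
        $onDisk = Test-Path -LiteralPath $target
        [pscustomobject]@{
            ValueName = $name
            Command   = $command
            Target    = $target
            OnDisk    = $onDisk
            # Signature status is triage context, not a verdict.
            Signature = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $target).Status } else { 'n/a' }
        }
    }
}

# Constructed sample values (not real indicators) showing what matches.
$samples = @(
    '"%appdata%\Uxqeb\ykvoa.exe"',                     # matches the layout
    '"%ProgramFiles%\Vendor\App\app.exe" /background'  # outside %APPDATA%: ignored
)
foreach ($s in $samples) { '{0} -> {1}' -f $s, (Get-AppDataRunTarget -Command $s) }

# Live check of the current user's Run key.
Find-AppDataRunEntry | Format-List
```

Because the folder and file names are random, the check keys on location and autorun behavior rather than on a name. An entry whose target is unsigned or missing from disk deserves the closest look.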
Users installing the update will inadvertently install a Trojan belonging to the Zeus malware family. The Zeus malware family is well-known for its ability to steal personal and banking information. Thirtyseven4 Antivirus detects this Trojan as ‘TrojanPWS.Zbot.gen’.
Please Note: In addition to Thirtyseven4 Antivirus being up-to-date against this threat, Thirtyseven4 has also proactively blocked these targeted domains via our Browser Protection module.