Government employees targeted by Zeus trojan

Researchers at Websense Security Labs have identified a Zeus trojan that is currently ending up in the email boxes of US and UK government employees, notably those from defense and intelligence agencies. The lab shows evidence in its blog that the primary targets of the campaign are those with email addresses ending in .gov.

The emails have a “National Intelligence Council” subject line and contain links to download what appears to be a zip file for a document titled “2020 Project”, in addition to another URL. Websense said this is actually a Zeus bot, a trojan designed to steal banking data.

“One of them is a compromised organization Web site and the other is located on a popular file hosting service”, Websense noted in its blog. “The bot has rootkit capabilities and connects to C&C servers at update[removed].com and pack[removed].com to report back on a successful infection and to download some archives with DLLs; it also modifies the hosts file to prevent updates from popular anti-virus vendors.”
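The hosts-file tampering Websense describes can be checked for on an endpoint. The following is an added example, not code from Websense or from this article: the vendor domains are placeholders (the article names none), the function names are hypothetical, and the hosts file content is a constructed sample.

```python
import ipaddress

# Assumption: placeholder update domain; replace with the hosts your AV product uses.
WATCHED_DOMAINS = {"av-vendor.example"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip lines that do not start with an IP address
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def is_watched(name, watched):
    """True if name is a watched domain or any subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)

def find_blocked_updates(text, watched=WATCHED_DOMAINS):
    """Return hosts entries that override resolution of watched AV domains."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if is_watched(name, watched):
            # Loopback or 0.0.0.0 silently blocks updates; any other IP redirects them.
            kind = "sinkholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append((line_no, name, str(ip), kind))
    return findings

# Constructed sample of a tampered hosts file.
SAMPLE_HOSTS = """\
# Constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.av-vendor.example   # entry added after infection
0.0.0.0         download.av-vendor.example liveupdate.av-vendor.example
203.0.113.7     av-vendor.example.
10.0.0.5        intranet.corp.example
"""

if __name__ == "__main__":
    for finding in find_blocked_updates(SAMPLE_HOSTS):
        print(finding)
```

On a Windows host the text to pass in is the content of `%SystemRoot%\System32\drivers\etc\hosts`; any finding for an anti-virus update domain warrants investigation, since such entries are rarely legitimate.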

The Zeus trojan, a favorite among novice hackers for its relative ease of use, is notorious for data and identity theft on the computers it infects. What is unsettling from a national security standpoint in this case is that Zeus may have been used to gain access to confidential or sensitive information from defense and intelligence agencies. “While Zeus normally steals banking credentials, we've also seen Zeus being used in the past in targeted attacks with the goal of stealing documents,” said Patrik Runald, senior security manager at Websense Security Labs.

Although Websense has not yet completed its review and analysis of this particular Zeus strain, Runald tells Infosecurity that additional research is ongoing, adding that the trojan “most likely steals documents and uploads to a server.”
