Security researchers have discovered a new email attack campaign using public interest in the recent Ebola virus outbreak to infect users with a banking trojan.
The attackers in question have created an email template designed to spoof a World Health Organization (WHO) missive on Ebola, which contains links to three ‘factsheets’ on how to prevent the deadly virus, according to Proofpoint.
Clicking on one of those links will take the user to a landing page mimicking a genuine WHO Ebola factsheet, which is “almost indistinguishable from the original,” the vendor said in a blog post.
“When the page loads, it requests permission to run a Java applet that will attempt to load a variant of the popular Zeus banking Trojan on the user’s machine,” Proofpoint continued.
“Even with a security warning and suspicious hosting location (wsh3ll.bplaced[.]net), it’s not surprising that some users will click.”
If Zeus is successfully downloaded, it will work as a typical banking trojan, although it also displays some RAT-like characteristics.
“The Remote Access Trojan (RAT) results in ongoing access for attackers, giving them a pathway to install additional malware on the infected PC,” said Proofpoint.
The attack campaign is by no means the first to use Ebola as a lure to entice concerned netizens to click on something they shouldn’t.
A fortnight ago, Symantec reported three malware operations and a phishing campaign using Ebola as a social engineering theme.
One includes the Zbot Trojan, while a second impersonates Middle East telecoms firm Etisalat and features an attachment hiding the Blueso Trojan and information-stealing Spyrat malware.
The third apparently hides the backdoor Breut malware in an attachment claiming to offer news of a cure for the deadly virus.
The phishing campaign in question spoofs a CNN ‘breaking news’ email promising information on which regions are affected by Ebola and how to avoid infection with the virus.
Clicking any link in the email takes the user to a web page where they are asked to select their email provider and enter their login credentials. These are sent to the phisher, while the unwitting user is redirected to a genuine CNN page, Symantec said.
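Both campaigns described above share one detectable trait: the message invokes a trusted organisation (WHO, CNN) while its links point at domains that organisation does not own, such as the wsh3ll.bplaced[.]net hosting location Proofpoint noted. The following triage script is an added example, not code from the article, Proofpoint or Symantec. It assumes a defender-maintained allowlist of the brands' real domains (who.int and cnn.com) and uses constructed sample messages modelled on the article's descriptions; the link paths and the cnn-breaking-news.example.net host are invented for illustration.

```python
"""Mail-link triage for brand-impersonation lures (added example).

Flags links in a message that claims to come from a well-known organisation
but whose link domains are not owned by that organisation.
"""
import re
from urllib.parse import urlparse

# Assumption: a defender-maintained allowlist of the domains the impersonated
# organisations actually use (their primary domains are listed here).
BRAND_DOMAINS = {
    "WHO": {"who.int"},
    "CNN": {"cnn.com"},
}

# Phrases that signal which organisation the message claims to represent.
BRAND_HINTS = {
    "WHO": re.compile(r"World Health Organi[sz]ation|\bWHO\b"),
    "CNN": re.compile(r"\bCNN\b"),
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def refang(text):
    """Undo the hxxp:// and [.] defanging used in threat reports and IoC feeds."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def registrable_domain(host):
    """Last two labels of a hostname (naive; use a public-suffix list in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def claimed_brands(text):
    """Set of brand names the message text invokes."""
    return {brand for brand, rx in BRAND_HINTS.items() if rx.search(text)}


def triage_links(subject, body):
    """Return (url, registrable_domain, claimed_brands) for every link whose
    domain is not owned by any organisation the message claims to be from.
    A message that names no known brand yields no findings."""
    text = refang(subject + "\n" + body)
    brands = claimed_brands(text)
    if not brands:
        return []
    allowed = set().union(*(BRAND_DOMAINS[b] for b in brands))
    suspicious = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        domain = registrable_domain(host)
        if domain not in allowed:
            suspicious.append((url, domain, tuple(sorted(brands))))
    return suspicious


# Constructed sample modelled on the WHO factsheet lure; the hosting domain
# is the one named in the report, the paths are invented.
WHO_LURE = {
    "subject": "Ebola virus: prevention factsheets from the World Health Organization",
    "body": (
        "Please read the three WHO factsheets below:\n"
        "hxxp://wsh3ll.bplaced[.]net/factsheet1.html\n"
        "hxxp://wsh3ll.bplaced[.]net/factsheet2.html\n"
        "hxxp://wsh3ll.bplaced[.]net/factsheet3.html\n"
        "More information: http://www.who.int/\n"
    ),
}

# Constructed sample modelled on the CNN credential phish; host is invented.
CNN_PHISH = {
    "subject": "CNN Breaking News: regions affected by Ebola",
    "body": "Sign in with your email provider to read more: "
            "http://cnn-breaking-news.example.net/signin\n",
}

if __name__ == "__main__":
    for sample in (WHO_LURE, CNN_PHISH):
        for url, domain, brands in triage_links(sample["subject"], sample["body"]):
            print(f"SUSPICIOUS link {url} ({domain}) in mail claiming {brands}")
```

The check deliberately stays silent on mail that names no known brand: its purpose is to catch the mismatch between the organisation a lure borrows and the infrastructure it actually links to, which is the pattern common to the WHO and CNN campaigns above.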