The attack, launched on 13 March, uses an email purporting to come from the UK health watchdog, the National Institute for Health and Care Excellence (NICE), to tell the recipient that their blood sample tests show signs of cancer.
People who click on the attached ‘test results’ are landed with a Trojan that researchers believe is a variant of the notorious Zeus banking malware family.
NICE says it was flooded with calls, emails and tweets from concerned recipients of the email on 13 March. Based on this, a NICE spokesperson told SCMagazineUK.com that “it's likely that there are thousands that would have got it. We're still looking into the matter and we've reported it to the police to see if there is something they can do to investigate.”
But security specialist AppRiver said it had tracked around 300,000 “individual pieces from this campaign”, adding that the entire campaign would have been much larger.
NICE has posted highly visible warnings on its website that confirm: “NICE is aware that a spam email is being sent to members of the public regarding cancer test results. NICE is advising people who have received the email - the subject line of which is, important blood analysis result, to delete it without opening it and not to click on any links. We are currently investigating the origins of the message with the police.”
Security researchers have leapt on the email to analyse its payload. Josh Cannell, a malware intelligence analyst with Malwarebytes, blogged on 13 March that the malware is a variant of the Fareit Trojan that can steal passwords and launch denial of service (DoS) attacks.
Malwarebytes identified two of its files as “Spyware.ZeuS.GO” and speaking to SCMagazineUK.com on 14 March, Cannell said the download “looks very similar to Zeus in its behaviour so I can almost guarantee it came from similar source code”.
Commenting on the attack, he told us: “It just goes to show that cyber criminals aren't afraid to use anything sensitive like cancer, or anything else that could be life-threatening, to instil fear in the victims, to deliver their malware. It's pretty low to resort to something like ‘hey you might have cancer’ just so they can get their password stealer on your computer.”
Cannell added: “It really goes to show that they have no boundaries, they have no limits. They use whatever will get the job done.”
Meanwhile AppRiver senior security analyst Fred Touchette told journalists on 14 March that the email zip file download takes control of the victim's PC, checks to see if it is being analysed, duplicates itself, and steals and transmits browser cookies and MS Outlook passwords - “all very common behaviour for the Zeus family”.
Touchette described the attack as “a rather disturbing attempt to get users to click on malicious attachments”.
He agreed with Malwarebytes' analysis of the sample, telling SCMagazineUK.com via email: “Yes, some AV engines recognise this sample as Fareit. Other scan engines are also recognising it as Bredo and/or Artemis. This malware mimics a certain behaviour of Zeus, however it doesn't appear to be Zeus, nor does it currently act as a downloader of Zeus.”
According to AppRiver, the campaign was directed solely at domains with a “.co.uk” address so the targets were all meant to be in the UK. The attack began at around 9am GMT on 13 March, peaking at about 11am.
Touchette advised anyone targeted by this or related Zeus-based campaigns: “Watch out for some of the common flaws that these malware campaigns employ - such as addressing people by their email addresses as opposed to their actual names. Often, generalities are used in the greeting with no names at all. This is a big red flag, especially when the content is trying to appear so personal. If there are any questions as to the legitimacy of any email, contact the supposed sender directly to authenticate.”
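Touchette's red flags (a greeting that uses the recipient's email address or no name at all), together with this campaign's known subject line and zipped ‘result’ attachment, can be turned into a simple mail-triage check. This is an added example, not AppRiver's or Malwarebytes' code; the two sample messages, the `example.test` sender domain and the `jane.doe@example.co.uk` recipient are constructed.

```python
import re
import email.utils
from email import policy
# Constructed sample messages (not real campaign artefacts); .test is a reserved TLD.
SUSPICIOUS = """\
From: NICE <noreply@example.test>
To: jane.doe@example.co.uk
Subject: important blood analysis result
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear jane.doe@example.co.uk,
Your blood sample tests show signs of cancer. Open the attached results.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="results.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""
BENIGN = """\
To: jane.doe@example.co.uk
Subject: Appointment reminder

Dear Jane,
Your appointment is on Monday at 10:00.
"""
GENERIC = re.compile(r"^(dear|hello|hi)\s*(customer|patient|user|sir|madam|,|$)", re.I)

def triage(raw: str) -> list:
    # Return the red flags found in one raw RFC 5322 message (empty list = nothing flagged).
    msg = email.message_from_string(raw, policy=policy.default)
    flags = ["known-campaign-subject"] if "blood analysis result" in str(msg["Subject"] or "").lower() else []
    body = msg.get_body(preferencelist=("plain",))
    greeting = (body.get_content().strip().splitlines() or [""])[0] if body else ""
    to_addr = email.utils.parseaddr(msg["To"] or "")[1].lower()
    if to_addr and to_addr in greeting.lower():
        flags.append("greeting-uses-email-address")  # addressed by address, not by name
    elif GENERIC.match(greeting):
        flags.append("generic-greeting")  # no name at all
    for part in msg.iter_attachments():  # the campaign's lure is a zipped 'result'
        name = (part.get_filename() or "").lower()
        if name.endswith((".zip", ".exe")):
            flags.append("risky-attachment:" + name)
    return flags
```

The greeting heuristic only looks at the first line of the plain-text body, so HTML-only mail needs the same check applied to its stripped text.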
Last month (12 February), SC UK reported that research from Dell SecureWorks shows that Zeus and the related Citadel malware were the two biggest banking botnets of 2013, targeting 900 financial institutions worldwide. Zeus is also used to install the CryptoLocker ransomware.