The Zeus banking Trojan, which steals account credentials and is used to drain bank accounts, is spreading via a new phishing campaign disguised as an antivirus security update, according to security vendor Sophos.
The UK-based security firm said last week that its antispam filters had detected the campaign, which borrows a variety of well-known antivirus brand names to trick users into installing the malware. The messages are entirely bogus, and solution providers should advise clients never to trust an email claiming to carry an important security patch, Sophos warned.
"It's all a pack of lies," wrote Paul Ducklin, head of technology in Sophos' Asia-Pacific region. "Neither Microsoft nor any other reputable company would send out security updates as email attachments."
Cybercriminals have a long history of using phony security updates to get users to open malicious attachments. Several years ago, Microsoft issued a security advisory warning about a fake Windows update that was spreading malware, and phishing attacks have also mimicked Microsoft's Patch Tuesday advisories to the same end.
According to Sophos' analysis, the attachment in the latest campaign is named "Hotfix_Patch." Opening it runs malicious code that targets Windows users; the malware adds itself to the system registry so that it runs again every time the system is rebooted, Ducklin said.
Besides Sophos, the messages impersonate other popular antivirus brands, including AVG, Kaspersky Lab, Windows Defender and Windows Security Essentials.
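The registry persistence Ducklin describes is the classic autorun technique: an entry under a Run key makes Windows start the program again at every logon. As an added example that is not part of Sophos' analysis or the original article, the following Python script parses a `reg export`-style dump of the Run keys and flags the entries a responder would want to inspect first: programs launched from user-writable directories, entries named after the reported "Hotfix_Patch" lure, and well-known system binary names living outside the Windows directory. The sample export, the user name and every path in it are constructed for illustration, and the script runs offline without Windows.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format produced by
# `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run out.reg`.
# The entries, the user "alice" and the paths are invented for this example;
# "Hotfix_Patch" mirrors the attachment name reported by Sophos.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Hotfix_Patch"="C:\\Users\\alice\\AppData\\Roaming\\Hotfix_Patch.exe"
"Update"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"""

# Directories an ordinary user can write to; legitimate autoruns rarely live here.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\",
                   "%appdata%", "%temp%", "%localappdata%")
# Lure names from the campaign described on the page.
LURE_NAMES = ("hotfix_patch", "hotfix")
# Names of Windows system binaries that malware commonly borrows (assumed list).
SYSTEM_BINARY_NAMES = ("svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe")

# One value line of a .reg file: "name"="value" (REG_SZ only, which is what Run keys use).
REG_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')


def unescape(s: str) -> str:
    """.reg files escape backslashes and double quotes with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse reg-export text into {key_path: {value_name: command_line}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = REG_LINE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group("name"))] = unescape(m.group("value"))
    return keys


def executable_path(command: str) -> str:
    """Pull the program path out of an autorun command line.
    Quoted paths are taken verbatim; unquoted ones are cut at the first space,
    a simplification: unquoted paths that themselves contain spaces are ambiguous."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def assess(name: str, command: str) -> List[str]:
    """Return the reasons an autorun entry looks like malware persistence (empty if none)."""
    reasons: List[str] = []
    path = executable_path(command)
    low = path.lower()
    if any(d in low for d in SUSPICIOUS_DIRS):
        reasons.append("executable lives in a user-writable directory")
    if name.lower() in LURE_NAMES or any(l in low for l in LURE_NAMES):
        reasons.append("name matches the fake security-update lure")
    base = low.rsplit("\\", 1)[-1]
    if base in SYSTEM_BINARY_NAMES and "\\windows\\" not in low:
        reasons.append("system binary name outside the Windows directory")
    return reasons


def scan_run_keys(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Scan every Run/RunOnce key in the export and return (key, name, path, reasons)."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue
        for name, command in values.items():
            reasons = assess(name, command)
            if reasons:
                findings.append((key, name, executable_path(command), reasons))
    return findings


if __name__ == "__main__":
    for key, name, path, reasons in scan_run_keys(SAMPLE_REG_EXPORT):
        print(f"{key}\n  {name!r} -> {path}\n  {'; '.join(reasons)}")
```

On a live system the same checks apply to the HKLM and HKCU Run and RunOnce keys exported with `reg export`; the path heuristics are deliberately conservative, so treat a hit as a lead for triage (hash the file, check its signature and creation time) rather than as a verdict.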
The malware installed on a victim's system is a Zeus variant, which most antivirus engines should detect. Zeus infections rose in 2013, according to statistics from Trend Micro; the malware, which first surfaced in 2007, continues to be bundled into automated attack toolkits.
Cybercriminals constantly modify the malware, producing new variants to evade antivirus and other signature-based detection, Trend Micro said. From February through mid-May, the firm detected hundreds of thousands of infections.
Trend Micro said last month that Cryptolocker, the malware that encrypts victims' files and demands payment for the decryption key, was linked to the Zeus Trojan family.