
Attackers Go Back to School: Phishing From .edu Leads to ZeuS

On October 28th, several of our employees reported a wave of suspicious emails. The most peculiar of the bunch originated from an American university. Here is a screenshot of the phishing email:

Figure 1 — Phishing Email

Analyzing the email headers revealed some interesting information: the attackers sent the phishing email from within a compromised .edu domain.

Figure 2 — Redacted headers from phishing email

For the malware, the attackers installed a version of ZeuS. We can tell this because the infected host downloaded a .bin file, which is very typical of ZeuS (Figure 3), and the IP address it contacted was listed in ZeuS Tracker (Figure 4).

Figure 3 — Screenshot of Wireshark capture attempting to download .bin file

Figure 4 — Screenshot of ZeuS Tracker for the IP address

As of the time of writing, the .bin file from the /boom/ directory could not be reached.

Why is delivering malware from a university domain such an interesting tactic? Most universities can be trusted to send legitimate email, so their IP addresses don’t make it onto vendor blacklists, and universities typically have fast Internet connections to accommodate the large number of students accessing the Web, streaming Netflix, and gaming online. The university used in this wave of attacks currently has between 25,000 and 30,000 enrolled students. Lots of bandwidth from a trustworthy source gives attackers an appealing platform for delivering malware. In this case, the attackers may not have attacked the university directly; they could simply have compromised a system that happened to reside on its network.

For this attack, the attackers used a zip file containing an executable, which is not a new technique by any means. For indicators of compromise, an enterprise can search for traffic going to the 155 IP address, for emails matching the subject line, or for emails coming from the Hotmail account shown in Figure 2.
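The sweep described above, written out as an added example (this is not Cofense code). The actual indicator values are redacted in the post, so the 155 address, the subject line and the Hotmail sender are PLACEHOLDER values, and the proxy and mail log lines are constructed for the demonstration. The proxy check goes slightly beyond the post: besides the known-bad host, it also flags any `.bin` fetched from a `/boom/` directory, since the post notes that path as the ZeuS download location. A third function inspects a zip attachment for executable members by extension or `MZ` header, covering the zip-with-executable delivery the post mentions.

```python
"""IoC sweep for the indicators named in the post (added example, not Cofense code)."""
import io
import re
import zipfile

# Indicators from the post. Values the post redacts are PLACEHOLDERS, not real IoCs.
IOC = {
    "dest_ip": "155.0.0.1",            # PLACEHOLDER for the redacted 155.x.x.x address
    "subject": "Invoice attached",     # PLACEHOLDER for the redacted subject line
    "sender": "someone@hotmail.com",   # PLACEHOLDER for the Hotmail account in Figure 2
    "bin_dir": "/boom/",               # directory the ZeuS .bin was requested from (in the post)
}

# Constructed proxy log: epoch, client IP, method, URL, HTTP status (one request per line).
PROXY_LOG = """\
1414508400 10.0.0.21 GET http://155.0.0.1/boom/config.bin 404
1414508401 10.0.0.22 GET http://www.example.edu/index.html 200
1414508402 10.0.0.23 GET http://203.0.113.9/boom/update.bin 200
1414508403 10.0.0.24 GET http://155.0.0.1/ 200
"""

# Constructed mail log records: (sender, subject, recipient).
MAIL_LOG = [
    ("Someone@Hotmail.com", "Invoice attached", "alice@corp.example"),
    ("newsletter@example.edu", "Campus news", "bob@corp.example"),
    ("Someone@Hotmail.com", "Re: meeting", "carol@corp.example"),
]

URL_RE = re.compile(r"^https?://([^/:]+)(?::\d+)?(/.*)?$")


def scan_proxy_log(log_text, ioc=IOC):
    """Return one dict per request that hits the bad host or fetches a .bin under the ZeuS dir."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line: skip it rather than abort the whole sweep
        _ts, client, _method, url, status = fields
        m = URL_RE.match(url)
        if not m:
            continue
        host, path = m.group(1), m.group(2) or "/"
        reasons = []
        if host == ioc["dest_ip"]:
            reasons.append("dest_ip")
        if path.startswith(ioc["bin_dir"]) and path.lower().endswith(".bin"):
            reasons.append("bin_download")
        if reasons:
            hits.append({"client": client, "url": url, "status": status, "reasons": reasons})
    return hits


def scan_mail_log(records, ioc=IOC):
    """Return one dict per message whose sender or subject matches the indicators."""
    hits = []
    for sender, subject, rcpt in records:
        reasons = []
        if sender.lower() == ioc["sender"].lower():        # addresses are case-insensitive
            reasons.append("sender")
        if subject.strip().lower() == ioc["subject"].lower():
            reasons.append("subject")
        if reasons:
            hits.append({"recipient": rcpt, "sender": sender, "reasons": reasons})
    return hits


EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def executables_in_zip(zip_bytes):
    """Names of zip members that look like Windows executables (by extension or MZ header)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            with zf.open(info) as fh:
                head = fh.read(2)  # only the first two bytes are needed for the MZ check
            if ext in EXEC_EXT or head == b"MZ":
                found.append(name)
    return found


def build_sample_zip():
    """Constructed attachment: a harmless text file plus two executable-looking stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see")
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)  # double extension; MZ header only
        zf.writestr("payload.dat", b"MZ\x90\x00")             # renamed exe: caught by header
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("proxy:", hit)
    for hit in scan_mail_log(MAIL_LOG):
        print("mail: ", hit)
    print("zip executables:", executables_in_zip(build_sample_zip()))
```

Swap the placeholder values for the real indicators from the redacted headers and the three functions can be pointed at exported proxy logs, mail gateway logs and quarantined attachments respectively; the `reasons` list on each hit tells the analyst which indicator fired, which matters when a single sender or subject match is weaker evidence than a connection to the known-bad host.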