On October 28th, several of our employees reported a wave of suspicious emails. The most peculiar of the bunch originated from an American university. Here is a screenshot of the phishing email:
Analyzing the email headers revealed some interesting information: the attackers sent the phishing email from within a compromised .edu domain.
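The kind of header analysis described above can be scripted. The following is an added example, not code from the original post: it walks the `Received` chain of a constructed sample message (all hostnames, addresses and the `hotmail.example` sender are placeholders from reserved documentation ranges, not the incident's real values) from the earliest hop upward, and reports which server first accepted the message and whether that server's domain has anything to do with the domain shown in the `From` header.

```python
"""Walk the Received chain of an email to find where it was injected.

Each MTA prepends its own Received header, so the first header in the
message is the last hop (our own gateway) and the last header is the
earliest hop: the host that handed the message to the first relay.
A From domain that has nothing to do with that first relay is a classic
sign that the mail was sent through someone else's infrastructure.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not the real phishing email). Hosts and IPs
# are placeholders: RFC 5737 documentation ranges and RFC 2606 names.
SAMPLE_EMAIL = """\
Received: from mx1.example-university.edu (mx1.example-university.edu [198.51.100.20])
\tby mail.victim.example (Postfix) with ESMTPS id 4ABC123
\tfor <user@victim.example>; Tue, 28 Oct 2014 09:12:01 -0400
Received: from webmail.example-university.edu (webmail.example-university.edu [198.51.100.7])
\tby mx1.example-university.edu with ESMTP id 9XYZ789; Tue, 28 Oct 2014 09:11:58 -0400
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby webmail.example-university.edu with HTTP; Tue, 28 Oct 2014 09:11:55 -0400
From: "Accounts Payable" <invoice-sender@hotmail.example>
Reply-To: invoice-sender@hotmail.example
To: user@victim.example
Subject: Invoice 4487 attached
Content-Type: text/plain

Please find attached.
"""

# "from <helo> (<rdns> [<ip>]) ... by <host>" as written by most MTAs.
# The rDNS and IP group is optional because not every relay records it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)


def parse_received(value: str) -> dict:
    """Extract HELO name, reverse DNS, IP and receiving host from one header."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return {"helo": None, "rdns": None, "ip": None, "by": None, "raw": flat}
    return {**m.groupdict(), "raw": flat}


def received_chain(raw_message: str) -> list[dict]:
    """Return the hops in transmission order, earliest hop first."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("Received") or []
    return [parse_received(h) for h in reversed(headers)]


def analyze(raw_message: str) -> dict:
    """Summarise who first accepted the message and compare with the From domain."""
    msg = message_from_string(raw_message)
    hops = received_chain(raw_message)
    first_hop = hops[0] if hops else {}
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    first_relay = first_hop.get("by")
    return {
        "from_header_domain": from_domain,
        "first_relay": first_relay,               # server that injected the mail
        "submitting_ip": first_hop.get("ip"),     # client that talked to it
        "hops": hops,
        "from_domain_matches_relay": bool(first_relay)
        and first_relay.lower().endswith(from_domain),
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_EMAIL)
    for hop in summary["hops"]:
        print(f"{hop['ip'] or '?':>15}  ->  {hop['by']}")
    print("first relay:", summary["first_relay"])
    print("From domain matches relay:", summary["from_domain_matches_relay"])
```

In the constructed sample the earliest hop is an HTTP submission to the university's webmail from an outside address, and the `From` domain is unrelated to that relay; that combination is what you would expect when a webmail account at the relaying organisation has been taken over rather than when the sender's own mail server was used.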
For the malware, the attackers installed a version of ZeuS. We can tell this because the attackers downloaded a .bin file (very typical of ZeuS, Figure 3) and the IP address was listed in ZeuS Tracker (Figure 4).
As of the time of writing, the .bin file from the /boom/ directory could not be reached.
Why is delivering malware from a university domain such an interesting tactic? Most universities can be trusted to send legitimate emails, so their IP addresses don’t make it onto vendor blacklists, and universities typically have fast Internet connections to accommodate the large number of students accessing the Web, streaming Netflix, and gaming online. The university used in this wave of attacks currently has between 25,000 and 30,000 enrolled students. Lots of bandwidth from a trustworthy source gives attackers an appealing platform from which to deliver malware. In this case, the attackers may not have directly attacked the university, but could have compromised a system which just so happened to reside at the university.
For this attack, the attackers used a zip file which contained an executable – not a new technique by any means. For indicators of compromise, an enterprise can search for traffic going to the 155 IP address, for emails matching the subject line, or for emails coming from the Hotmail account in Figure 2.
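The three indicators listed above (destination IP, subject line, sender address) are the kind of thing an enterprise would sweep its proxy and mail-gateway logs for. The following is an added example, not code from the original post: it runs such a sweep over a few constructed Squid-style proxy lines and simplified mail-gateway lines. Because the post truncates the real IP address and does not reproduce the subject or the sender, the indicator values (`203.0.113.45`, `invoice-sender@hotmail.example`, the subject text) are placeholders; the `/boom/` path is the one the post mentions.

```python
"""Sweep proxy and mail-gateway logs for a small indicator set.

Indicator values here are constructed placeholders (RFC 5737 / RFC 2606),
not the incident's real IP, subject or sender.  Subjects are compared after
stripping Re:/Fw: prefixes so that internal replies and forwards of the
phishing mail surface as well.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Indicators:
    ips: set[str]                       # destination IPs seen in proxy logs
    subjects: set[str]                  # compared case-insensitively, prefixes stripped
    senders: set[str]                   # envelope sender addresses
    url_paths: set[str] = field(default_factory=set)  # noted on a hit, not a hit on its own


# Constructed indicator set (placeholders, see module docstring).
IOCS = Indicators(
    ips={"203.0.113.45"},
    subjects={"Invoice 4487 attached"},
    senders={"invoice-sender@hotmail.example"},
    url_paths={"/boom/"},
)

# Constructed Squid access.log lines:
# ts elapsed client action/status bytes method url user hierarchy/peer type
PROXY_LOG = """\
1414507921.123    215 10.1.2.3 TCP_MISS/200 51234 GET http://203.0.113.45/boom/update.bin - HIER_DIRECT/203.0.113.45 application/octet-stream
1414507930.456     98 10.1.2.9 TCP_MISS/200 2311 GET http://www.example.org/index.html - HIER_DIRECT/198.51.100.99 text/html
1414507999.001    120 10.1.2.3 TCP_MISS/404 512 GET http://203.0.113.45/boom/other.bin - HIER_DIRECT/203.0.113.45 text/html
"""

# Constructed mail-gateway lines: ts from=<> to=<> subject="" relay=host[ip]
MAIL_LOG = """\
2014-10-28T09:12:01 from=<invoice-sender@hotmail.example> to=<user@victim.example> subject="Invoice 4487 attached" relay=mx1.example-university.edu[198.51.100.20]
2014-10-28T09:14:33 from=<newsletter@vendor.example> to=<user@victim.example> subject="October updates" relay=mail.vendor.example[198.51.100.77]
2014-10-28T09:20:10 from=<boss@victim.example> to=<user2@victim.example> subject="Re: Invoice 4487 attached" relay=localhost[127.0.0.1]
"""

PROXY_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:\s]+)(?::\d+)?(?P<path>/[^?\s]*)?")
MAIL_RE = re.compile(
    r'^(?P<ts>\S+)\s+from=<(?P<sender>[^>]*)>\s+to=<(?P<rcpt>[^>]*)>\s+subject="(?P<subject>[^"]*)"'
)
SUBJECT_PREFIX_RE = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def normalize_subject(subject: str) -> str:
    """Lower-case and strip any run of Re:/Fw:/Fwd: prefixes."""
    return SUBJECT_PREFIX_RE.sub("", subject).strip().lower()


def host_is_ioc(host: str, ips: set[str]) -> bool:
    """True when the URL host is a literal IP that appears in the indicator set."""
    try:
        return str(ipaddress.ip_address(host)) in ips
    except ValueError:          # hostname, not an IP literal
        return False


def sweep_proxy(log: str, iocs: Indicators) -> list[dict]:
    hits = []
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        u = URL_RE.match(m["url"]) if m else None
        if not u or not host_is_ioc(u["host"], iocs.ips):
            continue
        path = u["path"] or "/"
        reasons = ["ip"] + (["path"] if any(path.startswith(p) for p in iocs.url_paths) else [])
        hits.append({"ts": m["ts"], "client": m["client"], "url": m["url"], "reasons": reasons})
    return hits


def sweep_mail(log: str, iocs: Indicators) -> list[dict]:
    wanted_subjects = {normalize_subject(s) for s in iocs.subjects}
    wanted_senders = {s.lower() for s in iocs.senders}
    hits = []
    for line in log.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["sender"].lower() in wanted_senders:
            reasons.append("sender")
        if normalize_subject(m["subject"]) in wanted_subjects:
            reasons.append("subject")
        if reasons:
            hits.append({"ts": m["ts"], "sender": m["sender"], "rcpt": m["rcpt"],
                         "subject": m["subject"], "reasons": reasons})
    return hits


def sweep(proxy_log: str = PROXY_LOG, mail_log: str = MAIL_LOG, iocs: Indicators = IOCS) -> dict:
    return {"proxy": sweep_proxy(proxy_log, iocs), "mail": sweep_mail(mail_log, iocs)}


if __name__ == "__main__":
    for kind, hits in sweep().items():
        for hit in hits:
            print(kind, hit)
```

The proxy sweep keys on the destination IP and merely annotates the `/boom/` path, since a bare directory name would be far too noisy as an indicator by itself; the mail sweep deliberately catches the internal "Re:" reply in the constructed log, because a user who answered the phishing email is someone the responders will want to talk to.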