Attackers Go Back to School: Phishing From .edu Leads to ZeuS


On October 28th, several of our employees reported a wave of suspicious emails. The most peculiar of the bunch originated from an American university. Here is a screenshot of the phishing email:

[Figure 1 — Phishing Email]

Analyzing the email headers revealed some interesting information: the attackers sent the phishing email from within a compromised .edu domain.

[Figure 2 — Redacted headers from the phishing email]

For the malware, the attackers installed a version of ZeuS. We can tell this because the infected machine downloaded a .bin file, which is very typical of ZeuS (Figure 3), and the IP address it contacted was listed in ZeuS Tracker (Figure 4).

[Figure 3 — Screenshot of Wireshark capture attempting to download the .bin file]
[Figure 4 — Screenshot of ZeuS Tracker for the IP address]

As of the time of writing, the .bin file from the /boom/ directory could not be reached.

Why is delivering malware from a university domain such an interesting tactic? Most universities can be trusted to send legitimate emails, so their IP addresses don’t make it onto vendor blacklists, and universities typically have fast Internet connections to accommodate the large number of students accessing the Web, streaming Netflix, and gaming online. The university used in this wave of attacks currently has between 25,000 and 30,000 enrolled students. Lots of bandwidth from a trustworthy source gives attackers an appealing platform for delivering malware. In this case, the attackers may not have attacked the university directly; they could simply have compromised a system that happened to reside on the university’s network.

For this attack, the attackers used a zip file containing an executable – not a new technique by any means. For indicators of compromise, an enterprise can search for traffic going to the 155 IP address, for emails with the same subject line, or for emails coming from the Hotmail account shown in Figure 2.
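One way to operationalize those indicators, as an added example that is not part of the original post: a small Python scanner that checks a mail message for the Hotmail sender, the subject line, and the mismatch between a .edu first hop and a non-.edu From: address, and checks proxy log lines for the 155.x address and a .bin fetch from the /boom/ directory. The IP address, subject line, sample message and log lines below are constructed placeholders, since the post redacts the real values.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Placeholders: the post redacts the real 155.x.x.x address and the subject line.
C2_IP = "155.0.0.1"                    # placeholder for the redacted C2 address
PHISH_SUBJECT = "PLACEHOLDER SUBJECT"  # placeholder for the redacted subject
SENDER_DOMAIN = "hotmail.com"          # the From: account in Figure 2 was a Hotmail address
BIN_PATH_RE = re.compile(r"/boom/[^/]+\.bin$")  # ZeuS config fetched from /boom/

def email_indicators(raw_msg):
    """Return the names of the indicators matched by one raw RFC 822 message."""
    msg = message_from_string(raw_msg)
    hits = []
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain == SENDER_DOMAIN:
        hits.append("sender_domain")
    if msg.get("Subject", "").strip().lower() == PHISH_SUBJECT.lower():
        hits.append("subject")
    # Received: headers are prepended by each relay, so the last one is the first hop.
    received = msg.get_all("Received", [])
    first_hop = received[-1] if received else ""
    edu_hop = re.search(r"\bfrom\s+\S+\.edu\b", first_hop, re.I)
    if edu_hop and not from_domain.endswith(".edu"):
        hits.append("edu_relay_mismatch")  # webmail sender injected via a .edu host
    return hits

def proxy_indicators(line):
    """Return indicators matched by one constructed proxy log line: '<client> <method> <url>'."""
    parts = line.split(maxsplit=2)
    if len(parts) != 3:
        return []
    url = urlsplit(parts[2])
    hits = []
    if url.hostname == C2_IP:
        hits.append("c2_ip")
    if BIN_PATH_RE.search(url.path):
        hits.append("zeus_bin_path")
    return hits

# Constructed sample data (documentation addresses only).
SAMPLE_EMAIL = """\
Received: from mail.example.org ([203.0.113.5]) by mx.corp.example
Received: from host.university.edu ([198.51.100.7]) by mail.example.org
From: "Payroll" <someone@hotmail.com>
Subject: PLACEHOLDER SUBJECT

See the attached zip file.
"""
PROXY_LOG = ["10.0.0.5 GET http://155.0.0.1/boom/config.bin",
             "10.0.0.6 GET http://www.example.com/index.html"]
```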
