700,000 Snail Mails Sent to Victims Of The 2018 Zbot Trojan Virus
The 2018 mass laptop virus infection in the state of Alaska, which affected more than half a million users, is still not a closed case. Alaska’s Division of Public Assistance has publicly stated that the infection, though widespread, did not cause any leak or breach of user information. The state nonetheless considered it prudent to notify the 700,000 affected users by snail mail, with one letter for each victim.
“We don’t have any reason to believe their information was compromised, but because their information could have been compromised we had to let them know,” explained Shawnda O’Brien, Alaska’s Division of Public Assistance.
The letters are dated Jan 7, 2019. They express deep regret for the incident and include all the details known at that time about the progress of the investigation. The infection started on April 26 and ran until April 30, 2018.
“Information contained in the database includes: names, Social Security numbers, dates of birth, addresses, health information, benefit information and other types of related information,” emphasized O’Brien.
The specific virus that caused the problem is the Zbot Trojan, delivered through a phishing email. “As soon as our IT folks realized what was happening, they shut [the laptop] down so it couldn’t go any further, but at that point it had gotten into several layers of our security. In this case we were able to catch it, but by then the damage had already been done. Due to the volume of information and the data to be researched, we enlisted the assistance of the FBI. It took them several months to get through; it was a pretty extensive task that they had. They were not able to really identify where the source of the virus came from,” said O’Brien.
Zbot is not exactly a stranger; its many variants have been infecting users’ systems in successive campaigns for years. Once a machine is infected, the malware collects banking credentials and also turns the machine into a zombie computer that sends further spam messages carrying the malware itself, for further propagation. The POST requests carrying information about the infected system go to an address in Ukraine, which is probably where the criminals have located their command and control center, managing all the bots obtained so far and collecting the stolen banking credentials.
In this case, the malware was observed connecting to two specific domains, each resolving to several IP addresses. The bot uses these addresses to report its status and receive orders from its command and control center.
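The behaviour described above, regular POST check-ins from an infected host to a small set of domains that resolve to several IP addresses, is what a defender can look for in proxy logs. The following script is an added example written for this article, not code from the original page or from any vendor; the log format, the domain names (reserved `.invalid` and documentation IP ranges) and the detection thresholds are all constructed assumptions. It parses a few sample lines, groups POSTs by (source host, destination domain), and flags pairs whose requests recur at a near-constant interval to a domain that resolved to more than one address.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not taken from the article):
# timestamp, source host, method, destination domain, resolved IP, bytes sent.
# The first host POSTs every ~5 minutes to one domain spread over three IPs;
# the second host shows ordinary, irregular browsing to a single IP.
SAMPLE_LOG = """\
2018-04-26T09:00:02 10.1.4.17 POST c2-example-a.invalid 203.0.113.10 512
2018-04-26T09:05:03 10.1.4.17 POST c2-example-a.invalid 203.0.113.11 498
2018-04-26T09:10:01 10.1.4.17 POST c2-example-a.invalid 203.0.113.12 505
2018-04-26T09:15:02 10.1.4.17 POST c2-example-a.invalid 203.0.113.10 520
2018-04-26T09:20:04 10.1.4.17 POST c2-example-a.invalid 203.0.113.11 501
2018-04-26T09:03:11 10.1.4.22 GET www.example.com 198.51.100.5 0
2018-04-26T09:31:45 10.1.4.22 POST www.example.com 198.51.100.5 2048
2018-04-26T10:12:09 10.1.4.22 GET www.example.com 198.51.100.5 0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d+)$")


def parse(log_text):
    """Parse the assumed space-separated log format into event dicts; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, host, dst_ip, nbytes = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "method": method,
            "host": host,
            "dst_ip": dst_ip,
            "bytes": int(nbytes),
        })
    return events


def find_beacons(events, min_posts=4, max_jitter=0.2, min_ips=2):
    """Return (src, host) pairs whose POSTs recur at a regular interval to a
    domain that resolved to several IPs. Thresholds are illustrative assumptions:
    at least min_posts requests, interval coefficient of variation <= max_jitter,
    and at least min_ips distinct destination addresses."""
    by_pair = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            by_pair[(e["src"], e["host"])].append(e)

    findings = {}
    for (src, host), evs in by_pair.items():
        if len(evs) < min_posts:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        jitter = pstdev(gaps) / avg  # coefficient of variation of the check-in interval
        ips = {e["dst_ip"] for e in evs}
        if jitter <= max_jitter and len(ips) >= min_ips:
            findings[(src, host)] = {
                "posts": len(evs),
                "interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
                "dst_ips": sorted(ips),
            }
    return findings


if __name__ == "__main__":
    for (src, host), info in find_beacons(parse(SAMPLE_LOG)).items():
        print(f"{src} -> {host}: {info}")
```

Only the first host is reported: five POSTs roughly 300 seconds apart to a domain seen at three different addresses. The second host's single POST never reaches the minimum count, which is the point of combining regularity, volume and multi-IP resolution rather than alerting on any POST alone.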
The attachments are one of the following:
3. 2017 Fra-6086.xls
5. Keys.exe (detected by ESET as a variant of the Win32/Kryptik.DKHB Trojan)
6. utilite.exe (detected by ESET as a variant of the Win32/Kryptik.ATND Trojan)
Known Hashes of Zbot