Citibank Paymentech Electronic Merchant Billing Statement Spam Infects Users with ZBot

New spammed malware campaign aims at Citibank Paymentech clients to collect passwords and open backdoors for remote attackers to dispose of compromised systems at will.

This new campaign consists of random e-mails allegedly sent by a Citibank billing department. The electronic messages deliver as attachment an archived document hiding an executable malicious file.

In the body of the message, scammers ask recipients to avoid sending a direct reply and to look instead for contact details in the attached Statement ID (plus a string of random numbers).

Instead of a billing statement, the attachment contains one of the numerous variants of the Zbot malware ready to disable the system’s firewall, snatch passwords and open backdoors so remote attackers can reach and control the compromised machines and download further malware.

Bitdefender detects the attachment as Trojan.GenericKD.973769 and protects its customers from the menace.

Hoax Slayer reported a similar attack against Citi customers here.

It’s been barely three months since the last spam campaign targeting Citi customers for sensitive data serving people e-mails with “You have received a secure message” that was delivered with a dangerous securedoc.zip attachment.

The e-mail message in the current campaign is sloppy and messy, which should give even the untrained eye a sense of distrust and discourage readers from opening the malicious attachment.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

This article is based on the spam samples provided courtesy of Daniel ICHIM, Bitdefender Spam Researcher.