Cybercriminals are running a spam campaign whose emails carry malicious attachments containing a Pony downloader. Once executed, the downloader installs a Zeus Trojan on the victim's machine and also directs users to a number of compromised domains hosting fake Adobe Flash Player updates, which are used to trick the unsuspecting into installing a variety of malware strains on their computers.
The emails, according to a report from GFI Labs, are purporting to come from both the Better Business Bureau and eFax Corporate.
It appears that the Pony downloader fetches the Zeus banking Trojan onto the newly infected system as soon as the email attachment is opened. At the same time, the Pony downloader begins stealing FTP-related passwords from its host machine and phones home to a malicious domain hosting the fake Flash downloader. This is just the latest iteration of a scam from earlier this month in which users were phished with a fake Chrome downloader. In addition to Zeus, GFI Labs found the address hosting Blackhole 2.0, a search hijacker called Medfos, the Simda rootkit, and a rogue AV bug called WinWeb.
That address is home to at least five other compromised domains, according to GFI Labs.