The Zeus banking Trojan has been around since early 2007, and its strains went on to execute MitM attacks, log keystrokes and grab data entered in online forms.
It is usually spread via exploit kits (drive-by downloads), phishing campaigns and social media, but Trend Micro researchers have lately come across a variant that employs an additional spreading vector: removable drives.
In this specific instance, the spyware version is initially delivered via a PDF exploit which is disguised as a sales invoice document.
Possible victims that try to open the file with Adobe Reader are confronted with a notification that says that it can’t be opened because “use of extended features is no longer available.”
The malware then contacts its command and control (C&C) servers to download an updated copy of the executable, if one is available. Immediately afterwards it checks whether any removable drives are connected to the computer; if so, it drops a copy of itself into a hidden folder it creates on the drive and adds a shortcut pointing to that copy.
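A defender-side check for the propagation pattern just described, added here as an example and not part of the original article: it enumerates removable drives, looks for hidden folders holding an executable, and resolves every .lnk shortcut on the drive to see whether it points at one of those files. It assumes Windows PowerShell with the WScript.Shell COM object available and that the dropped copy is an .exe; the article names neither the folder nor the file.

```powershell
# Added example, not code from the article. Assumed: drop folder is hidden, payload is an .exe,
# and the shortcut lives somewhere on the same removable drive. Run from an elevated prompt.

$shell = New-Object -ComObject WScript.Shell

# Drives Windows reports as removable (Win32_LogicalDisk DriveType 2).
$removable = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 }

foreach ($drive in $removable) {
    $root = $drive.DeviceID + '\'

    # Hidden directories anywhere on the drive; -Force is needed to list hidden items at all.
    $hiddenDirs = Get-ChildItem -Path $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }

    # Executables inside those hidden directories are the candidate dropped copies.
    $hiddenExes = foreach ($d in $hiddenDirs) {
        Get-ChildItem -Path $d.FullName -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue
    }
    if (-not $hiddenExes) { continue }

    # Resolve each shortcut on the drive and flag those whose target is a hidden executable.
    $links = Get-ChildItem -Path $root -Filter '*.lnk' -File -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($lnk in $links) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        $hit = $hiddenExes | Where-Object { $_.FullName -ieq $target } | Select-Object -First 1
        if ($hit) {
            # Emit one record per suspicious shortcut; the hash lets the sample be looked up later.
            [PSCustomObject]@{
                Drive    = $drive.DeviceID
                Shortcut = $lnk.FullName
                Target   = $target
                SHA256   = (Get-FileHash -Path $hit.FullName -Algorithm SHA256).Hash
            }
        }
    }
}
```

A hit is an indicator for triage, not a verdict: legitimate portable software also ships with shortcuts, so compare the hash against known samples before acting.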