Thanks to Honeyblog.Org for providing detailed confirmation of the earlier ZDNet article concerning the latest Gozi Trojan exploit, which involves PDF files attached to email, courtesy of the RBN.
The PDF file attached to the email contains an exploit for the recently disclosed vulnerability involving Adobe PDF that is the subject of the Microsoft security advisory (here). As stated earlier in this blog, the exploit is being distributed as a PDF file in spam and downloads a variant of the Gozi Trojan. The exploit contains shellcode that downloads a binary from the RBN; the downloaded binary injects itself into several MS Windows processes, collects personal information from the infected PC and sends it to the RBN.
Download binary from IP address 220.127.116.11
Then send your personal data for ID theft to 18.104.22.168
Both 22.214.171.124 and 126.96.36.199 are served by Autonomous System AS 40989 = RBN AS RBusiness Network.
Perhaps more ISPs and users should simply blocklist the whole IP range, in and out?
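As an added illustration of what "blocklist the whole range, in and out" looks like in practice (this is example code written for this post, not anything from Honeyblog, ZDNet or the RBN write-ups), the script below builds a blocklist from a set of prefixes, checks single addresses against it, emits iptables rules for both directions, and scans proxy log lines for connections that hit the range. The four /24 prefixes are constructed stand-ins for the AS 40989 announcements and the squid-style log lines are made up for the example; the real prefixes have to be pulled from a routing registry or BGP feed before any of this is deployed.

```python
import ipaddress

# Constructed, hypothetical prefixes standing in for the AS 40989
# announcements. Replace with the prefixes actually originated by the AS.
RBN_PREFIXES = [
    "220.127.116.0/24",
    "18.104.22.0/24",
    "22.214.171.0/24",
    "126.96.36.0/24",
]

NETWORKS = [ipaddress.ip_network(p) for p in RBN_PREFIXES]


def is_blocklisted(ip: str) -> bool:
    """True if the address falls inside any blocklisted prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NETWORKS)


def iptables_rules(prefixes=RBN_PREFIXES) -> list:
    """Drop traffic to and from each prefix: 'in and out'."""
    rules = []
    for p in prefixes:
        rules.append(f"iptables -I INPUT -s {p} -j DROP")    # inbound
        rules.append(f"iptables -I OUTPUT -d {p} -j DROP")   # outbound
    return rules


# Constructed squid native-format access log lines (not a real capture).
# Fields: time elapsed client code/status bytes method URL ident peer/host type
SAMPLE_LOG = """\
1190000001.123    512 10.0.0.5 TCP_MISS/200 41234 GET http://220.127.116.11/load.exe - DIRECT/220.127.116.11 application/octet-stream
1190000002.456     88 10.0.0.5 TCP_MISS/200 312 POST http://18.104.22.168/cgi-bin/forms.cgi - DIRECT/18.104.22.168 text/html
1190000003.789     40 10.0.0.7 TCP_MISS/200 9000 GET http://www.example.com/index.html - DIRECT/203.0.113.7 text/html
"""


def flag_log_hits(log_text: str) -> list:
    """Return (client, method, peer) for each request whose peer is blocklisted.

    A GET fetching a binary is the download stage; a POST to the same range
    is the exfiltration stage described in the post.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # skip malformed lines rather than crash on them
        client, method = fields[2], fields[5]
        peer = fields[8].split("/", 1)[-1]   # "DIRECT/1.2.3.4" -> "1.2.3.4"
        try:
            if is_blocklisted(peer):
                hits.append((client, method, peer))
        except ValueError:
            continue  # peer was a hostname, not an address
    return hits


if __name__ == "__main__":
    for rule in iptables_rules():
        print(rule)
    for client, method, peer in flag_log_hits(SAMPLE_LOG):
        print(f"{client} {method} -> {peer} (blocklisted)")
```

Blocking at the border only stops the download and the exfiltration hops that stay inside the listed prefixes; a fresh drop point on a different AS walks straight past it, so the log scan is the part worth keeping even after the rules go in.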