
March 29, 2016

Malware Blasts Keep Coming

The same underlying campaign discussed in this recent post continues to spew its trickery to try to get unsuspecting recipients to load a very bad Trojan into Windows PCs. Even though the message content varies quite a bit, there is a similar look and feel to them all.

Most of the messages refer to invoices supposedly owed by the recipient or payments intended for the recipient. Some examples:

Subject: FW: Overdue Incoices [sic]

Dear [recipient username],

Please find attached copy updated statement as your account has 3 overdue incoices.
Is there any reasons why they haven’t yet been paid?

Best Wishes,
Lakeisha Oconnor
Chief Executive Officer
[attachment: [recipient username]_copy_346509.zip]

Subject: Requested receipt ID:736685

Dear [recipient username],

Please find attached your receipt, sent as requested.

We are making improvements to our billing systems to help serve you better and because of that the attached invoice will look different from your previous ones.

Kind regards,
Harland Floyd
Key Account Manager
[attachment: 6DC0C_ [recipient username]_736685.zip]

Subject: CCE29032016_00076

[attachment: CCE29032016_00076.rar]

Sent from my iPhone

Subject: FW:

Your transaction has been successful. More information in the document below.

[attachment: copy_[recipient username]_744004.zip]

Subject: Bill N-590C2D

Dear [recipient username],

Please check the bill in attachment.
In order to avoid fine you have to pay in 48 hours.

Best regards
Demarcus Leach
Key Account Director Municipalities
[attachment: [recipient username]_e-bill_590C2D.zip]

I had to laugh at the ones that misspelled "invoices" as "incoices" in multiple places. This slip has the hallmark of an author who is more comfortable with a Turkish keyboard (and who fails to proofread his/her output).

As for the messages claiming to come from iPhones, the headers are forged to make them appear to originate from the recipient's own email account. But there are a couple of problems when you investigate the headers further. For one, the iOS devices I've been using for the past week are all running iOS 9.3, whereas the messages identified themselves as coming from iOS 9.0.2 devices. More tellingly, the messages originated from a variety of South Asian countries—while my butt has been firmly planted in California for months.
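The tells described above (a compressed attachment with invoice wording, a From address that matches the recipient, a mail-client version that does not match the fleet, and an originating hop outside the organization's own relays) are all mechanically checkable. The following is an added example, not code from this blog, that scores a raw message on those heuristics. Every header, address and IP in it is constructed, and it assumes two things the reader would substitute for their own environment: that legitimate mail from `example.com` users leaves through relays in `192.0.2.0/24`, and that the organization's iPhones run iOS 9.3 as the post's did.

```python
"""Triage heuristics for the invoice-lure campaign described in the post.

Added example; all sample messages, addresses and IPs are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

ARCHIVE_EXT = (".zip", ".rar", ".7z")
LURE_WORDS = re.compile(
    r"\b(invoice|incoice|receipt|bill|statement|transaction|overdue|payment)s?\b", re.I)
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
IOS_VERSION = re.compile(r"iOS (\d+(?:\.\d+)*)")

# Constructed copy of the "Sent from my iPhone" lure: From equals To, an older
# iOS version is claimed, and the origin hop is outside the organization.
SAMPLE_IPHONE = """Received: from mail.example.net (mail.example.net [192.0.2.25])
\tby mx.example.com with ESMTP id abc123; Tue, 29 Mar 2016 08:01:02 -0700
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mail.example.net with SMTP; Tue, 29 Mar 2016 08:00:58 -0700
From: victim@example.com
To: victim@example.com
Subject: CCE29032016_00076
X-Mailer: iPhone Mail (iOS 9.0.2)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Sent from my iPhone
--b1
Content-Type: application/x-rar-compressed; name="CCE29032016_00076.rar"
Content-Disposition: attachment; filename="CCE29032016_00076.rar"
Content-Transfer-Encoding: base64

UmFyIQ==
--b1--
"""


def build_bill_lure(recipient: str) -> str:
    """Construct the 'Bill N-590C2D' lure as a raw message (constructed data)."""
    m = EmailMessage()
    m["Received"] = "from [203.0.113.9] by mx.example.com; Tue, 29 Mar 2016 09:00:00 -0700"
    m["From"] = "Demarcus Leach <accounts@example.org>"  # constructed sender
    m["To"] = recipient
    m["Subject"] = "Bill N-590C2D"
    m.set_content("Please check the bill in attachment.\n"
                  "In order to avoid fine you have to pay in 48 hours.")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                     filename=f"{recipient.split('@')[0]}_e-bill_590C2D.zip")
    return m.as_string()


def parse_message(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def attachment_names(msg: EmailMessage) -> list:
    return [p.get_filename() or "" for p in msg.iter_attachments()]


def received_ips(msg: EmailMessage) -> list:
    """Bracketed IPs from Received headers, newest hop first (last entry is nearest the origin)."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IPV4_IN_BRACKETS.search(str(hdr))
        if m:
            ips.append(m.group(1))
    return ips


def body_text(msg: EmailMessage) -> str:
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content().strip() if part else ""


def triage(raw: str, own_domain: str, own_networks: list, expected_ios: str):
    """Return (flags, origin_ip) for one raw message."""
    msg = parse_message(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    hops = received_ips(msg)
    origin = hops[-1] if hops else None
    nets = [ip_network(n) for n in own_networks]
    inside = origin is not None and any(ip_address(origin) in n for n in nets)
    ver = IOS_VERSION.search(msg.get("X-Mailer", ""))
    text = body_text(msg)
    flags = {
        "archive_attachment": any(n.lower().endswith(ARCHIVE_EXT) for n in attachment_names(msg)),
        "lure_wording": bool(LURE_WORDS.search(msg.get("Subject", "") + " " + text)),
        "self_addressed": bool(from_addr) and from_addr == to_addr,
        # Claims to be one of our users but did not enter through our own relays.
        "own_domain_from_outside": from_addr.rpartition("@")[2] == own_domain and not inside,
        "client_version_mismatch": bool(ver) and ver.group(1) != expected_ios,
        "minimal_body": len(text) < 40,
    }
    return flags, origin


def risk_score(flags: dict) -> int:
    return sum(flags.values())


if __name__ == "__main__":
    for raw in (SAMPLE_IPHONE, build_bill_lure("victim@example.com")):
        flags, origin = triage(raw, "example.com", ["192.0.2.0/24"], "9.3")
        print(origin, risk_score(flags), [k for k, v in flags.items() if v])
```

The origin hop is taken from the bottom-most Received header because that is the one nearest the sending machine; the headers above it are added by relays the organization can vouch for, so a From address in the organization's own domain arriving from an address outside its relays is the same inconsistency the post found by looking up the countries of origin.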

Sadly, I believe this campaign is far from over. The minimalist messages—with not much more than an attachment—may be the most hazardous because they pique one's uncritical curiosity. And, of course the threatening email ("you have to pay in 48 hours") can also send the recipient to open the deadly attachment (which could, in turn, load malware that ransomizes all files on the PC).

It's a dangerous world in email-land. Anti-virus software doesn't necessarily cover all bases. Only knowledgeable and paranoid humans have the full power to stop the madness.

Posted on March 29, 2016 at 11:49 AM