Wednesday, 2 December 2015

November Invoice # zipped java script malware

Description:

November Invoice # zipped JavaScript malware.

Headers:

Subject: November Invoice #13629864

Message Body:


Hello ,

Please review the attached copy of your Electronic document.

A paper copy of this document is being mailed, but this email is being sent in addition for your convenience.

Thank you for your business.

Attachment filename(s):



invoice_13629864.zip

Name inside File:


INVOICE_main_BD3847636213.js


Sha256 Hashes:

0c41371ceb11fc795451505c516c5645645e1e76b05f402379855fa7c208f82b [1]


Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 1/55)

Sanesecurity Signature detection:


foxhole_filename.cdb: Sanesecurity.Foxhole.Zip_fn34
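The Foxhole signature above fires on the filename inside the zip, not on the JavaScript itself, which is why it catches a sample that only 1 of 55 scanners flag: a "document" or "invoice" archive has no business containing a Windows script file. The following is an added example written for this post, not Sanesecurity's signature or ClamAV code; it assumes a list of script extensions that Windows will execute on double-click, and it builds its own in-memory zip (a constructed stand-in for the attachment) so it runs offline.

```python
import io
import zipfile

# Extensions Windows executes directly when the user double-clicks the file.
# This set is an assumption for the example, not the Foxhole signature list.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".cmd", ".bat", ".scr", ".exe", ".lnk", ".ps1",
}


def suspicious_members(zip_bytes: bytes) -> list:
    """Return member names whose final extension is a script/executable type.

    A double extension such as 'invoice.pdf.js' still ends in '.js', so it is
    flagged as well; directory entries are skipped.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in SCRIPT_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    # Constructed in-memory archive standing in for the email attachment;
    # the payload is inert text, nothing from the real sample.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def classify_attachment(filename: str, data: bytes) -> str:
    """Filename-based mail-filter decision for one attachment.

    'skip'  - not a zip (or not a valid zip), so this check does not apply
    'block' - zip contains at least one script/executable member
    'allow' - zip with no such member
    """
    if not filename.lower().endswith(".zip"):
        return "skip"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "skip"  # corrupt or fake zip; leave it to other checks
    return "block" if suspicious_members(data) else "allow"


if __name__ == "__main__":
    sample = build_sample_zip("INVOICE_main_BD3847636213.js", b"// inert placeholder")
    print(classify_attachment("invoice_13629864.zip", sample))  # block
    print(suspicious_members(sample))
```

The check deliberately ignores the script contents: an obfuscated downloader changes with every run, but the attachment layout (a single .js inside a zip named like an invoice) stays stable, which is the same reasoning behind the foxhole_filename signatures.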

Important notes:


According to comments on VirusTotal this tries to download TeslaCrypt ransomware, which encrypts the files on your hard drive (Windows operating systems).

If you do get infected with this and receive a payment popup screen, don't plug in an external backup drive with your old backups on, as they are likely to get encrypted too.

Also be aware that files backed up on Dropbox can also be encrypted.


It's also worth remembering that the company itself may not have any knowledge of this faked email, and any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external botnet.

These botnet emails normally have faked email headers/addresses.

It's not advised to ring/email the company themselves, as there won't really be anything they can do to help you or to stop the emails being spread.



Cheers,
Steve
