Criminals use bogus invoices to set virus trap - Update
Criminals are currently sending out a large number of bogus order confirmations that are designed make recipients open the attached malware. The attackers appear to be using stolen online store customer data to address email recipients by their real names.
The criminals pretend that the email recipient has placed an order worth several hundred euros at an online store. To make things difficult for spam filters, they vary the store names. According to emails obtained by The H's associates at heise Security, these recipients have allegedly shopped at sites including comstern.de, nierle.de and elektronikmax.de. The contact details in the email signature appear to be randomised, for example, the post code provided doesn't match the city in any of the cases.
Users who receive an order confirmation or invoice that they can't associate with a purchase should not open these file attachments under any circumstances. Unfortunately, virus scanners don't offer reliable protection in this case: when tested by heise Security, the rechnungsdaten.zip (containing rechnungsdaten.exe) attachment that is sent out in the current attack wave was only identified using its signature by 5 of a total of 42 anti-virus engines – about seven hours after it was sent. In this case, good behaviour monitoring is invaluable. The malware that is being used appears to be a variant of the ZeuS bot.
Incidentally, it isn't just invoices in ZIP or EXE format that should make users suspicious: attackers have also been circulating bogus Deutsche Telekom and Vodafone invoices as PDF attachments that try to infect computers via an old security hole in Adobe Reader. This attack scenario is also possible using Office documents.
Update: Contrary to initial assumptions, the malware isn't a version of the ZeuS bot, but instead appears to be a variant of the BKA trojan that describes itself as a "Windows-encrypting Trojan". Once installed, it claims to have encrypted the contents of the hard drive and demands that users pay a €100 ransom via Paysafecard. It is highly unlikely that, if the ransom is paid, the trojan will actually unencrypt any files or be removed; users are advised not to pay under any circumstances. For those who have already been infected, Avira already has a guide for removing the trojan.
(crve)