Fake invoices in personalized emails deliver ransomware

When a business, social network or any other online service that you use or have signed up for sends you an email, they address you by the name you provided. This is one of the things that usually differentiates real email from spoofed malicious ones, but there are exceptions.

Spear-phishing emails are one, and the other is emails in which attackers extract likely names from the email address they send the message to, in the hopes of guessing the right one.

Avira’s Sorin Mustaca recently received an email that falls in this latter category:

The email has purportedly been sent by German online shopping portal hse24.de and tried to convince him to open the attached file (allegedly the invoice for things he bought).

The email “contains in the body the first and last name taken probably from the email address, thus being very convincing for the unaware user,” he pointed out. “The same formula is used to name the attachment – a zip archive with the name ‘Rechnung .zip’ / ‘Invoice .zip’.”

He also shared that the the ZIP file seemingly contains another ZIP file by another name, which in turn holds an executable created with Visual Studio containing the Reveton ransomware.

“This method of packing the malware is very clever, because very few security solutions on gateways and most certainly no local solution, scans on more than one layer recursively inside archives. Using this technique the cybercriminals ensured that the payload goes through the security checks on its route to the user’s inbox,” he explained.