Wednesday, 28 September 2016

Double trojan

Subject: There has been a change to your parcel delivery

I get a lot of email about parcels. I'd guess that a lot of people on the internet receive a lot of parcels, so an email about "your parcel" stands a good chance of not being ignored. The interesting thing about this one is that it came with two files.

encryption_key.zip
tracking_encrypted0928.doc

The explanation in the email was "The new privacy policy. All personal information is encrypted in attached document.".

Neat idea. Except that the encryption_key.zip file contained a JavaScript program, obfuscated, and I can't be bothered to reverse engineer it, oops, I mean stare at it until I understand it, but it references "http://worinmena.com/l.exe" which I'm guessing gets downloaded and does something unpleasant.

I sent encryption_key.zip to VirusTotal, and no product flagged it. I also tried tracking_encrypted0928.doc, which was first submitted about an hour before I received it, and 4/55 products flag it as malware.
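The two things worth checking on an attachment like this, before anything is sent anywhere, are whether a "zip" that claims to hold a key actually holds a script, and what URLs that script carries. The following is an added example, not code from the post: it builds an in-memory stand-in for encryption_key.zip (the member name `encryption_key.js` and the JavaScript body are invented; only the URL string is the one the post quotes), lists the archive, flags members with script or executable extensions, and pulls URL literals out of them without ever fetching or running anything. The extension sets are assumptions, not a complete list.

```python
"""Offline triage of a zip email attachment.  Nothing is downloaded or executed;
the archive is listed, script-like members are flagged, and URL strings are
extracted from them so the host can be blocked or looked up."""
import io
import re
import zipfile
from urllib.parse import urlsplit

# Extensions Windows runs on double-click (Windows Script Host, HTA, PowerShell,
# native executables).  Assumed list, not exhaustive.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".ps1", ".cmd", ".bat", ".exe", ".scr", ".pif", ".com"}
# What a downloader URL usually points at.  Assumed list.
PAYLOAD_EXTENSIONS = {".exe", ".scr", ".dll", ".js", ".vbs", ".ps1", ".zip"}

# Matches plain http(s) URL literals; split or encoded strings are not caught.
URL_RE = re.compile(rb"https?://[\w.\-]+(?:/[\w.\-/%?=&#+]*)?", re.IGNORECASE)


def member_extension(name: str) -> str:
    """Lowercased final extension, so 'invoice.pdf.js' -> '.js'."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def extract_urls(data: bytes) -> list:
    """Unique URL literals in order of first appearance."""
    seen, out = set(), []
    for match in URL_RE.findall(data):
        url = match.decode("ascii", errors="replace")
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def triage(zip_bytes: bytes, max_member_bytes: int = 5_000_000) -> dict:
    """List members, flag script-like ones, harvest URLs, and give a verdict.
    Members larger than max_member_bytes are listed but not inflated, so a
    decompression bomb does not take the analysis box down."""
    result = {"members": [], "script_members": [], "urls": [], "hosts": [], "verdict": ""}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            result["members"].append(info.filename)
            if member_extension(info.filename) not in SCRIPT_EXTENSIONS:
                continue
            result["script_members"].append(info.filename)
            if info.file_size > max_member_bytes:
                continue
            for url in extract_urls(zf.read(info)):
                if url not in result["urls"]:
                    result["urls"].append(url)
    for url in result["urls"]:
        host = urlsplit(url).hostname
        if host and host not in result["hosts"]:
            result["hosts"].append(host)
    payload_urls = [u for u in result["urls"]
                    if member_extension(urlsplit(u).path) in PAYLOAD_EXTENSIONS]
    if not result["script_members"]:
        result["verdict"] = "no script members"
    elif payload_urls:
        result["verdict"] = "probable downloader"
    else:
        result["verdict"] = "script in archive"
    return result


def build_sample_zip(member_name: str = "encryption_key.js") -> bytes:
    """Constructed stand-in for encryption_key.zip.  The JavaScript is invented
    (a toy string table); only the URL is the one quoted in the post."""
    js = ('var _k = ["http://worinmena.com/l.exe", "l.exe"];\n'
          'function k(i) { return _k[i]; }\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, js)
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control case: an archive holding only a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_zip()), ("benign", build_benign_zip())):
        r = triage(blob)
        print(f"{label}: members={r['members']} scripts={r['script_members']} "
              f"hosts={r['hosts']} verdict={r['verdict']}")
```

The verdict here is a label for a mailbox rule or a ticket, not a malware classification: a zip whose only member is a script, named to look like a key, is enough on its own to quarantine, and the extracted host is what goes into the proxy blocklist and the VirusTotal lookup. Anything obfuscated enough to split or encode its URL string will slip past the regex, which is why the script-extension check comes first.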
