Fake emails designed to distribute information-stealing malware could end up being a huge hassle for small and medium-sized businesses (SMBs), researchers said.
The attack starts with an email which informs recipients their employment with the company they work for has been terminated due to policy violations, said researchers at Bitdefender.
To make everything more legitimate-looking, the name of the targeted company may end up featured in the subject line and the body of the email, said Bitdefender Security Specialist Bianca Stanescu.
The name of the file attached to the phony emails can contain strings like “infringement,” “interruption,” “breach,” “infraction,” “violation,” “term” or “disturbance.” Unlike in other spam runs, the attachment is not a .ZIP file; instead, the attackers are using the ARJ file archiver.
Once the attached file is decompressed and executed, the malware drops and opens a clean RTF document containing information on discipline programs and company policy violations.
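Because the campaign relies on ARJ attachments and a small set of lure words in the filename, a mail gateway can flag both before the archive is ever opened. The following is an added detection example, not code from Bitdefender or the article: it checks the declared filename against the strings listed above and checks the attachment's first bytes for the ARJ header id, so a renamed archive is still caught. The message builder and the sample data are constructed test input.

```python
import base64
from email import policy
from email.parser import BytesParser

# ARJ archives begin with the two-byte header id 0xEA60, stored little-endian.
ARJ_MAGIC = b"\x60\xea"
# Filename strings reported for this campaign (taken from the article).
LURE_WORDS = ("infringement", "interruption", "breach", "infraction",
              "violation", "term", "disturbance")


def attachment_findings(raw_message: bytes):
    """Return [(filename, [reasons])] for attachments worth quarantining.

    Both the declared name and the content are inspected, because an .arj
    archive renamed to .doc still carries the ARJ magic bytes.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        reasons = []
        if name.endswith(".arj") or data[:2] == ARJ_MAGIC:
            reasons.append("arj-archive")
        if any(word in name for word in LURE_WORDS):
            reasons.append("termination-lure-filename")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample(filename: str, payload: bytes) -> bytes:
    """Build a minimal multipart message with one attachment (constructed input)."""
    body = base64.b64encode(payload).decode()
    return (
        "From: hr@example-corp.invalid\r\n"
        "Subject: Employment termination - policy violation\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: multipart/mixed; boundary=\"XX\"\r\n\r\n"
        "--XX\r\nContent-Type: text/plain\r\n\r\nSee attached notice.\r\n"
        f"--XX\r\nContent-Type: application/octet-stream; name=\"{filename}\"\r\n"
        f"Content-Disposition: attachment; filename=\"{filename}\"\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n"
        f"{body}\r\n--XX--\r\n"
    ).encode()


if __name__ == "__main__":
    # A fake ARJ body (magic bytes plus padding) disguised as a .doc file.
    sample = build_sample("Policy_Violation_Notice.doc", ARJ_MAGIC + b"\x00" * 30)
    print(attachment_findings(sample))
```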
The threat connects to German, Brazilian or French websites, after which it starts communicating with its command and control (C&C) server to receive further instructions from the attackers. The Zeus (Zbot) Trojan, which allows bad guys to steal banking information and login credentials from infected devices, then downloads onto infected machines.
Bitdefender has seen several Trojans attached to bogus emails. One of them is the downloader detected by the security firm as Trojan.Agent.BFIO. At the time of writing, only 20 of the 53 antivirus engines from VirusTotal detect the threat based on its signature.
The spam emails originate in countries such as Spain, Korea, Germany, the United States, the United Kingdom, France, Italy, Russia, Portugal and Saudi Arabia. Bitdefender researchers said servers in various countries are abused in an effort to keep law enforcement officials from tracking the attackers down.
Stanescu said most of the targeted companies are in the United Kingdom, the United States and Germany. The security firm has detected and blocked several hundred infections so far.
In addition to the fake job termination emails, the attackers are also leveraging “overdue invoice” and “fax” spam messages using similar social engineering techniques to distribute the malware.