Fraud for a law firm that does not exist
Criminals have grown used to impersonating, in the campaigns through which they spread malware, entities that really exist in the National Court Register (KRS) and really carry out the business activity they claim (according to their NACE classification). This time they did not put much effort into preparing the fake message, which is the most important part of the attack.
Subject: Invoice Office
Content: In the attachment I am sending the invoice for the order placed.
Please be advised that the attached document is an invoice within the meaning of the Act of 30/05/2018 on tax on goods and services. It can be stored in electronic or paper format after printing.
Broagra Sp. z o. o
The message carries a packed archive, Fa_2018333.rar, and inside it a poor imitation of an invoice that does not even have the Adobe icon so recognizable among non-technical users.
Running the Fa_2018333.vbs file executes the malicious code through the wscript.exe process, which communicates with a server at the IP address 126.96.36.199, located in the United States. Next, depending on various factors, the malware tries to create PowerShell scripts and run them; these in turn create a file under %programfiles% that is added to autostart. The malware is therefore launched every time the computer is turned on and, depending on the system, it contacts the server again. The final payload may take the most dangerous form, i.e. a banking Trojan or a backdoor.
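As an added illustration (not code from the original article), the following Python sketch turns the three observable steps of that chain, a script host running a .vbs that arrived by mail, wscript.exe spawning PowerShell, and a Run-key autostart entry pointing at a script, into detection rules and runs them over constructed Sysmon-style events. The event layout, field names and sample paths are assumptions made for the example.

```python
import ntpath
import re

# Constructed sample telemetry, Sysmon-style (process creation and registry
# value set); these events are made up for this example, not from the article.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\ann\Downloads\Fa_2018333.vbs"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\ann\AppData\Local\Temp\a.ps1"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r'wscript.exe "C:\Program Files\Common Files\upd.vbs"'},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",  # benign admin script
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Scripts\backup.vbs"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7z.exe", "outlook.exe"}
USER_DIRS = re.compile(r"\\(Downloads|Temp|AppData)\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|ps1)\b", re.IGNORECASE)

def base(path):
    return ntpath.basename(path).lower()

def vbs_from_mail_or_archive(ev):
    """Script host running a .vbs out of a user download/temp dir or straight from an archiver."""
    if ev["type"] != "process" or base(ev["image"]) not in SCRIPT_HOSTS:
        return False
    cmd = ev["cmdline"]
    return ".vbs" in cmd.lower() and bool(USER_DIRS.search(cmd) or base(ev["parent"]) in ARCHIVERS)

def script_host_spawns_powershell(ev):
    """wscript/cscript launching PowerShell: the staging step described in the article."""
    return ev["type"] == "process" and base(ev["parent"]) in SCRIPT_HOSTS \
        and base(ev["image"]) == "powershell.exe"

def run_key_points_to_script(ev):
    """Autostart (Run key) entry whose command is a script file: the persistence step."""
    return ev["type"] == "registry" and r"\CurrentVersion\Run" in ev["key"] \
        and SCRIPT_EXT.search(ev["value"]) is not None

RULES = (vbs_from_mail_or_archive, script_host_spawns_powershell, run_key_points_to_script)

def triage(events):
    """Return (rule name, event) for every event that a rule flags, in event order."""
    return [(rule.__name__, ev) for ev in events for rule in RULES if rule(ev)]
```

The benign fourth event (an administrator's script run from explorer.exe outside any download folder) is there to show that the first rule keys on the delivery path, not on wscript.exe alone.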
The fraudster tries to impersonate Broagra Sp. z o. o. under the pretext of an invoice for an order placed. With the subject line "Faktura Kancelaria" he tries to create the impression that the message was sent by a law firm, yet it comes from a very strange e-mail address, [email protected] . Under the subdomain banolli.nazwa.pl there are still leftovers abandoned by the administrator of the Banolli.pl restaurant website, and the crook tries to impersonate this company's e-mail address.
As usual, the spam is sent from nazwa.pl servers:
The spammer logs in to the nazwa.pl server from the IP address:
Hash of the .VBS file after unpacking the .RAR attachment:
Possible attachment names:
E-mail addresses the attacker attempts to impersonate:
We recommend to all our readers our guide on securing Windows computers. It describes step by step how to protect yourself against malicious attachments. With these tips, this kind of malware will not be a threat to anyone.
We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.