Fraud for a law firm that does not exist

Criminals have become accustomed to the fact that in campaigns in which they spread malicious software, they impersonate entities that are reflected in the National Court Register (KRS) and in the activities they actually perform (on the basis of NACE). This time, they did not apply too much to preparing a false message that is the most important part of the attack.

Original spelling:

Subject: Invoice Office

Content: In the attachment I am sending an invoice to the order placed.

Please be advised that the attached document is an invoice within the meaning of the Act of 30/05/2018 on tax on goods and services. It can be stored in electronic or paper format after printing.

Regards,

Torbus Urszula

Broagra Sp. z o. o

Fraud law office

In the attached message there is a packed file Fa_2018333.rar , and in the middle there is a bad imitation of the invoice, which does not even have an Adobe icon, so recognizable among non-technical users.

Running the Fa_2018333.vbs file executes the malicious code through the wscript.exe process, which communicates with the server with the IP address 172.245.158.165 located in the United States. Next, depending on various factors, the virus tries to create the powershella scripts and run them - in turn these create the% programfiles% file that will be added to the autostart. The malware will be launched every time the computer is turned on and, depending on the system, it communicates with the server. Final malware may contain the most dangerous form, i.e. a banking Trojan or a backdoor.

Cheater trying to impersonate Broagra Sp. z o. o. under the pretext of an invoice for the order placed. In the subject line "Faktura Kancelaria" tries to create the impression that the message was sent by a law firm - but from a very strange email address [email protected] . Under the subdomain banolli.nazwa.pl, there are still foundations left by the administrator of the Banolli.pl restaurant website. The crook tries to impersonate this company's e-mail address.

Traditionally, spam is sent from the servers name.pl:

ady48.rev.netart.pl 77.55.102.48 

The spamer to the nazwa.pl server logs in from the IP address:

37.252.9.159 

.VBS file hack after unpacking the .RAR attachment:

eaae5a0f17d0fb143186c9659d8adfb4b7d8d142050e286023acd6568fbbf91a 

Potential attachment names:

Fa_2018333 

Attempts to impersonate e-mail addresses:

[email protected] 

We recommend all our readers our guide on securing computers with Windows . We describe step by step how to protect yourself against malicious attachments. Thanks to these tips, this kind of malware will not be a threat to anyone.



Add new comment

The content of this field is kept private and will not be shown publicly.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.