Continuing with the never ending series of malware downloaders is an email with the subject of New BT Online Bill pretending to come from BT but actually coming from a look-a-like or typo-squatted domain BT Business <email@example.com> delivers Dridex Banking Trojan.
BT has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.What has happened is that the criminals sending these have registered various domains that look like genuine Company, Bank, Government or message sending services that can easily be confused with the genuine organisation in some way.
They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.
There is a link in email body to https://educationcentreofaustr-my.sharepoint.com/personal/sanjay_eca_edu_au/_layouts/15/guestaccess.aspx?docid=05ab57c699280416f99ea36b5f6abcd2b&authkey=AcKb-ARfpB-jWOggqBdrwaQ&expiration=2017-12-20T09%3A40%3A38.000Z&e=47b850c3d69449a58a462346f9dd3bb3 where a zip containing a .js file is downloaded
You can now submit suspicious sites, emails and files via our Submissions system
Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com >. That is why these scams and phishes work so well.
bt_business_bill.zip : Extracts to: bt_business_bill.js Current Virus total detections: Hybrid Analysis | Anyrun Beta |
This malware downloads from https://northernstevedoring-my.sharepoint.com/personal/ecahill_nsspl_com_au/Documents/PublicDocuments.share?slrid=901b369e-d0a4-4000-8fb1-f80c67bfb172 which gives lZp6ME3.exe
To read the original article: