Fake New BT Online Bill malspam delivers Dridex banking trojan

Haythem Elmir

Continuing with the never ending series of malware downloaders is an email with the subject of "New BT Online Bill" pretending to come from BT but actually sent from a look-alike or typo-squatted domain, BT Business <noreply@bt.connectionsc.com>. It delivers the Dridex banking trojan.

BT has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails. What has happened is that the criminals sending these have registered various domains that look like genuine company, bank, government or message sending services and that can easily be confused with the genuine organisation in some way.

They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

There is a link in the email body to https://educationcentreofaustr-my.sharepoint.com/personal/sanjay_eca_edu_au/_layouts/15/guestaccess.aspx?docid=05ab57c699280416f99ea36b5f6abcd2b&authkey=AcKb-ARfpB-jWOggqBdrwaQ&expiration=2017-12-20T09%3A40%3A38.000Z&e=47b850c3d69449a58a462346f9dd3bb3 from which a zip containing a .js file is downloaded.


Remember that many email clients, especially on a mobile phone or tablet, only show the name in the From: field and not the address in <domain.com>. That is why these scams and phishes work so well.

bt_business_bill.zip: extracts to bt_business_bill.js. Current VirusTotal detections: Hybrid Analysis | Anyrun Beta

This malware downloads from https://northernstevedoring-my.sharepoint.com/personal/ecahill_nsspl_com_au/Documents/PublicDocuments.share?slrid=901b369e-d0a4-4000-8fb1-f80c67bfb172, which gives lZp6ME3.exe.
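The two tells described above (a display name that invokes a brand while the actual sending domain is something else, and a zip attachment that unpacks to a script file) can both be checked mechanically at the mail gateway. The following is an added example, not code from the original article or from BT; it builds a constructed .eml that mimics the lure (the sender address is the one quoted above, the zip contains a harmless placeholder .js) and triages it. The brand allow-list `BRAND_DOMAINS` and the two-label "registrable domain" simplification are assumptions for this example; a production check would use the public suffix list.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed allow-list of legitimate sending domains per brand (constructed for this example).
BRAND_DOMAINS = {"bt": {"bt.com"}}

# Archive members with these extensions are scripts that Windows will execute on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def registrable_domain(address):
    """Return the last two labels of the address's domain.
    Simplification of public-suffix handling, adequate for this example."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    return ".".join(domain.split(".")[-2:])


def display_name_mismatch(from_header):
    """True when the From: display name names a known brand but the
    sending domain is not one of that brand's legitimate domains."""
    name, addr = parseaddr(str(from_header))
    words = {w.strip(".,()").lower() for w in name.split()}
    for brand, good_domains in BRAND_DOMAINS.items():
        if brand in words and registrable_domain(addr) not in good_domains:
            return True
    return False


def risky_archive_members(zip_bytes):
    """List the members of an in-memory zip whose names end in a script extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if any(n.lower().endswith(ext) for ext in SCRIPT_EXTENSIONS)]


def triage_message(raw_bytes):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    if display_name_mismatch(msg["From"]):
        findings.append("display-name/brand mismatch: " + str(msg["From"]))
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            risky = risky_archive_members(part.get_payload(decode=True))
            if risky:
                findings.append(f"archive {fname} contains script: {risky}")
    return findings


def build_sample():
    """Constructed sample mimicking the lure's shape; the .js body is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bt_business_bill.js", "// constructed placeholder, not the real payload\n")
    msg = EmailMessage()
    msg["From"] = "BT Business <noreply@bt.connectionsc.com>"
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "New BT Online Bill"
    msg.set_content("Your bill is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="bt_business_bill.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```

Run on a real mailbox, `triage_message` would be fed each message's bytes; the display-name check is deliberately conservative (it fires only when a brand word appears in the name), so extend `BRAND_DOMAINS` with the brands and legitimate domains your organisation actually deals with.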

To read the original article:

Fake New BT Online Bill malspam delivers Dridex banking trojan
