Fake job seeker’s emails deliver ransomware and info-stealer
The latest Cryptowall-delivery campaign comes with an additional menace: the Fareit Trojan, which is designed to steal logins and passwords from compromised computers, download additional malware, and can be used in DDoS attacks.
The campaign takes the form of spammed out messages impersonating a job seeker who’s sending in a resume. Judging by this, the malware peddlers have (temporarily?) decided to target companies.
The .ZIP file in question contains a JavaScript file (.JS), and this should raise some suspicion with the recipient. But, if it doesn’t, and they open it, the file will connect to two URLs to download what seem to be two .JPG files.
But they are not images – they are actually executables, and are executed automatically once they are downloaded. One is a Cryptowall 3.0 variant – as deadly as previous versions – and the other is a Fareit Trojan variant.
The ransomware encrypts files (documents, databases, emails, images, etc.), deletes their shadow copies so that victims can’t restore the files from them, and shows the ransom note asking for 500 euros or US dollars for the decryption key.
“While the victim is distracted by CryptoWall’s extortion, the spyware will steal credentials stored in the system’s FTP clients, web browsers, email clients and even Bitcoin wallets,” note Trend Micro researchers.
This is the first time that crypto-ransomware has been spotted being accompanied by spyware. The researchers posit that the cybercriminals have either become greedy or simply want to have a backup plan.
“Perhaps people are refusing to pay the ransom or they have become more savvy in protecting their files,” they noted. This way even if the victim refuses to pay the Bitcoin ransom, the cybercriminals can still get money by stealing existing Bitcoin wallets and by selling/using any stolen information.
Now, more than ever, users should be careful when evaluating the legitimacy of received emails, especially when they are unsolicited. Checking attachments with an (up-to-date) AV solution or submitting it to VirusBulletin before even thinking of opening it should be your default behaviour, and if your company has a dedicated IT or IT security department, asking them to check such an email for you is also a good idea.