A wave of malicious VBScript may lead to financial fraud (Jan 22, 2016)


The Dell SonicWALL Threats Research team has observed a recent wave of malicious VBScript files targeting the Portuguese-speaking population. These files arrive as attachments to emails purporting to be important bank documents.

Infection Cycle

The file arrives as a zip file attachment to an email.

Figure 1: Spam email with a malicious zip attachment

The archive contains a file with a .vbs or .vbe file extension with names such as the following:

Figure 2: Malicious VBScript filename examples

Upon execution the malware makes a DNS query to the following domains:

Figure 3: DNS queries made to random domain names in attempt to contact the remote server

It then downloads additional malicious files:

Figure 4: HTTP GET request made by this malware

It also tried to connect to another remote server possibly to send information out. But at the time of analysis, that server appeared to have already been taken down.

Figure 5: TCP connection requests made to abuse-sinkhole.changeip.net

Our statistics show that countries with Portuguese-speaking population are the main target of this attack with Brazil being hit most, followed by Portugal, US, Uruguay and Spain. The signature hits show a clear upward trend in the number of infections detected over the past week.

Figure 6:Firewall hits per country

Figure 7: Daily signature hits

Overall, this Trojan is capable of downloading additional malware into the victim’s machine. It can also send sensitive information out to a remote server. We urge our users to always be vigilant and cautious with any unsolicited emails specially if you are not certain of the source.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Download.VBS (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.