Annamaria Montagnese 05 May 2016 16:43:37 AEST

New AusPost Attack: Scammers Change Tactics – From Crypto Ransomware to Trojan Malware

Cyber criminals have crafted an almost identical email to previous and very recent phishing runs impersonating AusPost.

This time around they are not linking to a remote website that hosts ransomware. Instead, the emails carry .jse (JavaScript) files as attachments that, once opened, install a Trojan designed to steal banking credentials and cached logins from your browser.

MailGuard have identified and blocked a large number of these scam emails that are purporting to be from Australia Post, but this time with the new payload.

MailGuard is consistently between 2 hours and 48 hours ahead of the market in stopping fast-breaking attacks. Most on-premise or hybrid anti-virus vendors require software updates across multiple instances, which can take hours or even days, leaving clients vulnerable in the meantime.

This type of email scam is most commonly used to propagate ransomware and is not so common for delivering Trojan malware.

Here is a sample of the standard email scam impersonating AusPost:

[Screenshot: sample AusPost email scam delivering Trojan malware, 5 May 2016]

The email is not personally addressed to the recipient but does suggest there is an action required by the recipient, which is to open the attachment.

The classic use of JavaScript is for websites to implement client-side logic and rendering in the browser. The cyber criminals have made use of the file type associations that Microsoft Windows makes between JavaScript files and Internet Explorer, whereby Windows passes the JavaScript file to Internet Explorer for execution.

When the JavaScript (.jse) attachment is executed, it downloads the final payload (a Trojan) from a remote location.

Future variants of this campaign could use any file type that Windows associates with Internet Explorer or Microsoft Edge, or any set of instructions that an application will execute when the file is passed to it.
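As an added illustration of how a mail filter can catch this delivery technique (example code written for this article, not MailGuard's product or anything from the original post): the scanner below parses a raw message, flags attachments whose final extension is a Windows script type such as .jse, and also looks inside ZIP wrappers. The extension list, the sample sender and the attachment names are constructed assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows hands to a script host rather than opening as data.
# This list is an assumption of the example, not something the post specifies.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta")


def suspicious_name(name):
    """True if the final extension is a Windows script type (case-insensitive)."""
    return name.lower().strip().endswith(SCRIPT_EXTS)


def scan_attachments(raw_message):
    """Return (attachment name, reason) findings for one raw RFC 822 message."""
    findings = []
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if suspicious_name(name):
            findings.append((name, "script attachment"))
        # ZIP wrappers are a common way to smuggle script droppers past naive filters.
        if payload.startswith(b"PK"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for inner in zf.namelist():
                        if suspicious_name(inner):
                            findings.append((name + ":" + inner, "script inside archive"))
            except zipfile.BadZipFile:
                findings.append((name, "unreadable archive"))
    return findings


def build_sample():
    """Constructed AusPost-style lure with a .jse attachment and a zipped script."""
    m = EmailMessage()
    m["From"] = "Australia Post <noreply@example.invalid>"  # constructed sender
    m["Subject"] = "Parcel delivery notification"
    m.set_content("Your parcel could not be delivered. Open the attached notice.")
    m.add_attachment(b"// placeholder, not malware", maintype="application",
                     subtype="octet-stream", filename="AusPost_Notice_1234.jse")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tracking.pdf.js", "// placeholder")  # double extension
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="Tracking.zip")
    return m.as_bytes()
```

Running `scan_attachments(build_sample())` reports both the bare .jse attachment and the .js file hidden inside the ZIP; a real filter would act on these findings (quarantine or strip the attachment) rather than just listing them.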

Speculation about the reason for the change in tactics varies, from:

1) The criminal group responsible for malware delivery being different from those behind previous campaigns. Remember that these spam campaigns are most probably facilitated by multiple cybercrime networks that are hired out to perform various functions.

2) The spammers attempting to push Trojans as a way to diversify their revenue sources.

3) Ransomware being less profitable than it was in the recent past, and

4) Trojans, which allow spammers full control over the target PC, carrying further instructions to execute a future spam campaign - effectively turning the victims of the current campaign into unwitting participants in the next.

Why is Trojan malware dangerous?

Trojans sit quietly in the background, and will take actions not authorised by the user, such as modifying, stealing, copying or even deleting data.

This type of malware is most dangerous because the user may not notice it running in the background until they are made aware of it, which can sometimes be weeks or even months after the event.

Because a server component is also installed on the machine, other criminal activities can be initiated from that machine on the criminals' behalf.

Protection against email scams

Find tips on how to protect your business against email scams by subscribing to MailGuard’s blog.

Adding a cloud-based email filtering solution will prevent scams like these from reaching your inbox and getting in front of your team.
