
Thursday, 4 February 2016

Malware spam: "More scans" / admin@victimdomain.tld / DOC201114-201114-001.js

This terse spam appears to originate from within the victim's own organisation, but it does not. Instead it is a simple forgery with a malicious attachment:

From:    admin [admin@victimdomain.tld]
Date:    4 February 2016 at 08:17
Subject:    More scans

Attached is a file DOC201114-201114-001.js, which comes in several different variants. The payload appears to be the Dridex banking trojan, as seen in this earlier spam run.
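
A defensive triage check for the two traits described above, a From address in the recipient's own domain that did not authenticate and a script attachment, as an added example that is not part of the original post. The sample message, its recipient and Authentication-Results line, the extension list and the `triage` function are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Script extensions to flag (assumed list; the page only mentions .js).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")

# Constructed sample modelled on the headers quoted above. The recipient,
# the Authentication-Results line and the attachment body are invented.
SAMPLE = b"""\
Authentication-Results: mx.victimdomain.tld; spf=fail smtp.mailfrom=victimdomain.tld
From: admin <admin@victimdomain.tld>
To: user@victimdomain.tld
Subject: More scans
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/javascript
Content-Disposition: attachment; filename="DOC201114-201114-001.js"

// placeholder text, not real malware
--b1--
"""

def triage(raw, our_domain, authserv_id):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    if from_domain == our_domain:
        # Only trust Authentication-Results stamped by our own MTA;
        # a sender can add this header with any content.
        trusted = [str(h) for h in msg.get_all("Authentication-Results", [])
                   if str(h).split(";")[0].strip().lower() == authserv_id]
        verdicts = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", " ".join(trusted))
        # Simplification: any pass counts; dmarc= is the aligned verdict.
        if not any(result == "pass" for _, result in verdicts):
            findings.append("internal From domain without an SPF/DKIM/DMARC pass")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(SCRIPT_EXTS):
            findings.append("script attachment: " + name)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE, "victimdomain.tld", "mx.victimdomain.tld"):
        print(finding)
```
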


FoxIII said...

I've had the same email myself. I was wondering whether I should contact my hosting company about it?

Tyler Anderson said...

These guys got me :( How do I get rid of this?

Frank J C said...

Got it yesterday and was concerned for my site (assumed origination) but found no evidence of hacking. Then found this page. Never downloaded or opened the file on my system. It looked like a JavaScript file. I did open that in another browser window. But I think I was on the Linux side of my system at that time. Searched both sides of system with no results. I guess I am safe.