Everyone hates getting bills, and with each new one it seems like the amount due just keeps getting higher and higher. However, Symantec recently discovered an energy bill currently being emailed to people that will hit more than just your bank account.
A recent spam campaign sending out emails masquerading as an Australian energy company is serving up the Cryptolocker malware…or at least that’s what the spammers want you to think. Once users become infected, they are told they are infected with Cryptolocker (Trojan.Cryptolocker) however, upon further research, Symantec discovered that the malware is not related to the original Cryptolocker virus and is merely a copycat attempting to cash in on the hype and infamy of Cryptolocker.
Energy bill gives users a shock
This particular spam campaign requires a lot of work from the victim to work but once it does, the user’s files will be encrypted and all the spammers have to do is wait for their ransom payment.
To infect users with the crypto malware, the spammers use a fake bill to lure recipients to a malicious website; however, the malware is not hosted here and it is just an evasive manoeuvre to evade any link-following technologies.
The email appears to be a legitimate electronic bill from an Australian energy company, complete with a balance outstanding. The recipient just has to click a link to view their bill.
Figure 1. Energy bill spam email
Once the link is clicked the user is directed to a website that appears to be a CAPTCHA entry page, but the numbers never change. Once the user enters the fake CAPTCHA and hits submit, they are directed to the next page, which contains a link to download the energy bill.
Figure 2. Fake CAPTCHA page
Figure 3. Download page
Clicking on the download link will save a zip file to the user’s computer. The folder contains an executable file disguised with a PDF icon in an effort to trick unsuspecting users into opening it. Opening this malicious file will cause all files on the compromised computer to be encrypted. Following this, a text file opens, informing the user that they have been hacked and that they must send an email to a specific address in order to get their files decrypted.
Figure 4. Text file
Figure 5. Notification of compromise
The malware also checks to see if Outlook or Thunderbird is installed on the compromised computer and, if so, harvests the email addresses in the user’s contact list. The addresses, which are presumably used to further spread the malware, are uploaded to the following remote location:
[https://]royalgourp.org/[REMOVED].php
Protection
Symantec advises users to be cautious of emails that request new or updated personal information. Users should also avoid clicking on links in suspicious messages.
Symantec detects this malware as Trojan.Cryptolocker.F