New JavaScript ransomware: “Additional Information Needed #*****”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Additional Information Needed #*****” (with different numbers).

This email is sent from spoofed addresses and has the following body:

We kindly ask you to provide us additional information regarding your case.
Please find the form attached down below.

The attached file is a ZIP archive whose name contains parts of the recipient’s email address in combination with words like “copy” or “invoices” plus a random number.

The archives unzip into a folder called “letter” containing a .js file whose name begins with “letter_” and a .wrn file, which also appears to be a script but won’t run by default.
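A mail-gateway style check for the subject line and archive layout described above, as an added example that is not MX Lab's code. It assumes the subject number is digits only and that both files sit directly in the “letter” folder; `check_message` and `build_sample` are hypothetical names, and the sample archive is constructed with harmless placeholder content.

```python
import io
import re
import zipfile

# Assumption: the "#*****" part of the subject is a run of digits.
SUBJECT_RE = re.compile(r"^Additional Information Needed #\d+$")
# Layout from the description: a "letter" folder with letter_*.js and a .wrn file.
JS_RE = re.compile(r"^letter/letter_[^/]*\.js$", re.IGNORECASE)
WRN_RE = re.compile(r"^letter/[^/]+\.wrn$", re.IGNORECASE)


def check_message(subject, zip_bytes):
    """Return indicator labels found for one message (empty list if none)."""
    reasons = []
    if SUBJECT_RE.match(subject.strip()):
        reasons.append("subject")
    try:
        # Only the member names are read; nothing is extracted to disk.
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = [n.replace("\\", "/") for n in zf.namelist()]
    except zipfile.BadZipFile:
        # An attachment that cannot be inspected is reported, not passed silently.
        return reasons + ["unreadable-zip"]
    if any(JS_RE.match(n) for n in names):
        reasons.append("letter-js")
    if any(WRN_RE.match(n) for n in names):
        reasons.append("wrn-script")
    return reasons


def build_sample(members):
    """Build a constructed in-memory ZIP whose members hold placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, "// placeholder, not malware\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample(["letter/letter_AbC123.js", "letter/x1.wrn"])
    print(check_message("Additional Information Needed #48211", sample))
```
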

The malware is detected by 1/56 AV engines at VirusTotal.

Additional malware/ransomware can be downloaded from the following locations:

hxxp://cainabela.com/zFWvTM.exe
hxxp://downloadroot.com/vU4VAZ.exe
hxxp://folk.garnet-soft.com/jDFXfL.exe

The malware is detected by 7/56 AV engines at VirusTotal and the analysis is available on Malwr.
