New Javascript ransomware: recent bill


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “recent bill”.

This email is sent from spoofed addresses and has the following body:

Dear ****.*****,

Please see attached file regarding clients recent bill. Should you need further assistances lease feel free to email me.

Best regards
Emile Weaver
Executive Director Finance & Information Systems

Dear ****.****,

Please see attached file regarding clients recent bill. Should you need further assistances lease feel free to email me.

Best regards
Harland Sargent
Executive Director Sales Account Management Training Performance Support

The attached file ronnie.gjumlich_document_37FD47.zip contains the folder ronnie.gjumlich_document_37FD47 with the extracted files c75f070.js and i.

The malware is detected by 3/56 AV engines at VirusTotal.

The JavaScript is readable and contains an HTTP GET command, in a WScript.Shell, for the following URL: hxxp://spasupplyexpert.com/b3osa

The analysis on Malwr includes screenshots indicating that your files are encrypted, so the file that is being downloaded is ransomware.

The malware b3osa is detected by 3/56 AV engines at VirusTotal, and the analysis is available on Malwr.

Note that the file names of the ZIP archive, the folder and the files may vary, using combinations of letters and numbers and/or parts of the recipient's email address.
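A mail-gateway style check for the attachment pattern described above, as an added example that is not MX Lab's own code. The function names, the extension list, the name pattern and the sample recipient are assumptions, and the sample archive is constructed. Because the names vary, the script file inside the ZIP is the strong signal and the name match is only supporting evidence.

```python
import io
import re
import zipfile

# Script types run by Windows Script Host on double-click (assumed block list).
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe")
# Shape of the sample name on this page: <prefix>_document_<6 hex chars>.zip
NAME_RE = re.compile(r"^(?P<prefix>.+)_document_[0-9A-Fa-f]{6}\.zip$")


def inspect_attachment(filename, data, recipient):
    """Return the reasons a ZIP attachment resembles this campaign."""
    reasons = []
    m = NAME_RE.match(filename)
    if m:
        reasons.append("name matches <prefix>_document_<hex>.zip")
        prefix = m.group("prefix").lower()
        # The page notes names may embed parts of the recipient's address.
        if len(prefix) >= 3 and prefix in recipient.lower():
            reasons.append("name prefix is part of the recipient address")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.filename.lower().endswith(SCRIPT_EXTS):
                    reasons.append(f"script inside archive: {info.filename}")
    except zipfile.BadZipFile:
        reasons.append("attachment is not a readable ZIP")
    return reasons


def build_sample(folder, member, content=b"placeholder"):
    """Constructed in-memory ZIP: <folder>/<member> plus an empty file 'i'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{folder}/{member}", content)
        zf.writestr(f"{folder}/i", b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample; recipient and names are not from the campaign.
    name = "jane.doe_document_A1B2C3"
    data = build_sample(name, "c0ffee1.js", b"// harmless placeholder")
    for reason in inspect_attachment(name + ".zip", data, "jane.doe@example.com"):
        print(reason)
```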
