New WSF malware in emails “Voice Message from Outside Caller”


MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Voice Message from Outside Caller (2m 31s)”.

This email is sent from the spoofed address “Peach Telecom <peach_necsv446@hotmail.co.uk>” and has the following body:

Voice Message Arrived on Friday, Aug 26 @ 8:50 AM
Name: Outside Caller
Number: Unavailable
Duration: 2m 31s
_________________
*****.BE SV9100 InMail

In each email, the duration changes and the domain of the recipient is included at the end of the message.

The attached file Outside Caller 08-26-2016 784036b.zip contains the file 08-26-2016 69tthi05.wsf which is a Windows Script File. Filenames of the ZIP archive and extracted WSF will change with each email as well.

The malware is detected by 9/56 AV engines at VirusTotal. Malwr analysis shows that more malware will be downloaded from hxxp://digho.web.fc2.com/nb20gjBV?jNpfJetYR=wCNyEp. Other URLs may be used in different variants.
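
Because the filenames and duration change with each email, a mail filter is better keyed on the stable traits described above: the subject pattern and a ZIP attachment that contains a .wsf file. The following is an added example, not code from MX Lab; the function names are hypothetical and the sample message is constructed with a harmless placeholder file and a placeholder sender address.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject pattern from this campaign; the duration varies per email.
SUBJECT_RE = re.compile(r"Voice Message from Outside Caller \(\d+m \d+s\)")
# Assumption: only .wsf is named on the page; extend this tuple per local policy.
SCRIPT_EXTS = (".wsf",)


def script_members(zip_bytes):
    """Return names of script files inside a ZIP, or [] if it is not a readable ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []


def inspect_message(raw):
    """Return findings for one raw RFC 5322 message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {"subject_match": bool(SUBJECT_RE.search(msg["Subject"] or "")), "scripts": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            findings["scripts"] += [(name, m) for m in script_members(payload)]
    return findings


def build_sample():
    """Constructed sample: a ZIP holding a placeholder .wsf with no script in it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("08-26-2016 sample.wsf", "<job><!-- placeholder, no script --></job>")
    msg = EmailMessage()
    msg["From"] = "Peach Telecom <sender@example.invalid>"
    msg["Subject"] = "Voice Message from Outside Caller (2m 31s)"
    msg.set_content("Voice Message Arrived on Friday, Aug 26 @ 8:50 AM")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Outside Caller 08-26-2016 sample.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(inspect_message(build_sample()))
```

The archive check is the stronger signal of the two, since it still fires when a variant changes the subject line.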