New JavaScript email-based threat masked as O2 billing invoice


MX Lab, http://www.mxlab.eu, has started to intercept a new malware distribution campaign by email with subjects like:

bill for O2
get Your O2 bill is ready
receive Your O2 bill
Your O2 bill is ready
Your O2 bill hasa been ready
Your O2 bill is already ready

This campaign is a variant of the DHL Delivery campaign we spotted today.

This email is sent from the spoofed address “xxxxx” and has the following body:

Your O2 bill

Thanks for going on with O2

Good daytime, LYNN MILLER
Now you have your bill for 07/04/17 been ready. This month you have £248.53 for payment. We will take it away from your account at the payment day, or a bit after.

To check your latest bill online anytime and anywhere:
http://www.o2.co.uk/business/billing
(JsReport – JavaScript based reporting platform)

Please note that this email has been sent to you from an unmonitored email account so we will not be able to respond to any replies to it. This email is sent from Telefónica UK Limited. Telefónica UK Limited is authorised and regulated by the Financial Conduct Authority Reference Number 718822. Registered office: 260 Bath Road, Slough, Berkshire, SL1 4DX. Registered number: 1743099.

The embedded URL leads to the host hxxp://gymgiovino.com/o2__co__uk__myo2__bill__email__8012412599/, from which the file o2__co__uk__07__04__2017__O2_3713763345.js is downloaded. This obfuscated JavaScript contains the scripting needed to download further malware.

The JavaScript downloader is detected by 10/55 AV engines on VirusTotal, and the analysis is available on Malwr.

The second-stage payload is downloaded as 2253.exe from the host hxxp://inlinemedia.co.uk/download2063/ and is a Windows executable.

The executable is detected by 12/61 AV engines on VirusTotal, and the analysis is available on Malwr.
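The lure above combines two traits a mail gateway can check for without needing the payload itself: the visible link text shows a legitimate o2.co.uk URL while the underlying href points at another host, and that href fetches a script file. The following Python is an added example written for this post, not MX Lab's tooling; the sample message bytes, the downloader hostname and the file name in it are constructed placeholders, and the subject keywords are taken from the subject lines listed above.

```python
"""Flag O2-billing style lures: spoofed link text and script-file downloads.

Constructed example for illustration; SAMPLE_EML is not the real campaign mail.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject fragments seen in the campaign (lower-cased for matching).
SUBJECT_LURES = ("o2 bill",)
# Extensions of first-stage script downloaders we want to flag.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf")

# Constructed message modelled on the lure; hostnames are placeholders.
SAMPLE_EML = b"""From: O2 Billing <billing@example.invalid>
To: victim@example.invalid
Subject: Your O2 bill is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your O2 bill</p>
<p>To check your latest bill online anytime and anywhere:<br>
<a href="http://downloader.example.invalid/o2__bill__email__0000/o2__bill.js">http://www.o2.co.uk/business/billing</a></p>
</body></html>
"""

# Constructed benign message: link text and href agree, no script download.
BENIGN_EML = b"""From: newsletter@example.invalid
To: victim@example.invalid
Subject: Weekly update
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.example.invalid/news">https://www.example.invalid/news</a></body></html>
"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    """Lower-cased host of a URL with a leading 'www.' stripped."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def analyse_message(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg["subject"] or "").lower()
    if any(lure in subject for lure in SUBJECT_LURES):
        findings.append(f"subject matches billing lure: {subject!r}")
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = AnchorCollector()
    collector.feed(body.get_content())
    for href, text in collector.anchors:
        # Only compare hosts when the visible text itself looks like a URL.
        shown = hostname(text) if text.startswith(("http://", "https://", "www.")) else ""
        actual = hostname(href)
        if shown and shown != actual:
            findings.append(f"link text shows {shown} but href goes to {actual}")
        if urlparse(href).path.lower().endswith(SCRIPT_EXTENSIONS):
            findings.append(f"href downloads a script file: {href}")
    return findings


if __name__ == "__main__":
    for finding in analyse_message(SAMPLE_EML):
        print("FINDING:", finding)
```

The host comparison deliberately strips only a leading "www." rather than guessing the registrable domain, so that o2.co.uk and www.o2.co.uk compare equal while a look-alike host on another domain does not; a production gateway would use a public-suffix list for that step.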
