In a spam campaign that we have been seeing at the end of the year, malware actors were sending out Courier Delivery Notification themed e-mails to lure users into falling prey to the infamous CryptoWall ransomware.
These attached zip files in these e-mails contained malicious javascript files, which were lamely disguised as doc files, used the following filename format: [CourierName_][ID_]<NumericID>.doc.js
The malicious javascripts were detected by CYREN as either JS/Nemucod.B.gen, JS/Nemucod.D.gen or JS/Nemucod.D!Eldorado – and they commonly arrived obfuscated and written in a single line to evade detection and to also hide its malicious intent as shown in the following variants:
Once deobfuscated, these malicious javascripts commonly contained a list of URLs, where they attempt to download variants of the infamous Cryptowall Ransomware, which Cyren detected as W32/Crowti variants.
Upon successful download, the malicious javascript immediately executed the downloaded executable, which encrypted files in the affected system and prompted the user upon logon with instructions on how to pay ransom.
This behavior of the Cryptowall Ransomware family might eventually have rendered a system unusable leaving the affected users desperate to get back their important files.
Always keep your system updated
We strongly advise users to be vigilant in opening emails from unknown senders. Always be mindful of the files you are opening from attachments since even valid document files can contain exploits that carry nasty payloads which can harm not only your system, but also your valuable data. It is very important to keep your system always updated to prevent known exploits from running.
If you have recently shipped something or is expecting a shipment from a known courier, we recommend you to use the courier’s official online tracking system instead to avoid having to open malicious e-mails from cyber criminals.
As always keep your AV product definition files updated to keep your system protected from malware.