Threat Intelligence Blog

Posted September 25, 2014

By Robert Simmons, Cyveillance Security Manager and Sr. Technologist

There’s a new variant on the old theme of a fake voicemail message circulating in the wild right now. The subject of the email is “You have a new voice,” and parts of the message, such as the line purporting to state the “Receiving machine ID” and the “reference number”, are dynamically generated by the botnet sending the spam emails.


The link in the email does not lead to a drive-by attack, but it does lead to a file named, which contains a Windows executable named VoiceMail.scr. This file is a Trojan downloader that drops a variant of the Dyre banking trojan. An interesting aspect of this Trojan downloader is that it has five Romanian language PE resources. This particular Trojan has been in the news lately because its configuration has been changed to target corporate data outside of just banking information. Specifically it has been configured to steal data from

As always, the safest course of action is to delete strange or unusual emails. And if you have a voicemail system that forwards messages to email, check with your administrators for how to identify legitimate messages.

Cyveillance Security Labs focuses on malware and sophisticated technical threat actors, including their tactics, techniques and procedures (TTPs). Learn more here.

Additional Posts

New Vulnerabilities Galore: Bash Bug and Firefox NSS Issues Hit the Web

By Robert Simmons, Cyveillance Security Manager and Sr. Technologist A number of security experts ...

Five Signs It’s Time to Upgrade Your Cyber Threat Intelligence Solution

    1. You have no services or tools monitoring for potential threats outside of your ...