Posted September 25, 2014
By Robert Simmons, Cyveillance Security Manager and Sr. Technologist
There’s a new variant on the old theme of a fake voicemail message circulating in the wild right now. The subject of the email is “You have a new voice,” and parts of the message, such as the line purporting to state the “Receiving machine ID” and the “reference number”, are dynamically generated by the botnet sending the spam emails.
The link in the email does not lead to a drive-by attack, but it does lead to a file named VoiceMail.zip, which contains a Windows executable named VoiceMail.scr. This file is a Trojan downloader that drops a variant of the Dyre banking Trojan. An interesting aspect of this Trojan downloader is that it has five Romanian-language PE resources. This particular Trojan has been in the news lately because its configuration has been changed to target corporate data beyond banking information. Specifically, it has been configured to steal data from salesforce.com.
As always, the safest course of action is to delete strange or unusual emails. And if you have a voicemail system that forwards messages to email, ask your administrators how to identify legitimate messages.
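One way a mail or web gateway could flag the delivery pattern described above, a ZIP archive whose payload is a Windows executable such as a .scr file. This is an added example, not code from Cyveillance; the function names, the extension list and the sample archive are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Extensions Windows runs as programs; .scr (screensaver) is an ordinary PE executable.
# This list is an assumption for the example, not an exhaustive policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl"}


def suspicious_members(zip_bytes):
    """Return (name, reason) for each archive member that looks like a Windows executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            magic = b""
            # Password-protected members cannot be read; fall back to the name check.
            if not info.flag_bits & 0x1:
                with archive.open(info) as member:
                    magic = member.read(2)
            if magic == b"MZ":
                # Content check catches executables renamed to look like audio or documents.
                findings.append((info.filename, "PE header (MZ)"))
            elif ext in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable extension " + ext))
    return findings


def build_sample(members):
    """Build a constructed in-memory ZIP from {name: bytes}; no real malware involved."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-ins: a dummy "MZ" file named like the one in this post,
    # the same dummy renamed as audio, and a harmless text file.
    sample = build_sample({
        "VoiceMail.scr": b"MZ" + b"\x00" * 62,
        "message.wav": b"MZ" + b"\x00" * 62,
        "readme.txt": b"hello",
    })
    for name, reason in suspicious_members(sample):
        print(name, "->", reason)
```
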
Cyveillance Security Labs focuses on malware and sophisticated technical threat actors, including their tactics, techniques and procedures (TTPs).