Thursday, 18 May 2017

Fake BT bill carries ransomware-delivering trojan


ESET Ireland warns that the nasty Nemucod malware is back as the malicious payload of a fake BT bill.

At ESET Ireland we’ve been warning the public about Nemucod for some time. About a year ago it was one of the most prevalent malware infections in Ireland, with a 50.42% detection rate, while the global average was only 15.82%.

It all starts with an email that appears to come from BT, with the subject “New BT Online Bill” and all the correct logos and graphics. The body of the email reads:

“Your bill amount is: 376.03 GBP. This doesn't include any amounts brought forward from any other bills.
We've put your latest BT bill for you to view. See your bill here.
The PDF version of your bill might not be available for download yet. It can take up to 48 hours.
We'll take your payment from your account as usual by Direct Debit.”

Curious about what the “bill” is for, people click the link, which immediately prompts them to download a file called BT_bill.js, while the text of the message supplies an excuse for why a PDF is not available. As most people have file extensions hidden by default, most would fail to realise that .js stands for JavaScript; once opened, the file immediately installs malware that ESET detects as the JS/TrojanDownloader.Nemucod.CYJ trojan.

This malware does little direct damage itself, but it starts downloading other, more serious malware, ranging from ad-clickers and ransomware to banking trojans.
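The lure works because the link hands the recipient a script file whose extension Windows hides by default. The following mail-triage helper is an added example written for this article, not ESET’s or BT’s code: it parses an e-mail, pulls out links and attachment names, and flags any that point at a Windows Script Host file type or use a double extension such as bill.pdf.js. The sample message embedded below is constructed to resemble the lure described above; its sender address, URL and hostnames are placeholders, not real indicators.

```python
"""Mail triage helper: flag e-mails whose links or attachments deliver script files.

Added example for this article (not ESET's or BT's code). SAMPLE_EML is a
constructed message modelled on the lure in the text; the addresses and URL
in it are placeholders, not real indicators of compromise.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# File types Windows runs via the Windows Script Host or shell on double-click.
# With "Hide extensions for known file types" on (the default), the user never
# sees the extension, so BT_bill.js looks like a harmless "BT_bill".
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".cmd", ".bat", ".scr", ".exe", ".lnk",
}
# Document-looking extensions often placed before the real one (bill.pdf.js).
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample resembling the lure described in the article.
SAMPLE_EML = """\
From: "BT" <billing@example-placeholder.invalid>
To: customer@example.invalid
Subject: New BT Online Bill
Content-Type: text/plain; charset="utf-8"

Your bill amount is: 376.03 GBP.
We've put your latest BT bill for you to view. See your bill here:
http://bill-view.example-placeholder.invalid/view/BT_bill.js
The PDF version of your bill might not be available for download yet.
"""


def _basename(name: str) -> str:
    """Last path component of a URL path or filename (handles / and \\)."""
    return name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]


def extension_of(name: str) -> str:
    """Final extension, lower-cased and dot-prefixed; '' when there is none."""
    base = _basename(name)
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def is_double_extension(name: str) -> bool:
    """True for names like 'bill.pdf.js': a decoy document extension before a script one."""
    parts = _basename(name).lower().split(".")
    return len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS and "." + parts[-1] in SCRIPT_EXTENSIONS


def _body_text(msg) -> str:
    """Concatenate the text/plain parts of a message (attachments excluded)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _classify(name: str):
    """Return a reason string if the name looks like a script lure, else None."""
    ext = extension_of(name)
    if is_double_extension(name):
        return f"double extension hides {ext} script behind a document name"
    if ext in SCRIPT_EXTENSIONS:
        return f"{ext} is a Windows script/executable type"
    return None


def triage_email(raw: str) -> dict:
    """Parse an e-mail and list links/attachments that deliver script files."""
    msg = message_from_string(raw)
    findings = []
    for url in URL_RE.findall(_body_text(msg)):
        reason = _classify(urlparse(url).path)
        if reason:
            findings.append({"kind": "link", "value": url, "reason": reason})
    for part in msg.walk():
        fname = part.get_filename()
        reason = _classify(fname) if fname else None
        if reason:
            findings.append({"kind": "attachment", "value": fname, "reason": reason})
    return {
        "subject": msg["Subject"],
        "findings": findings,
        "verdict": "quarantine" if findings else "clean",
    }


if __name__ == "__main__":
    report = triage_email(SAMPLE_EML)
    print(report["verdict"], report["subject"])
    for f in report["findings"]:
        print(f"  {f['kind']}: {f['value']} ({f['reason']})")
```

On a mail gateway this check is only a first filter; it catches the script-file lure described here and the common double-extension variant, but a link that leads to a landing page which then serves the .js file will need URL detonation or a download-time control (such as opening .js files with a text editor instead of the Windows Script Host) to cover.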

ESET Ireland urges extreme caution with such emails and advises against clicking any links or attachments they contain.

The full story with screenshots is available on ESET Ireland’s official blog.