Fake BT bill carries ransomware-delivering trojan

ESET Ireland warns that the nasty Nemucod malware is back as the malicious payload of a fake BT bill.

At ESET Ireland we’ve been informing the public about Nemucod for a while. About a year ago it was one of the prevalent malware infections in Ireland with a 50,42% detection rate, while the global average was only 15,82%.

It all starts with an email, appearing to come from BT with the subject “New BT Online Bill”, equipped with all the correct logos and graphics. The content of the email says:


Curious about what the “bill” is about, people would click the link, which immediately asks them to download a file called BT_bill.js, while the text of the message offers an excuse for why a PDF file is not available. As most people have file extensions hidden by default, most would fail to realise that .js stands for JavaScript, a script file which, if clicked, immediately installs malware that ESET detects as the JS/TrojanDownloader.Nemucod.CYJ trojan.

This malware doesn’t do much direct damage itself, but it starts downloading other, more serious malware, which includes everything from ad-clickers and ransomware to banking trojans.

ESET Ireland urges extreme caution with such emails and advises against clicking any links or opening any attachments they contain.
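A mail-filter check for the lure described above, as an added example that is not part of the original article: it flags links and attachments in a message whose file name ends in a script extension that Windows runs on a double-click, such as the BT_bill.js download. The extension list, the function names and the sample message (with placeholder domains) are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse, unquote

# Assumed list: extensions Windows hands to a script host when double-clicked.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message; addresses and domains are placeholders.
SAMPLE = """\
From: "BT" <billing@bt-billing.example>
To: user@example.com
Subject: New BT Online Bill
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Your new bill is ready: http://downloads.example/bills/BT_bill.js?id=1
Help: https://www.example.com/help/index.html
"""

def script_ext(name):
    """Return the final extension of `name` if it is a script type, else None."""
    name = name.strip().rstrip(".").lower()
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""
    return ext if ext in SCRIPT_EXTS else None

def flag_message(raw):
    """Return (kind, value, extension) findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and script_ext(fname):
            # Only the last extension counts, so "bill.pdf.js" is still a script.
            findings.append(("attachment", fname, script_ext(fname)))
        if part.get_content_maintype() == "text" and not fname:
            for url in URL_RE.findall(part.get_content()):
                # Judge the URL by the file name in its path, ignoring the query string.
                leaf = unquote(urlparse(url).path).rsplit("/", 1)[-1]
                if script_ext(leaf):
                    findings.append(("link", url, script_ext(leaf)))
    return findings

if __name__ == "__main__":
    for finding in flag_message(SAMPLE):
        print(finding)
```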

by Urban Schrott, ESET Ireland and Ciaran McHale, ESET Ireland
