Fake BT bill carries ransomware-delivering trojan

ESET Ireland warns that the nasty Nemucod malware is back as the malicious payload of a fake BT bill.

At ESET Ireland we’ve been informing the public about Nemucod for a while. About a year ago it was one of the prevalent malware infections in Ireland with a 50,42% detection rate, while the global average was only 15,82%.

It all starts with an email, appearing to come from BT with the subject “New BT Online Bill”, equipped with all the correct logos and graphics. The content of the email says:

[Image: bt.jpg, screenshot of the fake BT email]

Curious about what the “bill” is about, people would click the link, which would immediately ask them to download a file called BT_bill.js, while the text of the message makes an excuse for why a PDF file is not available. As most people have file extensions hidden by default, most would fail to realise the .js stands for JavaScript, which, if clicked, would immediately install malware that ESET detects as the JS/TrojanDownloader.Nemucod.CYJ trojan.

This malware doesn’t do much direct damage itself, but it starts downloading other, more serious malware, which includes everything from ad-clickers and ransomware to banking trojans.

ESET Ireland urges extreme caution with such emails and advises against clicking any links or attachments they contain.
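A file-name check that a mail or download filter could apply to lures like this one, as an added example that is not ESET's code. The extension lists and the `classify` helper are assumptions, and the double-extension case goes beyond the single BT_bill.js name described above.

```python
import ntpath

# Extensions Windows runs as scripts on double-click.
# Assumed list for this example; extend it to match local policy.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Document types a lure may imitate (assumed list for this example).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def classify(filename):
    """Return how the name looks with extensions hidden and whether to block it."""
    name = ntpath.basename(filename)
    # Windows drops trailing dots and spaces, so "x.js " still opens as "x.js".
    name = name.rstrip(". ")
    stem, ext = ntpath.splitext(name)
    ext = ext.lower()
    inner_ext = ntpath.splitext(stem)[1].lower()
    reasons = []
    if ext in SCRIPT_EXTENSIONS:
        reasons.append("script extension " + ext)
        if inner_ext in DECOY_EXTENSIONS:
            # With extensions hidden the user sees only the decoy, e.g. "invoice.pdf".
            reasons.append("decoy extension " + inner_ext + " shown to user")
    return {
        "shown_as": stem if ext else name,  # what Explorer displays by default
        "blocked": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample names; only BT_bill.js comes from the article.
    samples = [
        "BT_bill.js",
        "BT_bill.pdf",
        "invoice.pdf.JS",
        "C:\\Users\\a\\Downloads\\BT_bill.js ",
    ]
    for sample in samples:
        print(repr(sample), classify(sample))
```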

by Urban Schrott, ESET Ireland and
Ciaran McHale, ESET Ireland

