Fake Vodafone bill spreads trojan malware

ESET Ireland is warning Irish computer users to watch out for an email that pretends to come from Vodafone, but carries the Nemucod trojan.

ESET Ireland has come across another widely targeted malicious email. This one pretends to be a bill from Vodafone:


Clicking on the “Click here to view your bill” link downloads a ZIP file called “Vodafone bill.zip”


which in turn contains a JavaScript file called “Vodafone bill.js”


Because most Windows users have file extensions turned off by default, many fail to spot this is a JavaScript file, one of the very common vectors for the cybercriminals to deliver their malicious payloads.
Tip: Turn off “Hide extensions for known file types” in your Windows File Explorer Options.


The code is heavily obfuscated, but once activated, it proceeds to download the Nemucod trojan, which is used for further downloading all kinds of malware, ranging from ransomware to backdoors and banking trojans.

Ireland has been one of the countries worst affected by Nemucod in the past, having a 50,42% detection rate in Ireland, while the world average was 15,82%.

A similar email campaign, but using BT as bait, instead of Vodafone was active in May 2017.

ESET Ireland urges caution when receiving emails like these and avoiding clicking on unverified links or opening attachments downloaded from them.

Vodafone also offers several online security tips on their website, which can help spot and prevent falling victim to cybercriminal activity.

by Urban Schrott and Ciaran McHale, ESET Ireland


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s