
The effectiveness of purported invoice emails in spreading threats

Emails carrying supposed invoices have become a very effective lure for delivering threats.

As an example of the large number of campaigns that use invoices as a lure, ESET reviews some of the emails received by one of the mailboxes its laboratory set up in Spain to detect this type of campaign. In less than twelve hours they observed four different campaigns with invoices, budgets or proof of payment as the subject, which shows how intensively criminals rely on this theme.

Among the detected campaigns, several types can be distinguished, starting with those that attach the file directly to the email and rely on the user downloading and executing it.

ESET also observed a second technique that, instead of attaching the supposed invoices, includes links, or images of the documents with embedded links, so that the download starts when the user clicks on them to preview the document.


File download

In either format, the goal of these emails is to get the user to download some kind of file onto the system and then run it.

Criminals are also aware that suspicious attachments are very likely to be detected if they use traditional executable formats such as EXE. For this reason, they try to camouflage their threats inside compressed files, or by using less common extensions that can nevertheless still be executed on Windows operating systems.

Among the strategies used to disguise the malware download, one stands out: the approach that the Mekotio banking trojan has been using in some of its campaigns for a few months. Instead of placing a link in the email body or attaching the malicious file directly, these campaigns use a PDF document with an embedded link that redirects the user to download the file responsible for the first stage of the malware.
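The two delivery patterns described above (an executable hidden inside a compressed attachment under a less common extension, and a PDF whose only job is to carry an embedded download link) can be triaged from the mail itself. The following Python script is an added example written for this article, not ESET's code: it parses a constructed invoice-themed message, looks inside ZIP attachments for extensions Windows will execute, and extracts `/URI` link targets from attached PDFs. The extension list, keyword list and the sample message are assumptions built for the demonstration.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will run even though they are not ".exe" (assumed, not exhaustive).
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".lnk", ".ps1"}
# Subject keywords matching the invoice / quote / proof-of-payment theme (assumed list).
INVOICE_WORDS = ("factura", "invoice", "presupuesto", "budget", "comprobante", "proof of payment")

def _ext(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def risky_names(names) -> list:
    """Return the file names whose final extension is executable on Windows."""
    return [n for n in names if _ext(n) in RISKY_EXT]

def pdf_links(data: bytes) -> list:
    """Extract /URI targets of link annotations; a regex scan, not a full PDF parser."""
    return [m.decode("latin-1", "replace") for m in re.findall(rb"/URI\s*\(([^)]*)\)", data)]

def triage(raw: bytes) -> dict:
    """Flag invoice-themed subject, executables (also inside ZIPs) and PDF link targets."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").lower()
    out = {"invoice_theme": any(w in subject for w in INVOICE_WORDS), "risky_files": [], "pdf_urls": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        out["risky_files"] += risky_names([name])          # direct executable attachment
        if _ext(name) == ".zip":                            # look through the archive
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                out["risky_files"] += risky_names(zf.namelist())
        if _ext(name) == ".pdf" or data.startswith(b"%PDF"):  # PDF used as a link carrier
            out["pdf_urls"] += pdf_links(data)
    return out

def build_sample() -> bytes:
    """Constructed sample message for the demo; not a real campaign email."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Factura_2024.pdf.scr", b"MZ placeholder")      # double extension inside ZIP
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
           b"/A << /S /URI /URI (http://example.invalid/factura) >> >> endobj\n%%EOF")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Factura pendiente de pago", "billing@example.invalid", "user@example.invalid"
    msg.set_content("Adjuntamos la factura.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Factura.zip")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="Factura.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```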
