In a new malspam campaign, attackers are sending fake order confirmation emails that imitate Amazon. Subject lines such as “Amazon order details” or “Your Amazon.com order” are used to lure unsuspecting recipients. When the email is opened, the victim sees only an order number, with no indication of what was ordered or any product details. To see them, the user is prompted to click the “Order Details” option, which starts a download of the order_details.doc file. After the file has downloaded, the victim must select the Enable Content button, which launches a PowerShell command that downloads and executes the Emotet banking trojan. The malicious files used are mergedboost.exe and Keyandsymbol.exe; they run unnoticed in the background, performing activities such as logging keystrokes and harvesting account information. Compromised servers in Colombia, Indonesia and the United States were used in the campaign.
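As an added defender-side example (not from the original report), the following Python detector runs over constructed Sysmon-style process-creation records and flags the step in this chain where a macro-enabled Office document launches a script host such as PowerShell, escalating severity when hidden-window or encoded-command options are present. The field names, paths and command lines are assumptions modelled on Sysmon Event ID 1 and are not real telemetry.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records (not real telemetry).
# Record 1 mimics the chain above: WINWORD.EXE spawning an encoded, hidden
# PowerShell command. The others are benign-looking controls.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoP -W Hidden -Enc <BASE64_PLACEHOLDER>"},
    {"ParentImage": r"C:\Windows\explorer.exe",          # admin-launched shell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File C:\\scripts\\inventory.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",             # Office -> cmd, no risky options
     "CommandLine": 'cmd.exe /c "type report.csv"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",                 # print helper, expected child
     "CommandLine": "splwow64.exe 12288"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Options typical of macro-launched PowerShell: hidden window, encoded command,
# no profile. Matched case-insensitively against the full command line.
HIGH_RISK_OPTS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)?\s|nop\b)", re.I)


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_office_spawned_script_hosts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag Office processes that spawn a script host; escalate on risky options."""
    alerts = []
    for ev in events:
        parent, child = image_name(ev["ParentImage"]), image_name(ev["Image"])
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            severity = "high" if HIGH_RISK_OPTS.search(ev["CommandLine"]) else "medium"
            alerts.append({"parent": parent, "child": child, "severity": severity,
                           "command_line": ev["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for a in detect_office_spawned_script_hosts(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] {a['parent']} -> {a['child']}: {a['command_line']}")
```

The same parent/child logic maps directly onto a Sysmon or EDR query; the constructed Word-to-PowerShell record is the only one that reaches high severity, while the Excel-to-cmd record is surfaced at medium for triage.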
Analyst Notes
Users are advised to pay attention to grammar and spelling errors in emails. It is always safer to log in directly to the site where the item was purchased to check the order status. If the email looks unfamiliar, do not open it, and contact the retailer to confirm that they sent it.