Although there is no known reason why, researchers suspect that a phishing campaign leveraging the NetWiredRC Trojan is targeting the hotel industry. Financial departments of the targeted business are receiving emails that claim they have arrears that must be paid down. Included with the email is a Zip file that is said to withhold the bills that are owed by the target company. However, when the Zip file is clicked it places a shortcut which contains the malware onto the target system. The shortcut icon is disguised as a bill to make it even less noticeable to an unsuspecting eye. The Trojan is then downloaded from the address “http[:]//13.67.107.73:80/amtq/out-441441271.ps1” by way of the shortcut. Researchers added some insight on the deployment of trojans, “Out-441441271.ps1 is the releaser Trojan, which will release a .NET Trojan psd.exe after execution. Psd.exe is multi-layered and obfuscated.” NetWiredRC can steal information stored in IE, Comodo Dragon, Yandex, Mozilla Firefox, Google Chrome, Chromium, Opera browser, Outlook, Thunderbird, SeaMonkey, and other mail clients. Additional capabilities include getting a file directory structure, capturing disk information, taking a screenshot, simulating mouse and keyboard clicks, creating processes, getting system version information, copying, reading, writing and deleting files, and getting the network connection status.
Analyst Notes
As always, users should not open emails that come from unknown senders. As for unknown security files, users should disable macros which would prevent macro virus intrusion. Always install patches when available, and utilize antivirus software to detect when unwanted programs are downloaded on a machine.
