‘General Liability & Workers Compensation Insurance’ Email Contains Javascript Malware

Email purporting to be from Pacific Pathways insurance brokers claims that an attached file contains a General Liability & Workers Compensation insurance quote request packet.

Brief Analysis:
Pacific Pathways is a real insurance company, but it did not send this email. The email’s .zip attachment contains a malicious JavaScript (.js) file that, if opened, can download and install malware.

Subject: General Liability & Workers Compensation Insurance

Good morning,

I reached out a few months back with regards to your commercial insurance needs. I wanted to check in to see if now is a good time to quote any line of insurance? I have attached my quote request packet for your convenience. Please feel free to call with, email or fax the requested information and I will get right to work on your quotes.

Workers compensation carriers require 4-5 years loss runs (IF APPLICABLE), if you can please forward those my way as well.

Thank you,
[Name Removed]

Attached File: PPI QUOTE REQUEST_55691413.zip

Detailed Analysis:
According to this email, which claims to be from Pacific Pathways insurance brokers and includes the company’s logo and contact details, you can read a ‘quote request packet’ by opening an attached .zip file. The email has the subject line General Liability & Workers Compensation Insurance and claims that the sender ‘reached out a few months back with regards to your commercial insurance needs’.

However, Pacific Pathways did not send the email and the attached file does not contain insurance documents. Instead, the attachment contains malware.

If you open the attached .zip file, you will find that it contains a JavaScript (.js) file. If you then double-click the .js file, Windows runs it as a script, and the malicious JavaScript will contact a web server and then download and install malware on your computer. The intent of this malware may vary in different versions of the email. The malware may steal sensitive information such as banking passwords from your computer. Malicious JavaScript files are also currently being used to download and install Locky malware.
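Because the dangerous part of this email is a script file hidden inside a .zip attachment, a mail gateway or help-desk triage script can catch it before anyone double-clicks it. The following added example (written for this article, not code from Hoax-Slayer or from any mail product) parses a message, opens each .zip attachment in memory without extracting anything, and flags archive members whose extension Windows would execute as a script. The sample message it builds is constructed for the demonstration: the attachment name comes from the email above, but the inner file name and the addresses are assumptions.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly (Windows Script Host, HTA host, or as a PE).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".scr", ".exe"}


def scan_zip_bytes(data, depth=0, max_depth=3):
    """Return a list of archive members that are executable scripts.

    Only the central directory is read, so nothing is extracted to disk.
    Member names are visible even in password-protected archives, so a
    .js inside an encrypted zip is still reported.
    """
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                ext = os.path.splitext(name.lower())[1]  # "quote.pdf.js" -> ".js"
                if ext in SCRIPT_EXTENSIONS:
                    findings.append(name)
                elif ext == ".zip" and depth < max_depth:
                    try:
                        inner = scan_zip_bytes(zf.read(info), depth + 1, max_depth)
                    except RuntimeError:  # encrypted nested archive, cannot recurse
                        inner = ["<encrypted nested zip>"]
                    findings.extend(f"{name}/{member}" for member in inner)
    except zipfile.BadZipFile:
        findings.append("<unreadable zip>")
    return findings


def scan_message(raw_bytes):
    """Return (attachment_name, finding) pairs for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(filename.lower())[1]
        if ext == ".zip" or payload.startswith(b"PK\x03\x04"):
            for hit in scan_zip_bytes(payload):
                findings.append((filename, hit))
        elif ext in SCRIPT_EXTENSIONS:
            # Script attached directly rather than inside an archive.
            findings.append((filename, filename))
    return findings


def build_sample_message(inner_name="PPI QUOTE REQUEST_55691413.js"):
    """Construct a test message shaped like the one in the article.

    The .zip name is taken from the article; the member name and the
    addresses are assumptions. The member content is a harmless placeholder.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "// constructed placeholder, not the real script\n")
    msg = EmailMessage()
    msg["Subject"] = "General Liability & Workers Compensation Insurance"
    msg["From"] = "quotes@example.invalid"
    msg["To"] = "office@example.invalid"
    msg.set_content("I have attached my quote request packet for your convenience.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="PPI QUOTE REQUEST_55691413.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, finding in scan_message(build_sample_message()):
        print(f"BLOCK: {attachment} contains script file {finding}")
```

The check keys on the last extension after lowercasing, so double extensions such as `quote.pdf.js` are still caught, and it never writes archive contents to disk. A real gateway would pair this with quarantining the message and alerting the recipient rather than only printing.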

This attack is aimed at businesses in the hope that a busy or inexperienced staff member may open the attachment in the mistaken belief that it really contains a work-related insurance quote.

Details, such as the name of the person who supposedly sent the email and the attachment name may vary in different versions of the message. If you receive one of these emails, do not open any attachments or click any links that it contains.

Keep in mind that such malware campaigns often use the names and logos of genuine companies such as Pacific Pathways to make their claims seem more credible. The impersonated companies are also victims of these criminals and are in no way responsible for malware attacks made in their names.


Last updated: April 23, 2016
First published: April 23, 2016
By Brett M. Christensen

General Liability & Workers Compensation Insurance pacificpathins.com – JS malware