“Last Few Months Utility Bills” Emails Contain Malware

Emails claim that an attached file contains copies of some utility bills that you have lost over the last few months.

Brief Analysis:
The emails are not legitimate business messages and the attachments do not contain any lost utility bills. Instead, the attachments contain malicious JavaScript files that, if opened, can download and install ransomware or other types of malware.

Subject: copies

Hi [name lifted from email address], [name removed] told me you have lost some of the last few months’ utility bills.
So, I am sending to you the copies saved in my computer. Let me know if I sent the right receipts.

Best Regards,
[name removed]

Detailed Analysis:
Emails that supposedly include copies of lost utility bills are currently hitting inboxes. The emails claim that someone told the sender that you had lost some utility bills from the last few months so he or she has attached saved copies of the missing bills.

However, the emails are not legitimate. If you open the .zip file attached to the emails, you will find that it contains a file with the extension “.js” (JavaScript). If you then click on this .js file, malicious JavaScript will download and install malware on your computer. The exact nature of this malware may vary in different incarnations of the emails. However, JavaScript is often used to install Locky ransomware. Once installed, this malware can encrypt all of the important files on your computer and then demand that you pay a fee to online criminals to receive the decryption key.

Malicious JavaScript has also been used to install trojans that can steal your Internet banking passwords and other sensitive information.

Both the name of the sender and the name of the person who supposedly told the sender about the missing utility bills appear to be randomly selected and will vary in different versions of the malware emails.

The emails attempt to personalise the messages by using the part of your email address before the “@” symbol as a greeting. This will often be the recipient’s name. So, it may appear at first glance that the sender has personally greeted the recipient and must know him or her.

Like many other recent malware attacks, this one seems to be deliberately targeting businesses and office staff. The criminals no doubt hope that at least a few busy office staff who receive the messages will open the attached file without due care and attention.


Last updated: September 7, 2016
First published: September 7, 2016
By Brett M. Christensen