Malspam Campaign

A new malspam campaign distributes emails referencing outstanding payments and containing a password-protected document named Invoice.doc; the document password is usually contained in the body of the email. Password protecting the document makes it more difficult for anti-virus vendors to detect the attachment as malicious. After a victim enters the password to open the document, they are instructed to enable macros. Once enabled, the AZORult information-stealing trojan executes and subsequently downloads and executes the Hermes 2.1 ransomware, which then begins encrypting files on the victim’s system. The NJCCIC recommends all users be aware of invoice-based email scams and avoid clicking links or opening attachments in unsolicited or unexpected emails.