There is no love lost between the people who write malware and the anti-virus companies who work hard to protect innocent users against them.
And occasionally that animosity spills out into the actual malicious code written by online criminals. Sometimes it might present itself in the form of code that attempts to avoid detection by a particular product, or techniques to avoid analysis in malware labs.
But sometimes… well, it just gets a lot more personal than that. And that’s what seems to have happened in a current malware campaign arriving in many users’ email inboxes today.
Here is what a typical malicious email looks like:
Subject: RE: Outstanding Account
This is a reminder that your account balance of $5746.80 was overdue as of 28 April 2016.
Enclosed is a statement of account for your reference.
Please arrange payment of this account today or, if you cannot make full payment at this time, please contact us to make a payment arrangement that is mutually acceptable.
Have a nice day
The name and job title of the person contacting you is randomly chosen, as is the amount that you are being asked to pay and the date on which it became overdue.
Attached to the email is a .ZIP file (again, its precise filename varies) that contains the malicious payload.
The danger is, of course, that people who receive the email may click on the attachment (presumably in a mixture of outrage and confusion that they are being asked to pay a substantial amount of money) without thinking of the consequences.
This isn’t an unusual disguise for online criminals to spread their attacks. In fact, these simple social engineering tricks have been proven to work time and time again – which is why it is so important for all computer users to exercise caution and be suspicious of unsolicited email attachments.
It appears that whoever wrote the malware was unable to stop themselves from including an offensive message about Travis Witteveen, the CEO of anti-virus firm Avira, as well as a call-out to another security company – Vienna-based IKARUS Security.
“Travis Witteveen S**** N****’s c****”
Of course, neither of these companies is in any way connected to the creation of the malware. All of us in the anti-virus industry get called names by online criminals from time to time. It’s part of the job and, to be honest, makes us feel like we must be doing something right!
VirusTotal reports that some anti-virus products are not yet identifying the malware, but Bitdefender security products detect both the ZIP and the .JS file as JS:Trojan.JS.Downloader.HU.
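A mail-gateway style check for the delivery pattern described above (a ZIP attachment whose filename varies, carrying a .JS file), shown as an added example that is not part of the original article. The extension list, function names and the sample message are constructed assumptions; the check inspects archive contents because the attachment name cannot be relied on.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script types that Windows runs on double-click (assumed policy list, adjust locally).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")

def script_members(raw_email: bytes):
    """Return (attachment name, archive member) pairs for scripts inside ZIP attachments."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Decide by content, not by the attachment name, which the campaign randomises.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            # Looks like a ZIP but cannot be listed: report it rather than pass it.
            hits.append((part.get_filename(), "<unreadable archive>"))
            continue
        # Case-insensitive suffix match also catches double extensions like .pdf.js
        hits += [(part.get_filename(), n) for n in names
                 if n.lower().endswith(SCRIPT_EXTS)]
    return hits

def build_sample(member_name: str, body: bytes) -> bytes:
    """Constructed test message modelled on the lure above; the payload is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, body)
    msg = EmailMessage()
    msg["Subject"] = "RE: Outstanding Account"
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Enclosed is a statement of account for your reference.")
    # Deliberately misleading attachment name: detection must not depend on ".zip".
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="statement_4f2a.dat")
    return msg.as_bytes()

if __name__ == "__main__":
    print(script_members(build_sample("statement.pdf.js", b"// inert placeholder")))
    print(script_members(build_sample("statement.pdf", b"%PDF-1.4 placeholder")))
```

A non-empty result is a reasonable trigger for quarantine or attachment stripping, independent of whether an anti-virus signature exists yet.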