Message appears to be delivered from Intuit, contains malware

Aug 2, 2014 18:33 GMT

A new spam campaign leveraging the Intuit brand name has been spotted delivering messages with CryptoWall malware attached, disguised as a copy of a remittance file.

The message comes with the subject “Payroll Received by Intuit” and informs the recipient that proof of payment has been attached, prompting users to open it.

The attachment is a ZIP archive, which contains an executable with the name “Remittance.exe.” Conrad Longmore from Dynamoo’s Blog uploaded the file to the VirusTotal service, where the detection rate was 9/53.

Further investigation, which led to an analysis from ThreatTrack, revealed that the malware sample was actually a variant of CryptoWall ransomware, which, once it infects a computer system, proceeds to encrypt specific file types, including DOC, XLS and TXT, as well as videos and images.

CryptoWall is known to be distributed via spam email, and it is believed that it was released around April this year as part of an exploit kit called RIG. At first, the prevalent attack vector was advertisements served on numerous websites.

The spam message caught by Longmore appears to be very elaborate, providing instructions with a deadline and using language that would prompt potential victims to check the matter in detail.
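
A mail-gateway style check for the delivery pattern described above (a ZIP attachment whose member is an executable), added here as an illustration and not taken from the article or the researchers it cites. The function names, the extension list, the addresses and the sample message are assumptions constructed for the example; the placeholder member carries only the `MZ` magic bytes followed by zeros.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist: extensions that should not arrive inside a mailed archive.
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".cpl", ".js", ".vbs")

def risky_zip_members(raw_email: bytes) -> list[str]:
    """Return 'attachment!member (reasons)' for executable content in ZIP attachments."""
    findings = []
    msg = message_from_bytes(raw_email, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Trust the bytes, not the declared filename or MIME type.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                reasons = []
                if info.filename.lower().endswith(RISKY_EXT):
                    reasons.append("executable extension")
                if info.flag_bits & 0x1:  # content cannot be inspected
                    reasons.append("encrypted member")
                else:
                    with zf.open(info) as fh:
                        if fh.read(2) == b"MZ":  # DOS/PE magic, catches renamed files
                            reasons.append("PE header")
                if reasons:
                    findings.append(f"{part.get_filename()}!{info.filename} ({', '.join(reasons)})")
    return findings

def build_sample(member_name: str, member_bytes: bytes) -> bytes:
    """Constructed test message: one ZIP attachment holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["Subject"] = "Payroll Received by Intuit"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("Constructed sample body.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Remittance.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    # Harmless placeholder bytes that only start with the 'MZ' magic.
    print(risky_zip_members(build_sample("Remittance.exe", b"MZ" + b"\x00" * 62)))
    print(risky_zip_members(build_sample("Remittance.txt", b"plain text")))
```

Checking the member's first bytes as well as its name means an executable renamed to a document extension inside the archive is still flagged.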