The malware dropper has Romanian PE resources

Sep 26, 2014 23:49 GMT  ·  By

An email purporting to notify the recipient of a new voicemail message has been found to carry a malicious attachment that, when opened, downloads the Dyre banking Trojan.

This is not a new type of scam but a variant of an old one that claimed to deliver voice messages from various online services.

Cybercriminals included a link leading to a malware dropper which, according to security researchers, carries five PE (Portable Executable) resources whose language identifier is Romanian and which downloads a strain of the Dyre banking Trojan.
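The language of a PE resource is recorded in the third level of the resource directory tree (type, then name or ID, then language), so a resource's language ID is the Name field of its leaf entry. The following is an added example, not code from the article or from Cyveillance: it walks that tree and counts resources per language identifier, and it exercises the parser on a constructed minimal PE32 image (not the real dropper) with five resources tagged 0x0418 (LANG_ROMANIAN with SUBLANG_DEFAULT) and one tagged 0x0409 (US English). The section layout, RVAs and resource contents of the sample are assumptions made for the demonstration.

```python
import struct
from collections import Counter

# Windows LANGIDs pack the primary language in the low 10 bits and the
# sublanguage above it; LANG_ROMANIAN is 0x18, SUBLANG_DEFAULT is 0x01.
LANG_ROMANIAN_DEFAULT = 0x0418
LANG_ENGLISH_US = 0x0409
RT_RCDATA = 10                       # resource type for raw data blobs
RSRC_RVA, RSRC_RAW = 0x1000, 0x200   # assumed placement of .rsrc in the sample


def _dir(num_id_entries):
    """IMAGE_RESOURCE_DIRECTORY header with ID entries only (16 bytes)."""
    return struct.pack("<IIHHHH", 0, 0, 0, 0, 0, num_id_entries)


def build_resource_blob(lang_ids):
    """Constructed .rsrc contents: one RT_RCDATA resource per language ID,
    named 1..n, each with a single language-level leaf entry."""
    n = len(lang_ids)
    type_dir = 0x18                        # root dir (16) + its one entry (8)
    lang_dir_base = type_dir + 16 + 8 * n  # after the type dir and n entries
    data_base = lang_dir_base + 24 * n     # each language dir = 16 + one 8-byte entry
    blob = bytearray(_dir(1))
    blob += struct.pack("<II", RT_RCDATA, 0x80000000 | type_dir)  # high bit = subdirectory
    blob += _dir(n)
    for i in range(n):
        blob += struct.pack("<II", i + 1, 0x80000000 | (lang_dir_base + 24 * i))
    for i, lang in enumerate(lang_ids):
        blob += _dir(1)
        blob += struct.pack("<II", lang, data_base + 16 * i)  # leaf: Name field is the LANGID
    blob += bytes(16 * n)  # IMAGE_RESOURCE_DATA_ENTRY records; contents irrelevant here
    return bytes(blob)


def build_minimal_pe(rsrc):
    """Constructed PE32 image with a single .rsrc section; not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 2, RSRC_RVA, len(rsrc))  # DataDirectory[RESOURCE]
    sect = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), RSRC_RVA,
                       len(rsrc), RSRC_RAW, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers + bytes(RSRC_RAW - len(headers)) + rsrc


def resource_languages(pe):
    """Count resource leaf entries per language ID by walking the .rsrc tree."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)          # data directories: PE32 vs PE32+
    rsrc_rva = struct.unpack_from("<I", pe, dd + 8 * 2)[0]
    sections = [struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
                for i in range(nsect)]
    base = None
    for _, vsize, vaddr, raw_size, raw_ptr in sections:   # RVA -> file offset
        if vaddr <= rsrc_rva < vaddr + max(vsize, raw_size):
            base = rsrc_rva - vaddr + raw_ptr
    if base is None or rsrc_rva == 0:
        return Counter()
    langs, seen = Counter(), set()

    def walk(off, depth):
        if off in seen or base + off + 16 > len(pe):       # cycle / truncation guard
            return
        seen.add(off)
        named, ids = struct.unpack_from("<HH", pe, base + off + 12)
        for i in range(named + ids):
            name, child = struct.unpack_from("<II", pe, base + off + 16 + 8 * i)
            if child & 0x80000000:
                walk(child & 0x7FFFFFFF, depth + 1)
            elif depth == 2:                               # language level
                langs[name & 0xFFFF] += 1
    walk(0, 0)
    return langs


SAMPLE_PE = build_minimal_pe(build_resource_blob([LANG_ROMANIAN_DEFAULT] * 5 + [LANG_ENGLISH_US]))

if __name__ == "__main__":
    for lang, count in sorted(resource_languages(SAMPLE_PE).items()):
        print(f"language 0x{lang:04X}: {count} resource(s)")
```

On a real sample the same walk applies to the file on disk; a Romanian (or any unexpected) language ID on a dropper's resources is a triage hint about the build environment, not proof of attribution, since the value is set by whoever compiled the resources.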

Also known as Dyreza, the malware was discovered in June and has since been used in various attacks, the most notorious targeting customers of cloud-based CRM provider Salesforce.

It has also been employed in phishing emails claiming to be from different financial institutions, including JP Morgan.

The malware relies on a man-in-the-middle (MitM) technique to hijack the connection between the client and the server, routing it through the cybercriminals' infrastructure so that they gain access to the information exchanged between the two parties.

The subject line of the email in the recently observed attack reads “You have a new voice”, and parts of the message body (a reference number and the ID of the receiving machine) are generated automatically by the botnet distributing the emails, Robert Simmons, security manager at cyber intelligence company Cyveillance, says in a blog post.

The malware dropper comes in a file named VoiceMail.zip that supposedly gives access to the voice message; it actually contains VoiceMail.scr, a Windows executable (the .scr screensaver extension is just a PE file under another name, and Windows runs it on double-click), which, when launched, downloads the Trojan and compromises the computer.