Potential victim is asked to pay the yearly subscription to the service

Jul 4, 2014 08:46 GMT

Fake emails are a common attack vector for cybercriminals. Crafted carefully, these can deal significant damage to the victim. In a recent observation, crooks target premium LogMeIn users by delivering them a fake invoice document, which is actually a malware-dropping tool.

The message appears to come from LogMeIn’s auto-mailing system, and the subject line states that it includes an invoice for the service. It informs the potential victim that the Pro subscription for the service is due on a specific day and that an invoice has been generated.

The amount that has to be paid is $473 / €347, which may seem quite large for the regular user, but this should raise no suspicions to a business that purchased a one-year LogMeIn license for ten computers.

To increase the potential victim’s trust in the legitimacy of the email, the cybercriminals provide a link to the LogMeIn support page and to what is supposed to be the address of the online invoice.

However, neither of them works, and the user has to download the invoice from the attachment. It is a ZIP archive containing “lgm_payment_invoice.pif,” an executable file that connects to a remote location in order to download the information-stealing malware.

The threat is identified differently by the antivirus engines available on VirusTotal, but most of them agree that it is a threat.

ESET’s threat encyclopedia, Virus Radar, says that it can also serve as a backdoor, as it can be controlled from a remote computer, and that it relies on rootkit-related techniques.

The malware creates the registry keys it needs to start together with the operating system, injects code into a few processes and uses them to run a new thread with its own code.

According to information from ESET, some variants of the Trojan can spread via removable drives by copying themselves into the root folder.

Since it is in contact (via HTTP) with a command and control server, the malware can receive instructions, as well as be sent new executable files to run on the victim’s computer.

Moreover, the details on Virus Radar indicate that cybercriminals can use it to monitor network traffic, start and stop services, as well as to perform denial-of-service attacks.

Before opening a file attached to a suspicious email, it is best to check it for malicious components. Online services such as VirusTotal or Jotti do not take long to verify the item and can provide useful information about the risk a file may present.
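The kind of pre-opening check described above can be automated. The following Python script is an added example, not code from the original article or from LogMeIn, ESET or VirusTotal: it constructs a sample message modelled on the lure (a ZIP attachment holding a member named “lgm_payment_invoice.pif”, here containing inert placeholder bytes, and an envelope sender that does not match the From domain), then inspects it the way a mail gateway or analyst script would, listing the archive members in memory, flagging extensions Windows executes directly such as .pif, and computing SHA-256 hashes that can be looked up on VirusTotal or Jotti without ever running the file. All addresses and domains are constructed placeholders.

```python
"""Offline triage of an e-mail with a ZIP attachment, before anything is opened.

Added example, not code from the original article. The message, the
addresses and the archive contents are all constructed placeholders.
"""
import hashlib
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# File types Windows runs directly on double-click; a .pif is treated as an
# executable no matter what the bytes inside look like.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd",
                         ".js", ".vbs", ".lnk"}


def build_sample_zip() -> bytes:
    """Constructed stand-in for the attachment; the member bytes are harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("lgm_payment_invoice.pif", b"placeholder bytes, not a program\n")
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed message mimicking the lure; envelope sender differs from From."""
    msg = EmailMessage()
    msg["From"] = "LogMeIn Auto-Mailer <auto-mailer@logmein.example>"  # hypothetical
    msg["Return-Path"] = "<bounce@unrelated-sender.example>"          # hypothetical
    msg["Subject"] = "LogMeIn Pro invoice"
    msg.set_content("Your Pro subscription is due. The invoice is attached.")
    msg.add_attachment(build_sample_zip(), maintype="application",
                       subtype="zip", filename="lgm_payment_invoice.zip")
    return msg.as_bytes()


def triage_zip(data: bytes) -> list[dict]:
    """One record per archive member: name, size, SHA-256 and executable-type flag."""
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)  # read in memory only; never written to disk
            # Only the final extension decides how Windows opens the file, so a
            # double extension such as "invoice.pdf.exe" is caught here as well.
            ext = os.path.splitext(info.filename.lower())[1]
            records.append({
                "name": info.filename,
                "size": info.file_size,
                "sha256": hashlib.sha256(content).hexdigest(),
                "executable": ext in EXECUTABLE_EXTENSIONS,
            })
    return records


def triage_email(raw: bytes) -> dict:
    """Parse a raw message and return the indicators a defender would act on."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    envelope_domain = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1].lower()
    members = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/zip" or name.endswith(".zip"):
            members.extend(triage_zip(part.get_content()))
    executables = [m for m in members if m["executable"]]
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "sender_mismatch": from_domain != envelope_domain,
        "members": members,
        # An executable hidden in an "invoice" archive is enough to hold the mail.
        "verdict": "quarantine" if executables else "review",
    }


if __name__ == "__main__":
    result = triage_email(build_sample_email())
    print("verdict:", result["verdict"], "| sender mismatch:", result["sender_mismatch"])
    for m in result["members"]:
        print(m["name"], m["size"], m["sha256"], "EXECUTABLE" if m["executable"] else "")
```

The hashes are computed from the archive members without extracting them to disk, so the file is never in a position to be double-clicked; the SHA-256 alone is enough to query a multi-engine scanner for an existing verdict, and the sender-domain mismatch is a second, independent signal that the invoice did not come from the auto-mailer it claims to.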