vissha Posted August 20, 2018

A malspam campaign is underway that pretends to be an invoice for an outstanding payment. When these invoices are opened, they install the AZORult information-stealing Trojan and the Hermes 2.1 Ransomware onto the recipient's computer.

A recent sample of this campaign was shared with BleepingComputer by security researcher Yves Agostini, which was identified as installing AZORult and Hermes 2.1.

These spam emails have a subject of "Invoice Due" and pretend to be about outstanding balances that contain a Word document attachment called Invoice.doc as shown below.

[Image: Malspam with Fake Invoice Attachment]

These Word document attachments are password protected in order to make it more difficult for antivirus vendors to detect them as malicious. The password for these attachments is given in the malspam and, in the case above, the password is 1234.

[Image: Document asking for a password]

Once a recipient enters the password, they will be greeted with the Enable Content prompt. For those who are not familiar with this button, once you click on it, Word will enable Macros or other embedded scripts, which would then be executed.

[Image: Enable content]

In this case, when you click on Enable Content, the AZORult Trojan (azo.exe) will be downloaded and executed, which will then download and execute the Hermes 2.1 Ransomware (hrms.exe).

[Image: Fiddler showing download of malware]

The Hermes 2.1 Ransomware will be executed first and encrypts the files on a computer. This particular ransomware does not change the filenames, so the only way you would know you are infected is by spotting the DECRYPT_INFORMATION.html ransom notes as shown below.

[Image: Hermes 2.1 Ransom Note]

As always, beware of fake invoices or other unknown attachments. Furthermore, never open an attachment unless you are expecting it from the sender and have confirmed that they actually sent it to you. Otherwise, you never know what you will be opening and potentially infecting yourself with.

IOCs

Hashes:

Hermes 2.1 Ransomware: 416235b085b6b86640cac3a78f0bd52583eed7154fc3666f5338bde96db10fab
AZORult: 6ef12546c720ca40303dbf1ec391c967e5e0446c1e719d44001d3dcd2c2b8460

Malspam Message:

Subject: Invoice Due

This is to inform you that there is still an outstanding payment of $12,340 USD. We would appriciate it if this could be settled no later than the 20th. I have attached the current invoice and the password for the document is: 1234

Thank you.
Federico Crowley

Source
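The post above gives a defender three concrete handles: the two SHA-256 IoCs, the fact that the attachment is password protected so AV cannot look inside it, the macro that has to be enabled, and the DECRYPT_INFORMATION.html note Hermes leaves behind. The script below is an added example (not code from the post or from BleepingComputer) that turns those into a small triage scanner; the function names (classify, scan_directory, build_sample_dir, demo) and the sample files it writes are this example's own and are constructed, not real malware. It assumes an encrypted OOXML document is recognisable by the "EncryptedPackage" stream name inside its OLE wrapper and a macro-enabled OOXML document by a vbaProject.bin part, both of which hold for genuine Office files.

```python
"""Attachment and endpoint triage for the infection chain described above.

Added example, not code from the post or from BleepingComputer; function and file
names are this example's own. Scanning a directory (a mail quarantine folder, a
Downloads folder), it flags files whose SHA-256 matches an IoC set, password-
protected OOXML attachments (an OLE container holding an "EncryptedPackage"
stream, the trick used to keep AV from seeing inside), OOXML documents that carry
a VBA project (vbaProject.bin, the kind that shows Word's "Enable Content" bar),
and Hermes-style ransom notes named DECRYPT_INFORMATION.html.
"""
import hashlib
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass, field

# IoC hashes quoted in the post (Hermes 2.1 hrms.exe and AZORult azo.exe).
KNOWN_BAD_SHA256 = {
    "416235b085b6b86640cac3a78f0bd52583eed7154fc3666f5338bde96db10fab": "Hermes 2.1 Ransomware",
    "6ef12546c720ca40303dbf1ec391c967e5e0446c1e719d44001d3dcd2c2b8460": "AZORult",
}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary signature
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.docm) is a zip
# OLE directory-entry names are UTF-16LE; encrypted OOXML always has this stream.
ENCRYPTED_PACKAGE_UTF16 = "EncryptedPackage".encode("utf-16-le")
RANSOM_NOTE_NAME = "DECRYPT_INFORMATION.html"


@dataclass
class Finding:
    path: str
    sha256: str
    tags: list = field(default_factory=list)


def classify(name: str, data: bytes, ioc_hashes=KNOWN_BAD_SHA256) -> Finding:
    """Tag one file's bytes; an empty tag list means nothing suspicious was seen."""
    finding = Finding(path=name, sha256=hashlib.sha256(data).hexdigest())
    if finding.sha256 in ioc_hashes:
        finding.tags.append(f"ioc-hash-match:{ioc_hashes[finding.sha256]}")
    if os.path.basename(name).lower() == RANSOM_NOTE_NAME.lower():
        finding.tags.append("hermes-ransom-note")
    if data.startswith(OLE_MAGIC) and ENCRYPTED_PACKAGE_UTF16 in data:
        # A password-protected .docx is re-wrapped as an OLE file; a scanner
        # cannot inspect the payload without the password from the e-mail body.
        finding.tags.append("password-protected-ooxml")
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            finding.tags.append("ooxml-with-vba-macros")
    return finding


def scan_directory(root: str, ioc_hashes=KNOWN_BAD_SHA256) -> list:
    """Walk `root` and return only the findings that carry at least one tag."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                finding = classify(full, fh.read(), ioc_hashes)
            if finding.tags:
                hits.append(finding)
    return hits


def build_sample_dir(root: str) -> None:
    """Write constructed sample files (not real malware) so the scanner runs offline."""
    os.makedirs(root, exist_ok=True)
    buf = io.BytesIO()  # constructed macro-enabled OOXML: a zip with word/vbaProject.bin
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    with open(os.path.join(root, "Invoice.docm"), "wb") as fh:
        fh.write(buf.getvalue())
    # Constructed stand-in for a password-protected document: OLE signature followed
    # by the UTF-16LE stream name that an encrypted package's directory would carry.
    with open(os.path.join(root, "Invoice.doc"), "wb") as fh:
        fh.write(OLE_MAGIC + b"\x00" * 24 + ENCRYPTED_PACKAGE_UTF16)
    with open(os.path.join(root, RANSOM_NOTE_NAME), "w") as fh:
        fh.write("<html>constructed ransom note</html>")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("benign text file")


def demo() -> dict:
    """Build the constructed samples in a temp dir and return {basename: tags}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_dir(tmp)
        return {os.path.basename(h.path): h.tags for h in scan_directory(tmp)}


if __name__ == "__main__":
    print(demo())
```

Two caveats on the heuristics. The "EncryptedPackage" check covers password-protected OOXML (.docx/.xlsx); a legacy binary .doc such as the Invoice.doc in this campaign records encryption in a flag in its Word File Information Block inside the WordDocument stream, which needs a proper OLE parser (olefile, or oletools' olevba) to read. The hash match only ever catches the exact two samples listed in the post, so the structural tags (password-protected attachment, embedded VBA project) are the durable signal: at a mail gateway, quarantining password-protected Office attachments outright is the policy that actually defeats the AV-evasion trick the post describes.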
knowledge-Spammer Posted August 20, 2018

When you get things like this, you have to think why they give you the pass 1234. If smart people don't use the pass, then you are fine; if not smart people, then good luck.
lurch234 Posted August 21, 2018

Quoting knowledge (14 hours ago): "not smart people then good luck"

If I had a business, I wonder what I should be more worried about: employees stealing or employees opening any kind of email.
knowledge-Spammer Posted August 21, 2018

Quoting lurch234 (8 minutes ago): "If I had a business, I wonder what I should be more worried about. Employees stealing or employees opening any kind of email"

Maybe both. In this topic the pass 1234 is what can save you.