Only a few days after FortiGuard Labs published an article about a spam campaign exploiting an RTF document, our Kadena Threat Intelligence System (KTIS) has found another spam campaign using an even more recent document vulnerability, CVE-2017-11882. Although the vulnerability has existed for 17 years, according to a report by SecurityWeek, it was only disclosed and patched by Microsoft in the second week of this month. And as we have repeatedly seen, not long after its disclosure threat actors were quick to take advantage of this vulnerability to deliver malware using a component from a well-known penetration testing tool, Cobalt Strike.

Fake Visa Notification Targets Russian Speakers

The spam email poses as a notification from Visa about rule changes in its payWave service in Russia. The attachments include a malicious RTF document with the filename "Изменения в системе безопасности.doc Visa payWave.doc" and an archive (same filename) protected by a password that is included in the email's body. For some reason, this archive also contains the said document.

Spam mails containing password-protected archives, which usually also contain the malicious file, have become very common. The purpose is to prevent auto-analysis systems from extracting the malicious files for sandboxing and detection. This is clearly not the threat actors' intention for this campaign though, since a copy of the malicious document is out in the open. So it's possible that the password is only there to trick the user into thinking that security measures are in place, which is something one would expect in an email from a widely used financial service.

Fig. 1 Fake Visa notification email in Russian
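The pattern described above, an encrypted archive whose password sits in the same mail body, is one a mail gateway can flag without ever opening the archive: the ZIP general-purpose flag bit 0 says "encrypted" in clear, and a password hint in the body is a short regular expression away. The script below is an added example written for this page, not FortiGuard's code or tooling. It assumes the archive is a ZIP (the post does not name the archive format), uses an ASCII stand-in filename, a placeholder RTF body and a placeholder password, and builds the ZIP by hand only so that the encrypted flag can be set; the stdlib cannot write encrypted archives, so the entry data is filler rather than real ciphertext.

```python
import binascii
import email
import io
import re
import struct
import zipfile
from email import policy
from email.message import EmailMessage

# Heuristic: a word meaning "password" (Russian or English) followed within a
# short span by a colon and the password itself, e.g. "Пароль к архиву: 12345".
PASSWORD_HINT = re.compile(r"(?:пароль|password)[^\n:]{0,30}:\s*(\S+)", re.IGNORECASE)

ZIP_MAGIC = b"PK\x03\x04"
RTF_MAGIC = b"{\\rtf"


def build_zip(entries, encrypted):
    """Build a minimal stored (uncompressed) ZIP by hand.

    Only the general-purpose flag bit 0 ("encrypted") matters to the detector,
    so the entry data is a placeholder, not ciphertext. Bit 11 marks UTF-8 names.
    """
    flags = (0x0001 if encrypted else 0) | 0x0800
    local, central, offset = [], [], 0
    for name, data in entries:
        raw = name.encode("utf-8")
        crc = binascii.crc32(data) & 0xFFFFFFFF
        header = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                             crc, len(data), len(data), len(raw), 0)
        local.append(header + raw + data)
        cdir = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                           0, 0, crc, len(data), len(data), len(raw),
                           0, 0, 0, 0, 0, offset)
        central.append(cdir + raw)
        offset += len(local[-1])
    cd = b"".join(central)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                       len(entries), len(cd), offset, 0)
    return b"".join(local) + cd + eocd


def archive_is_encrypted(blob):
    """True if any entry in the ZIP carries the 'encrypted' flag (bit 0)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return any(zi.flag_bits & 0x0001 for zi in zf.infolist())


def triage(raw_mail):
    """Return triage findings for one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw_mail, policy=policy.default)
    body = ""
    findings = {"attachments": [], "encrypted_archives": [],
                "rtf_attachments": [], "password_in_body": None}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name is None:
            if part.get_content_type() == "text/plain":
                body += part.get_content()
            continue
        data = part.get_payload(decode=True) or b""
        findings["attachments"].append(name)
        # Sniff content instead of trusting the extension: in the campaign the
        # archive reuses the document's filename.
        if data.startswith(ZIP_MAGIC) and archive_is_encrypted(data):
            findings["encrypted_archives"].append(name)
        elif data.startswith(RTF_MAGIC):
            findings["rtf_attachments"].append(name)
    match = PASSWORD_HINT.search(body)
    if match:
        findings["password_in_body"] = match.group(1)
    # Encrypted archive plus its password in the same mail is the pattern worth
    # escalating: the password keeps sandboxes out, not the recipient.
    findings["suspicious"] = bool(findings["encrypted_archives"]
                                  and findings["password_in_body"])
    return findings


def sample_mail():
    """Constructed sample mimicking the described lure; not the real email."""
    msg = EmailMessage()
    msg["From"] = "visa-notify@example.invalid"           # placeholder sender
    msg["To"] = "client@example.invalid"
    msg["Subject"] = "Изменения в системе безопасности Visa payWave"
    msg.set_content("Уважаемый клиент!\nОзнакомьтесь с изменениями во вложении.\n"
                    "Пароль к архиву: 12345\n")             # placeholder password
    doc = b"{\\rtf1 placeholder, not the malicious document}"
    msg.add_attachment(doc, maintype="application", subtype="rtf",
                       filename="Visa payWave.doc")        # ASCII stand-in name
    archive = build_zip([("Visa payWave.doc", b"\x00" * 32)], encrypted=True)
    msg.add_attachment(archive, maintype="application", subtype="zip",
                       filename="Visa payWave.doc")        # same name as the doc
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(sample_mail()))
```

Run against the constructed mail, `triage` reports one encrypted archive, one RTF attachment, the password "12345" lifted from the body, and `suspicious == True`; on a mail whose archive is encrypted but whose body carries no password it stays quiet, which is the intended split between "user-supplied secret" and "secret shipped with the lure".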