Fake Payment Message Leads to Malware Infected ZIP File Download

Relying on the fact that people want to know what they’ve purchased, particularly if the purchase is unexpected, attackers often use a payment notice to prompt action. In this attack, the recipient is informed that the details of their recent (unspecified) payment are attached and provided a password to open a corresponding ZIP file. 

This email can be particularly effective because it does not contain a brand name or any distinct information about the payment, forcing the victim to open the attachment if they would like to understand what they supposedly purchased. Once they click the link and provide the password to the file, the user has installed malware on the computer. Emotet, Qakbot, and other trojans are often passed in this manner, allowing it to be a foothold for other attacks like Ryuk ransomware.

The attacker has encrypted malware using a random password, which is done in order to change file signatures, so that the malware is always a never-before-seen malware attachment for threat intelligence-based solutions. Further, because the file is password protected, legacy solutions have difficulty scanning it for malware. Including the password in the email allows it to be easily accessible to humans, but hard for automated systems to decrypt. 

To understand that this is a malicious file, content analysis is required to detect both the presence of the link as well as the password for opening the link. Further context around the domain, recipients, departments, and normal communications are helpful to flag suspicious content. Understanding these behavioral systems is required to avoid false positives for this type of attack. 

If the target were to open this file and enter the password, malware is likely to be installed on the device. From there, attackers can complete a variety of other attacks related to ransomware, data theft, and more.