A wave of malicious VBScript may lead to financial fraud

January 22, 2016

The Dell SonicWALL Threats Research team has observed a recent wave of malicious VBScript files targeting the Portuguese-speaking population. These files arrive as attachments to emails purporting to be important bank documents.

Infection Cycle

The file arrives as a zip file attachment to an email.

Figure 1: Spam email with a malicious zip attachment

The archive contains a file with a .vbs or .vbe file extension with names such as the following:

Figure 2: Malicious VBScript filename examples

Upon execution the malware makes DNS queries to the following domains:

Figure 3: DNS queries made to random domain names in attempt to contact the remote server

It then downloads additional malicious files:

Figure 4: HTTP GET request made by this malware

It also tries to connect to another remote server, possibly to exfiltrate information. At the time of analysis, however, that server appeared to have already been taken down.

Figure 5: TCP connection requests made to abuse-sinkhole.changeip.net
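The infection cycle above gives a defender two places to look: the inbound zip attachment carrying a `.vbs`/`.vbe` member, and the outbound activity after execution (a burst of lookups for random-looking domains, an HTTP GET for the next-stage file, and a connection to abuse-sinkhole.changeip.net). The following is an added example, not code from the original Dell SonicWALL write-up, showing both checks in Python. The log line format, the member filenames in the sample zip, the sample hostnames and IP, and the "distinct DNS names per host" threshold are all assumptions constructed for the example; only the `.vbs`/`.vbe` extensions and the sinkhole hostname come from the post.

```python
"""Added example (not from the original post): two defender-side checks
for the VBScript infection chain described above.

1. inspect_zip_attachment(): flags zip attachments that carry VBScript
   (.vbs/.vbe) members, which is how this wave arrives.
2. scan_log_lines(): walks constructed DNS/proxy/firewall log lines and
   flags the outbound activity the post describes: many distinct DNS
   lookups from one host, an HTTP GET for a script payload, and a
   connection to the abuse-sinkhole.changeip.net host from Figure 5.
"""
import io
import re
import zipfile

SCRIPT_EXTENSIONS = (".vbs", ".vbe")            # extensions named in the post
SINKHOLE_HOST = "abuse-sinkhole.changeip.net"   # host named in Figure 5


def inspect_zip_attachment(data):
    """Return the names of zip members with a VBScript extension.

    Any match means the attachment should be quarantined for review.
    The extension check is case-insensitive so 'X.VBS' is caught too.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]


def build_sample_attachment():
    """Constructed zip resembling the spam attachment; member names are
    placeholders, not the real filenames from Figure 2."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("documento_banco.PDF.vbs", "' placeholder text, not malware")
        zf.writestr("readme.txt", "placeholder")
    return buf.getvalue()


# Assumed log line format: "<timestamp> <host> <DNS|HTTP|TCP> <details>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>DNS|HTTP|TCP) (?P<detail>.+)$")

# Constructed sample log lines (hostnames, IP and domains are invented).
SAMPLE_LOGS = """\
2016-01-21T10:00:01 ws-17 DNS qname=xk3j2hd9s.example qtype=A
2016-01-21T10:00:01 ws-17 DNS qname=pq8sd7f1a.example qtype=A
2016-01-21T10:00:02 ws-17 DNS qname=zz19kd0s2.example qtype=A
2016-01-21T10:00:02 ws-17 DNS qname=m2k4l5j6h.example qtype=A
2016-01-21T10:00:03 ws-17 HTTP GET http://198.51.100.7/update/x.vbe
2016-01-21T10:00:05 ws-17 TCP connect dst=abuse-sinkhole.changeip.net:80
2016-01-21T10:00:09 ws-04 DNS qname=www.example.org qtype=A
2016-01-21T10:00:10 ws-04 HTTP GET http://www.example.org/index.html
"""


def scan_log_lines(lines, distinct_dns_threshold=4):
    """Return {host: [reasons]} for hosts showing the post-infection behaviour.

    distinct_dns_threshold is an assumed tuning knob: a host that resolves
    at least that many different names in the window is flagged, which is
    a crude proxy for the 'random domain names' seen in Figure 3.
    """
    hits = {}
    dns_per_host = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        host, event, detail = m["host"], m["event"], m["detail"]
        if event == "DNS":
            q = re.search(r"qname=(\S+)", detail)
            if q:
                dns_per_host.setdefault(host, set()).add(q.group(1).lower())
        elif event == "HTTP":
            url = detail.split(" ", 1)[-1]
            if url.lower().endswith(SCRIPT_EXTENSIONS):
                hits.setdefault(host, []).append("script download: " + url)
        elif event == "TCP" and SINKHOLE_HOST in detail:
            hits.setdefault(host, []).append("connection to sinkhole host " + SINKHOLE_HOST)
    for host, names in dns_per_host.items():
        if len(names) >= distinct_dns_threshold:
            hits.setdefault(host, []).append(
                "%d distinct DNS lookups in window" % len(names))
    return hits


if __name__ == "__main__":
    print("suspicious zip members:", inspect_zip_attachment(build_sample_attachment()))
    for host, reasons in scan_log_lines(SAMPLE_LOGS.splitlines()).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

In practice the attachment check belongs at the mail gateway (before delivery) and the log scan in the SIEM; together they cover the entry point and the behaviour that the signature below blocks at the firewall.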

Our statistics show that countries with Portuguese-speaking populations are the main target of this attack, with Brazil being hit most, followed by Portugal, the US, Uruguay and Spain. The signature hits show a clear upward trend in the number of infections detected over the past week.

Figure 6: Firewall hits per country

Figure 7: Daily signature hits

Overall, this Trojan is capable of downloading additional malware onto the victim's machine. It can also send sensitive information out to a remote server. We urge our users to always be vigilant and cautious with any unsolicited emails, especially if you are not certain of the source.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Download.VBS (Trojan)