A malspam campaign is underway that pretends to be an invoice for an outstanding payment. When these invoices are opened they install the AZORult information stealing Trojan and the Hermes 2.1 Ransomware onto the recipient's computer.
Replying to @yvesago @malwrhunterteam @benkow_, ⛧ ʲªͷ ҎΩΰⱠᶊἕא (@Jan0fficial) wrote on August 17, 2018:
the document seems to drop a file called azo.exe (#Azorult) https://t.co/2hay2UVnxo
and a file called hrms.exe, which is Hermes #ransomware. https://t.co/uwfOKeO4bW pic.twitter.com/ASsiJ96p3z
These spam emails have the subject "Invoice Due", claim to concern an outstanding balance, and carry a Word document attachment named Invoice.doc, as shown below.
These Word documents are password protected to make it harder for antivirus products to scan and detect them as malicious. The password is supplied in the body of the malspam; in the example above it is 1234.
Once a recipient enters the password, they are greeted with the Enable Content prompt. For those unfamiliar with this button, clicking it tells Word to enable macros or other embedded scripts, which then execute.
In this case, when you click on Enable Content, the AZORult Trojan (azo.exe) will be downloaded and executed, which will then download and execute the Hermes 2.1 Ransomware (hrms.exe).
The Hermes 2.1 Ransomware is executed first and encrypts the files on the computer. This particular ransomware does not change filenames, so the only way you would know you are infected is by spotting the DECRYPT_INFORMATION.html ransom notes, as shown below.
As always, beware of fake invoices or other unknown attachments. Furthermore, never open an attachment unless you are expecting it from the sender and have confirmed that they actually sent it to you. Otherwise, you never know what you will be opening and potentially infecting yourself with.
Hashes (SHA-256):
Hermes 2.1 Ransomware: 416235b085b6b86640cac3a78f0bd52583eed7154fc3666f5338bde96db10fab
AZORult: 6ef12546c720ca40303dbf1ec391c967e5e0446c1e719d44001d3dcd2c2b8460
Email text:
Subject: Invoice Due
This is to inform you that there is still an outstanding payment of $12,340 USD. We would appriciate it if this could be settled no later than the 20th. I have attached the current invoice and the password for the document is: 1234
Thank you.
Federico Crowley