A malspam campaign is underway that pretends to be an invoice for an outstanding payment. When these invoices are opened they install the AZORult information stealing Trojan and the Hermes 2.1 Ransomware onto the recipient's computer.

A recent sample of this campaign, identified as installing AZORult and Hermes 2.1, was shared with BleepingComputer by security researcher Yves Agostini.

These spam emails have a subject of "Invoice Due" and pretend to be about outstanding balances. They carry a Word document attachment named Invoice.doc, as shown below.

Malspam with Fake Invoice Attachment

These Word document attachments are password protected in order to make it more difficult for antivirus vendors to detect them as malicious. The password for each attachment is given in the malspam itself; in the case above, the password is 1234.
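One defensive use of the pattern just described (an Office attachment whose opening password is handed over in the message body) is to flag such mail at the gateway and hand the recovered password to a sandbox so the document can be detonated. This is an added example, not code from the article or from the researcher cited; the message is a constructed stand-in modelled on the malspam quoted at the end of the article, and `find_password_gated_attachments` is a hypothetical helper name.

```python
import re
from email import message_from_bytes, policy

# Attachment types that can both carry macros and be password-protected.
OFFICE_EXTENSIONS = (".doc", ".docm", ".dot", ".xls", ".xlsm", ".rtf")

# Matches phrases such as "the password for the document is: 1234".
PASSWORD_RE = re.compile(
    r"password\s+(?:for|to)\s+(?:open\s+)?(?:the\s+|this\s+)?"
    r"(?:document|attachment|file|invoice)\s+is\s*:?\s*(\S+)",
    re.IGNORECASE,
)

# Constructed test message modelled on the malspam quoted in the article;
# the attachment body is only the OLE magic bytes plus padding, not a real file.
SAMPLE_MESSAGE = b"""\
From: Federico Crowley <invoices@example.invalid>
Subject: Invoice Due
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="utf-8"

This is to inform you that there is still an outstanding payment.
I have attached the current invoice and the password for the document is: 1234
--XX
Content-Type: application/msword; name="Invoice.doc"
Content-Disposition: attachment; filename="Invoice.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--XX--
"""


def find_password_gated_attachments(raw: bytes) -> list:
    """One finding per Office attachment whose password is given in the body."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    match = PASSWORD_RE.search(body)
    if not match:
        return []  # no password phrase: nothing to correlate with
    password = match.group(1).rstrip(".")
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(OFFICE_EXTENSIONS):
            findings.append({"subject": str(msg["Subject"]),
                             "attachment": name, "password": password})
    return findings
```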

Document asking for a password

Once a recipient enters the password, they will be greeted with the Enable Content prompt. For those who are not familiar with this button, clicking it tells Word to enable macros or other embedded scripts, which are then executed.

Enable content

In this case, when you click on Enable Content, the AZORult Trojan (azo.exe) will be downloaded and executed, which will then download and execute the Hermes 2.1 Ransomware (hrms.exe).

Fiddler showing download of malware

The Hermes 2.1 Ransomware will be executed first and encrypts the files on the computer. This particular ransomware does not change the filenames, so the only way you would know you are infected is by spotting the DECRYPT_INFORMATION.html ransom notes, as shown below.

Hermes 2.1 Ransom Note

As always, beware of fake invoices or other unknown attachments. Furthermore, never open an attachment unless you are expecting it from the sender and have confirmed that they actually sent it to you. Otherwise, you never know what you will be opening and potentially infecting yourself with.

Hashes:

Hermes 2.1 Ransomware: 416235b085b6b86640cac3a78f0bd52583eed7154fc3666f5338bde96db10fab
AZORult: 6ef12546c720ca40303dbf1ec391c967e5e0446c1e719d44001d3dcd2c2b8460

Malspam Message:

Subject: Invoice Due

This is to inform you that there is still an outstanding payment of $12,340 USD. We would appreciate it if this could be settled no later than the 20th.

I have attached the current invoice and the password for the document is: 1234

Thank you.

Federico Crowley