Password-Protected Zipped File Spammed to Deliver POWLOAD and EMOTET

Analysis by: Maria Katrina Udquin

Since the start of April, we have observed numerous spam emails written in different languages. These spam messages claim that the user's invoice is attached to the mail. The attachment is a password-protected ZIP file that contains a trojan downloader detected as variants of Trojan.W97M.POWLOAD. The user is enticed to open the attachment because the four-digit password for the ZIP is included in the message body. When the DOC file inside is opened, it uses PowerShell to download an executable whose filename contains three random numbers. This executable is detected as TrojanSpy.Win32.EMOTET.SMA. EMOTET is known to be delivered mostly via spammed messages.
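The delivery chain above combines three observable traits in one message: an invoice-themed body, a ZIP attachment whose members carry the encryption flag, and a four-digit password handed over in the same mail. The following added example (written for this note, not code from Trend Micro or from the malware) shows how a mail-gateway triage step can score those traits without opening the archive. It reads only ZIP central-directory metadata, so the password is never needed. The `build_sample_zip` fixture, the list of document extensions beyond `.doc`, the password regex and the `quarantine`/`review`/`allow` verdicts are all this example's assumptions; Python's `zipfile` cannot write encrypted entries, so the fixture patches the "encrypted" general-purpose flag bit into a plain ZIP to mimic a password-protected one.

```python
import io
import os
import re
import struct
import zipfile

# Extensions treated as "Office document" for the heuristic. The advisory
# names a .doc; the other entries are this example's assumption.
DOCUMENT_EXTS = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".rtf"}

ENCRYPTED_FLAG = 0x0001  # ZIP general-purpose flag bit 0: entry is encrypted


def build_sample_zip(member_name, encrypted):
    """Constructed fixture: a one-member STORED ZIP.

    Python's zipfile cannot write encrypted entries, so for the
    password-protected case the general-purpose flag bit 0 is patched into
    both the local file header and the central directory entry, which is
    all a metadata-only scanner looks at.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, b"placeholder document body")
    data = bytearray(buf.getvalue())
    if encrypted:
        # flags sit at +6 in a local header and at +8 in a central header
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + off)[0]
                struct.pack_into("<H", data, pos + off, flags | ENCRYPTED_FLAG)
                pos = data.find(sig, pos + 4)
    return bytes(data)


def inspect_zip(data):
    """Read only the central directory: member names and encryption flags."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            members.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & ENCRYPTED_FLAG),
                "is_document": ext in DOCUMENT_EXTS,
            })
    return members


# Four digits shortly after the word "password" (assumed lure phrasing).
PASSWORD_RE = re.compile(r"\bpassword\b.{0,12}?(\d{4})\b", re.IGNORECASE)


def find_body_password(body):
    """Return a four-digit token that follows the word 'password', else None."""
    m = PASSWORD_RE.search(body)
    return m.group(1) if m else None


def triage_message(body, attachment):
    """Score the lure described in the advisory: invoice text, an encrypted
    ZIP holding a document, and the archive password in the same mail."""
    members = inspect_zip(attachment)
    encrypted_doc = any(m["encrypted"] and m["is_document"] for m in members)
    password = find_body_password(body)
    reasons = []
    if encrypted_doc:
        reasons.append("password-protected archive contains an Office document")
    if password is not None:
        reasons.append("message body hands over a four-digit archive password")
    if re.search(r"\binvoice\b", body, re.IGNORECASE):
        reasons.append("invoice-themed lure")
    if encrypted_doc and password is not None:
        verdict = "quarantine"
    elif encrypted_doc or password is not None:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "password": password,
            "reasons": reasons, "members": members}


if __name__ == "__main__":
    # Constructed sample messages, not real spam content.
    lure = "Please find your invoice attached. The password is 4821."
    print(triage_message(lure, build_sample_zip("invoice_04_2019.doc", True)))
    print(triage_message("Monthly report attached.",
                         build_sample_zip("report.pdf", False)))
```

Because the check never decrypts the archive, it works even when the password in the body is wrong or missing; the combination of an encrypted document member and a password offered in the same message is the signal, and either trait alone is worth a human look rather than an automatic block.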

It is highly recommended to refrain from opening emails that are not from your trusted sources. Anti-spam filtering on your network and from web-based email providers does a good job of filtering out spammed messages like this.

SPAM BLOCKING DATE / TIME: April 06, 2019 GMT-8
  • ENGINE: 8.0
  • PATTERN: 4536