Wednesday, March 16, 2016

Beware of "invoice" spam emails!

[Caution!] "invoice" spam emails

The attached JS file is a downloader!

TeslaCrypt / Locky ransomware infection

[ Updated March 2016 ]

Spam emails written in English with subjects such as Invoice (請求書, "bill") or Payment (支払い) are reportedly arriving in large numbers at email addresses in Japan.
Even users who don't read English get nervous at what looks like something about money and find it hard to ignore, so caution is needed.



For reference, the emails look like the following.

Subject: Invoice #[number]
Subject: Invoice #CS-[number]
Subject: Invoice
Subject: Invoice Copy
Subject: Transaction and Payment Confirmation
Dear Customer
{Please review the attached copy of your Electronic document.}
{The attached document is a transaction payment confirmation from GlobalMarketing Ltd.}
{Your invoice appears below. Please remit payment at your earliest convenience.}
{Please make sure you send payment for your parcel to avoid any inconvenience. Open the attached file to review the confirmation listing.}
Thank you for your business - we appreciate it very much.

Subject: Your order #[number] - Corresponding Invoice #[alphanumeric]
Dear Valued Customer,
We are pleased to inform you that your order #[number] has been processed and ready to be dispatched. However, according to our records, above mentioned invoice is still unpaid.
We would highly appreciate if you sent your payment promptly. For your information, don't hesitate to check the invoice enclosed to this letter or contact us directly.

Subject: Invoice #[number] from DataCorp Inc.
Dear Customer,
Reference nr. [number]-[number]
Our internal records show that you have an outstanding balance dating on your account. Previous invoice was for $[number] and have yet to receive your payment.
You can find the copy of the invoice enclosed to this letter.

Subject: Reference Number #[number], Last Payment Notice
Dear Client,
This e-mail is pursuant to your contract with Foreman&Clark Ltd. for our services date November 15, 2015 for the amount of $[number].
Your failure to pay as per the December 1, 2015 invoice equals to the breach of our contract.

Subject: Payment Request, Ref. nr: [number]/2015
Dear Valued Client,
The purpose of this e-mail is to follow up with you on a matter of your payment of invoice #[alphanumeric] with a Ref. nr: [number]/2015.
As of today, your outstanding past due balance is -$[number], as detailed on the statement and account report attached to this e-mail.

Subject: Payment Nr: [number]/[alphanumeric]
Subject: Invoice #[number]/[alphanumeric]
Subject: FW: Payment Declined PIN-[number]
Dear Client,
Our finance department has processed your payment, unfortunately it has been declined.
Please, double check the information provided in the invoice down below and confirm your details.

Subject: Agri Basics invoice #[number] and [number]
Please find attached invoice #[number].
Have a nice day

Subject: Your order #[number]
Dear Valued Customer,
This letter was sent to you as a formal notice that you are obligated to repay our company the sum of [number]$ which was advanced to you from our company on October 16, 2015.
Please, find the invoice enclosed down below.

Subject: Reference Number #[number], Last Payment Notice
Dear Customer,
We regret to inform you that due to your unpaid debt amount of $[number] to Sandor Inc., from November 31, 2015 we have passed your case to the court.
Your prompt attention is required to resolve this issue.

Subject: Your account has a debt and is past due
Dear Customer,
Our records show that your account has a debt of $[number].{rand(10,99)}}. Previous attempts of collecting this sum have failed.
Down below you can find an attached file with the information on your case.

Subject: Required your attention
Dear Partner,
As per your request, we have made special prices for you, which leave us only a very small margin.
Kindly find attached the prices with your personal discount, and if you need anything else, don't hesitate to contact us.

Subject: Invoice [number]
Dear [part of the email address],
Please review the attached copy of your Invoice (number: IN[number]) for an amount of $[number].
Thank you for your business

Subject: Invoice #[number]/15
Dear costumer,
You are receiving this informational letter because of the fact that you have a debt totaling $[number] due to late payment of invoices dating March 15.
In attachment you will find a reconciliation of the past 12 months (year 2015).

Subject: Delay with Your Order #[alphanumeric], Invoice #[number]
Dear Valued Customer,
It is very unpleasant to hear about the delay with your order #[alphanumeric], but be sure that our department will do its best to resolve the problem. It usually takes around 7 business days to deliver a package of this size to your region.

Subject: Unpaid invoice # [number]
Dear Client,
According to the reconciliation of the Department of Finance there are the arrears following your client account totaling in $[number] .
We attach the last unpaid invoice #[number] to this letter and kindly ask you pay it off until March 31, 2016.

Subject: Package # [number]
Dear Client,
Your replacement package was shipped 5 days ago and is now being transferred to your local post office.
The package identification number is # [number] , please double-check the information on it in the file attached below.

Subject: Order reference # [number]
Dear Customer,
We apologize for the troubles with your parcel # [number] and can assure you that this mistake will not be happening again.
Please, check the information on this case in the attachment.

Subject: Order Delay - Package Ref. [number]
Respected Customer,
The delay of your parcel ref. # [number] cannot be controlled due to the unstable weather conditions in our region.
We are doing everything we can to arrange the best shipping time for your package.

Subject: Invoice, Ref. [number]
Dear Valued Customer,
We are very grateful for your purchase. The specified sum of $[number] was paid and now your order is being processed by our company.
Delivery information and the invoice can be found in the attached file.

Subject: Shipping Information - Your Order #[number]-[number]
Dear Customer,
Your order will be shipped shortly, we apologize for the troubles. Please, review the invoice in the attached file.

Subject: Compensation - Reference Number #[number]
Dear Customer,
The mistake made will be compensated promptly, please do not worry.
Please take a look at the file attached (scanned document) as it contains all the information.

Subject: FW: Invoice #[number]-2016-03
Dear [part of the email address],
Please see attached (scanned document) file for your invoice.
Thank you for your business

Subject: FW: Invoice 2016-M#[number]
Dear [part of the email address],
Please find attached 2 invoices for processing.
Yours sincerely,

Subject: Invoice # [number] /16
Dear Customer,
The reason you are receiving this informational mail is that you have indebted sum of money totaling $[number] due to late payment of invoices starting October 2015 .
The financial reconciliation of the past 12 months (year 2015) is enclosed below.

Subject: GreenLand Consulting Unpaid Issue No. [number]
Dear Client!
For the third time we are reminding you about your unpaid debt.
You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. [number]. But it has never been paid off.

Subject: FW: Payment 16-03-#[number]
Dear [part of the email address],
We have received this documents from your bank, please review attached documents.
Yours sincerely,

Subject: Urgent Notice # [number]
Dear Customer!
According to our data you owe our company a sum of $[number]. There are records saying that you have ordered goods in a total amount of $ [number] in the third quarter of 2015.
Invoice has been paid only partially. The unpaid invoice #[number] is enclosed below for your revision.

Subject: Debt #[number] , Customer Case Nr.: [number]
Dear Customer,
Despite our constant reminders, we would like to note that the mentioned debt #[number] for $[number] is still overdue for payment.
We would appreciate your cooperation on this case and ask you to make the payment as soon as possible.

Subject: Blocked Transaction. Case No [number]
The Automated Clearing House transaction (ID: [number]), recently initiated from your online banking account, was rejected by the other financial institution.

Subject: Credit details ID: [number]
Your credit card has been billed for $[number]. For the details about this transaction, please see the ID: [number]-[number] transaction report attached.

Subject: Incoming Transaction Declined ID: [number]
Your Purchase
Sender's Details: [number]
Amount: USD[number]
ACH Routing / Transit Number: [number]
The incoming transaction (ID:[number]) has been declined by your bank.

Subject: FW: Payment ACCEPTED M-[number]
Dear [part of the email address],
Please check the payment confirmation attached to this email.
The Transaction should appear on your bank in 2 days.



These English emails have a ZIP archive attached, and when you decompress (extract) it, a JavaScript file (extension *.js) appears!

[Image: the compressed file attached to the invoice email]

[Image: never double-click! Strictly speaking, the .js extension denotes a JScript file]


[Examples of attached files]

invoice_scan_[number].zip
invoice_copy_[number].zip
invoice_[number]_scan_.zip
invoice_[number]_copy_.zip
copy_invoice_[number].zip
SCAN_invoice_[number].zip
SCAN_INVOICE_[number].zip
SCAN_PRICES_[number].zip
Invoice_ref-[number].zip
order_copy_[alphanumeric].zip
document_invoice_[number].zip
INVOICE_[number].zip
UNPAID_INVOICE_[number].zip
SCAN_00_[number].zip
SCAN_2016_03_[number].zip
Payment_2016_March_[number].zip
payment_doc_[number].zip
Details[number].zip
watch_[number].zip
letter_[number].zip
unconfirmed_operation_[number].zip
payment_scan_[number].zip
confirm_[number].zip
problem_[number].zip
finance_[number].zip
watch_it_[number].zip
warning_[number].zip
doc_details_[number].zip
payment_details_[number].zip
invoice_details_[number].zip
payment_accepted_[number].zip
payment_document_[number].zip
finance_details_[number].zip



↓ When you extract the archive by hand, you get:

invoice_SCAN_[alphanumeric].js
invoice_copy_[alphanumeric].js
invoice_[alphanumeric].js
important_[number].js
warning_[number].js
statistics_[number].js
msg.[number].js
message.[number].js
accent.[number].js
email.[number].js
letter.[number].js
problem.[number].js
see_it.[number].js
watch.[number].js
q.[number].js
Post_Tracking_Label_id00-[number]#.js
Post_Shipment_Label_id00-[number]#.js
Post_Tracking_Label_id00-[number]#.js
Post_Parcel_Label_id00-[number]#.js
Post_Tracking_Confirmation_id00-[number]#.js
Post_Tracking_Case_id00-[number]#.js
Post_Parcel_Case_id00-[number]#.js
Post_Shipment_Confirmation_id00-[number]#.js
details_[alphanumeric].js
post_[alphanumeric].js
mail_[alphanumeric].js
scan_[alphanumeric].js
e-bill_[alphanumeric].js
inv_[alphanumeric].js
letter_[alphanumeric].js
check_[alphanumeric].js
scanned_doc_[alphanumeric].js
payment_details_[alphanumeric].js
payment_[alphanumeric].js
document_[alphanumeric].js


If you double-click ♪ this JS file on a Windows PC, the attack routine fires and that's THE END 💀

So never, ever run it!

<It doesn't appear to run on Mac OS, Android/iPhone smartphones or feature phones, so for now those seem unaffected>



 

What is this JS script file for?

It downloads an executable onto the PC and launches it!

Opening the JS script file in an editor shows that it is a routine that downloads a Windows executable (extension *.exe) from an external network and launches it.

The code is obfuscated to slip past security products, so depending on the timing a file scan may not flag it as a threat.
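As an added defender-side example (not code from the original post), here is a Python triage routine that applies the two observations above: it opens a ZIP attachment in memory, reports any member with an extension Windows Script Host would run, and string-scans that member for the object names a WSH downloader has to reference, which obfuscation usually leaves at least partly visible. The message, subject, filenames and the one-line .js stub are constructed for the demo and are not samples from the campaign.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows Script Host runs on double-click; this campaign relies on .js.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe")
# Wording that recurs in the subjects quoted above.
SUBJECT_RE = re.compile(r"invoice|payment|unpaid|debt|order|parcel|package|transaction", re.I)
# Object names a WSH downloader has to reference; obfuscation usually leaves one visible.
DOWNLOADER_MARKERS = ("XMLHTTP", "ADODB.Stream", "WScript.Shell", "SaveToFile", ".exe")

def zip_script_members(zip_bytes):
    """Member names that would run under wscript.exe; the archive is read in memory only."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]

def markers_in_member(zip_bytes, name):
    """Plain-string scan of one member for downloader indicators; nothing is executed."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        text = zf.read(name).decode("latin-1")
    return [m for m in DOWNLOADER_MARKERS if m in text]

def triage(raw_eml):
    """One finding per script inside a ZIP attachment of a raw RFC 822 message."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    lure_subject = SUBJECT_RE.search(msg.get("Subject", "")) is not None
    findings = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if not fname.endswith(".zip"):
            continue
        data = part.get_payload(decode=True)
        for member in zip_script_members(data):
            findings.append({"attachment": fname, "script": member, "lure_subject": lure_subject,
                             "markers": markers_in_member(data, member)})
    return findings

def build_sample_eml():
    """Constructed message mimicking the campaign: invoice subject, ZIP holding a .js stub."""
    stub = b'var o = new ActiveXObject("MSXML2.XMLHTTP"); // constructed stub, not a downloader'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_SCAN_a1b2.js", stub)
    msg = EmailMessage()
    msg["Subject"] = "Invoice #20160316"  # constructed value, not a real campaign subject
    msg.set_content("Please review the attached copy of your Invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice_scan_1.zip")
    return msg.as_bytes()
```

Running `triage(build_sample_eml())` yields one finding naming the .js member, the lure subject match and the `XMLHTTP` marker; a mail gateway would quarantine on the script-in-ZIP condition alone and use the markers for analyst context.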



[Image: the malicious routine acting as a "downloader", written in a scripting language]



Here is what the processes looked like when I actually launched the JS file on my own machine. <Don't try this yourself>

[Image: right after actually launching the malicious JS script file]




You can see a mysterious executable (505091.exe) launched beneath wscript.exe; the computer virus the attacker was aiming for gets delivered and the machine is infected 💀

If your firewall can block outbound (sending) traffic from wscript.exe in the system folder, the step that downloads the executable is stopped.


Infected with ransomware! Files destroyed, a scene from hell

The true identity of this Windows executable is TeslaCrypt, one of the ransomware families that encrypts and destroys files and then extorts a ransom payment. <Notorious as the "vvv virus"!>

[Image: a malicious executable in the Windows temp folder!? It's that vvv virus!]






> www.virustotal.com/ja/file/b7accb9b9afc97165293cda6c9143014df49ccaa95d0bf6a80e6d9ee2e787bff/analysis/1449662803/



Two main infection routes for the ransomware have been confirmed; this one is the left-hand route in the image below.






[Added December 11, 2015]
According to the security company Trend Micro, the English virus emails already seen overseas started pouring into Japan from December 9.
Detailed analysis of the malware spam campaign spreading the "CrypTesla" ransomware | Trend Micro
http://blog.trendmicro.co.jp/archives/12713



[Added December 15, 2015]
An attack pattern that attaches a malicious Word document (extension *.doc) abusing Microsoft Office macros has also been put into play.

 


[Added March 1, 2016]
Spam emails with a JS file attached that deliver Locky instead of TeslaCrypt are also in circulation.
Locky too is a computer virus targeting Windows PCs that encrypts and destroys files and demands money if you want them restored, and it causes an enormous mess.