5 comments

[ 0.64 ms ] story [ 34.7 ms ] thread
There is an attachment to that thread that I would assume is malware.

--- Response with attachment ---

Notice to Appear,

You have a unpaid bill for using toll road. Please, do not forget to service your debt.

You can review the invoice in the attachment.

Sincerely, Joshua Mayer, E-ZPass Support.

Yeah inside is a file that has a .doc.js extension. Looks like some sort of javascript exploit.
Beautified contents of ZPass_00292300.doc.js:

http://pastebin.com/f8uYQDTs

Here's a deobfuscated version of that:

http://pastebin.com/TwP9bAc4

This is a pretty common malspam campaign that's been seen for the past few months.

No exploits, it just requires a Windows user to save and run it. (Depending on OS version, there will be at least a few security prompts to get through in order to run local JScript.)

Yup.

Right along with the "we've processed the payment for your flight on your credit card" click here.

A friend of mine noted that they had a card compromised in a recent breach, they changed it immediately of course, and then got an email with their actual old card number in it with a bogus attachment. We were tempted to let the trojan run to see what sort of group is so interested in spear phishing him but we decided to pass, we don't have a malware aquarium to run it in sadly.