QuickBooks themed emails carry hidden threat


Thought Leadership


Troy Gill

One of this morning's most active malware campaigns is posing as QuickBooks payment confirmations. Intuit's QuickBooks is a very popular financial management software/service with millions of users worldwide. One of the service's functions is to manage and pay bills, so it is routine for many people to receive payment confirmation emails just like the one seen below:

[image: 11-2-2015quickbooks]

As you can see, the messages are well formatted and include the QuickBooks image branding to add to the legitimate appearance. However, these messages come with a little something extra: the seemingly innocuous attached Word document carries a hidden threat. The attached .doc file (MD5: 90598c90c3b926e0a6e59110994df1be) contains a malicious macro that launches a Trojan dropper on the victim's machine. This particular malware communicates with a list of Russian domains (dethetear.ru, tonslachesand.ru, fortformares.ru) and downloads further malicious code to the victim's machine. The malware then goes to work harvesting previously stored credentials, such as Outlook passwords, from the victim's machine and maintains its persistent foothold to monitor for further activity.
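The indicators above (the attachment hash and the three callback domains) are what a mail gateway or SOC would actually key on. The following Python script is an added example, not code from the original post or from the vendor: it parses a constructed .eml with the standard library, hashes each attachment against the post's MD5, checks for the OLE2 signature that a legacy .doc carries plus crude VBA-project markers, and then sweeps constructed DNS log lines for lookups of the listed domains. The sample email, the fake attachment bytes, the log format and the marker heuristics are all assumptions made here for illustration; a real triage pipeline would use a proper OLE/VBA parser rather than substring matching.

```python
import email
import email.policy
import hashlib
from email.message import EmailMessage

# Indicators quoted from the post: MD5 of the attached .doc and the callback domains.
KNOWN_BAD_MD5 = {"90598c90c3b926e0a6e59110994df1be"}
C2_DOMAINS = {"dethetear.ru", "tonslachesand.ru", "fortformares.ru"}

# OLE2 compound-document signature; legacy .doc files begin with these 8 bytes.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Heuristic markers for an embedded VBA project (assumption: substring check only,
# enough to demonstrate the idea, not a substitute for a real OLE/VBA parser).
VBA_MARKERS = (b"_VBA_PROJECT", b"Macros", b"AutoOpen", b"Document_Open")


def scan_message(raw, known_bad=KNOWN_BAD_MD5):
    """Parse a raw RFC 822 message and triage each attachment.

    Returns one dict per attachment with its name, MD5, whether it is an OLE2
    file, whether VBA markers were found, whether the hash is a known IoC,
    and a verdict: "block" (hash match), "suspicious" (OLE + VBA markers),
    or "review" (anything else)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        blob = part.get_content()
        if isinstance(blob, str):          # text attachments decode to str
            blob = blob.encode("utf-8")
        md5 = hashlib.md5(blob).hexdigest()
        is_ole = blob.startswith(OLE_MAGIC)
        has_vba = is_ole and any(m in blob for m in VBA_MARKERS)
        ioc_hit = md5 in known_bad
        if ioc_hit:
            verdict = "block"
        elif has_vba:
            verdict = "suspicious"
        else:
            verdict = "review"
        findings.append({
            "name": part.get_filename() or "(unnamed)",
            "md5": md5,
            "is_ole": is_ole,
            "has_vba": has_vba,
            "ioc_hit": ioc_hit,
            "verdict": verdict,
        })
    return findings


def find_c2_lookups(lines, c2_domains=C2_DOMAINS):
    """Return (timestamp, client, qname) for DNS log lines whose queried name is
    one of the callback domains or a subdomain of one.

    Assumed log format (constructed): '<timestamp> <client-ip> query <type> <qname>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, qname = fields[0], fields[1], fields[-1].lower().rstrip(".")
        for dom in c2_domains:
            if qname == dom or qname.endswith("." + dom):
                hits.append((ts, client, qname))
                break
    return hits


def build_sample_eml():
    """Construct a stand-in for the lure: a QuickBooks-themed message with a fake
    .doc that has the OLE2 signature and VBA markers but no real content."""
    msg = EmailMessage()
    msg["From"] = "QuickBooks <noreply@example.com>"      # constructed sender
    msg["To"] = "accounts@example.org"
    msg["Subject"] = "Payment Confirmation"
    msg.set_content("Your payment has been processed. See the attached confirmation.")
    fake_doc = OLE_MAGIC + b"\x00" * 24 + b"_VBA_PROJECT\x00Macros\x00AutoOpen\x00"
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="Payment_Confirmation.doc")
    return msg.as_bytes()


# Constructed DNS log lines; only the second one resolves a listed domain.
SAMPLE_DNS_LOG = [
    "2015-11-02T08:12:40Z 10.0.0.23 query A qbo.intuit.com",
    "2015-11-02T08:12:44Z 10.0.0.23 query A tonslachesand.ru",
    "2015-11-02T08:12:51Z 10.0.0.41 query AAAA mail.example.org",
]

if __name__ == "__main__":
    for f in scan_message(build_sample_eml()):
        print(f)
    for hit in find_c2_lookups(SAMPLE_DNS_LOG):
        print("C2 lookup:", hit)
```

The hash check catches only this exact sample, which is why the OLE/VBA heuristic sits beside it: the same lure re-sent with a slightly altered document would change the MD5 but not the fact that a payment confirmation arrived as a macro-bearing .doc. The DNS sweep matches subdomains too, so a hit on any host under the listed domains is surfaced.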

This form of attack, malicious emails carrying Word documents with infected macros, is something we have been seeing quite a bit of for a while now. The attackers prey on catching users off guard by sending emails that appear to come from trusted sources, with file types the users are familiar with. By doing so they hope to gain just enough trust for the backdoor onto the victim's machine to be opened, which can in turn open the door to the entire network as well.

These types of everyday malware threats should never be taken lightly. This form of infection can do a tremendous amount of damage to an individual or an organization. Anything from fraudulent charges suddenly appearing on your credit card to a sudden wire transfer from the company account is among the many possible outcomes. Of course, when a persistent threat like this takes hold it can also lead to something even more devastating, like a massive data breach that negatively impacts your entire customer base. Attachments or links in unsolicited emails should always be met with a certain degree of skepticism, even if the message appears to be from a company with which you are quite familiar. When in doubt, reach out to the company directly to confirm the message's authenticity. This extra step might just save you a ton of pain in the future. As always, our own SecureTide customers are protected from this threat, as we were blocking it from the very onset of the campaign.