Security researchers have warned of a new spam campaign that distributes malicious attachments in Herbalife-branded emails.
The researchers reported that the attackers sent more than 20 million Herbalife-branded emails in the first 24 hours, and that the campaign has continued at a rate of about two million messages per hour.
The spam messages come from a spoofed domain made to look like a legitimate one. Most of the emails are sent from Vietnam; the other significant sources are India, Colombia, Turkey and Greece.
“The Barracuda Advanced Technology Group is actively monitoring an aggressive ransomware threat that appears to come in the largest volume from Vietnam. Other significant sources of this attack include India, Colombia, Turkey and Greece. Other countries appear to be distributing the same attack in very low volumes,” Barracuda’s analysis states. “So far we have seen roughly 20 million of these attacks in the last 24 hours, and that number is growing rapidly.”
The hackers are using a new variant of Locky ransomware that carries a single identifier for every infection instead of one per victim.
“Barracuda researchers have confirmed that this attack is using a Locky variant with a single identifier. The identifier allows the attacker to identify the victim so that when the victim pays the ransom, the attacker can send that victim the decryptor,” the analysis reads. “In this attack, all victims get the same identifier, which means that victims who pay the ransom will not get a decryptor because it will be impossible for the criminal to identify them.”
The malicious attachment is disguised as an invoice for an order placed with Herbalife. Once the user opens the file, the dropper runs and fetches the ransomware from a second-stage download domain.
The researchers also observed attachments claiming to be invoices from marketplace.amazon.uk.
Other variants of the malicious emails claim to be a “copier” file delivery.
In the latest Herbalife spam campaign, the Barracuda researchers are also observing a lure that impersonates a voicemail notification, using the subject line “New voice message [phone number] in mailbox [phone number] from [phone number]”.
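The lure themes above (Herbalife and Amazon marketplace invoices, a “copier” delivery, a voicemail notification with phone numbers in the subject) and the spoofed sender domain are all visible in message headers before any attachment is opened. The mail triage below is an added example written for this page; it is not Barracuda’s code or a signature from their report. The subject-line regexes are assumptions derived from the lure descriptions in the text, the dropper extension list is a generic assumption, and the three sample messages are constructed here for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Lure themes described in the report. The regexes are assumptions built from
# the article's wording, not Barracuda's own detection signatures.
PHONE = r"[+()\d][\d()+\- ]{6,}\d"
LURE_PATTERNS = {
    "voicemail": re.compile(
        rf"^New voice message {PHONE} in mailbox {PHONE} from {PHONE}", re.I),
    "invoice": re.compile(r"\b(invoice|order)\b", re.I),
    "copier": re.compile(r"\bcopier\b", re.I),
}

# Attachment types commonly used by script droppers (assumption, not from the page).
DROPPER_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".hta", ".zip", ".7z", ".rar")


def sender_domains(msg):
    """Return (header From domain, envelope Return-Path domain), lowercased.
    A mismatch is one cheap indicator of a spoofed display domain."""
    hdr = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    env = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return hdr, env


def attachment_names(msg):
    """Collect filenames of every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def triage(raw):
    """Return a list of findings for one raw RFC 822 message (empty = nothing suspicious)."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    findings = []
    for theme, pattern in LURE_PATTERNS.items():
        if pattern.search(subject):
            findings.append(f"lure:{theme}")
    hdr_dom, env_dom = sender_domains(msg)
    if hdr_dom and env_dom and hdr_dom != env_dom:
        findings.append(f"spoof:{hdr_dom}!={env_dom}")
    # Authentication-Results is written by the receiving MTA; an SPF failure on a
    # look-alike sender is stronger evidence than the domain mismatch alone.
    if re.search(r"\bspf=(fail|softfail)\b", msg.get("Authentication-Results", "")):
        findings.append("spf:fail")
    for name in attachment_names(msg):
        if name.lower().endswith(DROPPER_EXTENSIONS):
            findings.append(f"attachment:{name}")
    return findings


# Constructed sample messages (not real campaign samples).
SAMPLE_VOICEMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net
From: "Voicemail Service" <voicemail@example.com>
To: user@example.com
Subject: New voice message (555) 010-2233 in mailbox 555-010-9999 from 555-010-4444
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

You have a new voice message.
--XX
Content-Type: application/zip; name="voicemail_2233.zip"
Content-Disposition: attachment; filename="voicemail_2233.zip"

UEsDBAoAAAAAAA==
--XX--
"""

SAMPLE_INVOICE = """\
Return-Path: <orders@example.org>
From: "Orders" <orders@example.org>
To: user@example.com
Subject: Invoice for your order
Content-Type: multipart/mixed; boundary="YY"

--YY
Content-Type: text/plain

Please see the attached invoice.
--YY
Content-Type: application/octet-stream; name="invoice.js"
Content-Disposition: attachment; filename="invoice.js"

var a=1;
--YY--
"""

SAMPLE_BENIGN = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com
From: Alice <alice@example.com>
To: user@example.com
Subject: Lunch on Friday?
Content-Type: text/plain

Are you free?
"""

if __name__ == "__main__":
    for label, raw in [("voicemail", SAMPLE_VOICEMAIL), ("invoice", SAMPLE_INVOICE), ("benign", SAMPLE_BENIGN)]:
        print(label, triage(raw))
```

The checks are deliberately layered: a lure-like subject alone is a weak signal (legitimate invoices exist), but a lure subject together with a From/Return-Path mismatch, an SPF failure and a script or archive attachment is the combination this campaign presents, and it is cheap to evaluate at the gateway before any payload is fetched.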
So far the experts have found more than 6,000 different versions of the malicious script, which suggests that the attackers randomize part of the attack code to evade detection.
“There have been approximately 6,000 fingerprints, which tells us that these attacks are being automatically generated using a template that randomizes parts of the files. The names of payload files and the domains used for downloading secondary payloads have been changing in order to stay ahead of anti-virus engines,” the blog post continues.
Since the campaign began, both the payload file names delivered by the emails and the domains hosting the second-stage malware that infects the victim’s computer have changed a number of times.
According to the experts, the attack code checks the language files on the victim’s computer, suggesting that the attackers are prepared to target users worldwide. Given the targets, the motive appears to be financial.