Western Union Spam Emails Drop Teslacrypt Ransomware

A malicious message posing as a “Western Unioun” email has been hitting PC users lately. The fake email claims that you have received a remittance and that the details are in the attached file. As soon as you open the attachment, however, your computer is infected with TeslaCrypt ransomware.

Most often, a computer gets infected with TeslaCrypt through the attached zip archive, which contains a .js file that downloads the malware. The spam email usually relies on its subject line to trick PC users into opening it.

Subject: Money Transfer Notice

Important Information!

You have received a remittance, more information about the money transfer is in the
attached file.

Money Order can be cashed at any branch or bank in Your city .

We are looking forward to hearing from You
western unioun

Money Transfer Notification WU000076846526

WU2081747795.zip (2)


The WU2081747795.zip attachment contains files such as:

  • invoice_copy_dIbeMV.js;
  • invoice_copy_RXInxh.js;
  • invoice_copy_tUCNze.js;
  • invoice_gZKU5h.js.
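A mail gateway can refuse this lure before any user sees it: a zip whose members are Windows Script Host files is never a legitimate invoice. The following is an added example (not code from the original post) that builds a constructed in-memory zip carrying the four file names listed above and inspects it for directly executable members and for the `invoice_copy_<token>.js` naming seen in this campaign. The extension list and the name pattern are assumptions drawn from the file names above, not a published signature.

```python
import io
import re
import zipfile

# Extensions that Windows Script Host or the shell runs directly when double-clicked.
# Assumed list for this example; none of these belong in an invoice attachment.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".cmd", ".bat", ".exe", ".scr"}

# Naming seen in the Western Union lure: "invoice_" or "invoice_copy_", a short random
# token, then a script extension. Assumed pattern generalised from the four names above.
CAMPAIGN_NAME_RE = re.compile(
    r"^invoice(_copy)?_[A-Za-z0-9]{5,8}\.(js|jse|wsf)$", re.IGNORECASE)


def build_sample_zip(names):
    """Construct an in-memory zip with the given member names.

    The bodies are placeholders; this is a constructed sample, not the real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "// placeholder body, not the real downloader\n")
    return buf.getvalue()


def inspect_zip_attachment(data):
    """Return (member_name, reason) findings for a zip attachment given as bytes.

    'script_extension' flags any member the OS would execute directly;
    'campaign_pattern' flags names matching this campaign's invoice_* convention."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]          # strip any folder prefix
            ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
            if ext in SCRIPT_EXTENSIONS:
                findings.append((info.filename, "script_extension"))
            if CAMPAIGN_NAME_RE.match(base):
                findings.append((info.filename, "campaign_pattern"))
    return findings


def verdict(data):
    """Map findings to a gateway action: block on a campaign match, quarantine on any
    executable member, otherwise allow."""
    findings = inspect_zip_attachment(data)
    reasons = {reason for _, reason in findings}
    if "campaign_pattern" in reasons:
        return "block"
    if "script_extension" in reasons:
        return "quarantine"
    return "allow"


# The four member names quoted in the post, packed into a constructed sample archive.
LURE_MEMBERS = ["invoice_copy_dIbeMV.js", "invoice_copy_RXInxh.js",
                "invoice_copy_tUCNze.js", "invoice_gZKU5h.js"]

if __name__ == "__main__":
    sample = build_sample_zip(LURE_MEMBERS)
    for member, reason in inspect_zip_attachment(sample):
        print(f"{member}: {reason}")
    print("verdict:", verdict(sample))
```

The extension check alone is enough to stop this family of lures; the campaign pattern is only there to give analysts a higher-confidence label and should not be relied on once the actors rotate file names.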

This JavaScript file is written to be executed by the Windows Script Host and is sometimes called Windows JScript; it does not run in the context of a web browser. There are many versions of this file, which download malware from locations such as:

  • http://pigglywigglyqq.com/34.exe
  • http://wtfisgoinghereff.com/34.exe
  • ttp://skuawillbil.com/93.exe
  • http://skuawillbeh.com/26.exe
  • http://piglyeleutqq.com/80.exe
  • http://piglyeleutqq.com/26.exe
  • http://skuawill.com/93.exe
  • http://skuawillbeh.com/80.exe

The downloaded executable then attempts to connect to the following remote locations:

  • http://prets-immobiliers.org/dbconnect.php
  • http://wefindco.com/components/com_users/views/remind/tmpl/dbconnect.php
  • http://tactiva.org/installation1/view/database/dbconnect.php
  • http://westhollywooddentaloffice.com/mssys.php
  • http://surusegitimmerkezi.com/administrator/components/com_akeeba/akeeba/engines/proc/mzsystem.php

After encryption, the .micro extension is appended to the file names. The victim is then given these Tor and Tor2Web gateways for decryption:

  • http://i4sdmjn4fsdsdqfhu12l.orbyscabz.com/
  • http://pot98bza3sgfjr35t.fausttime.com/
  • http://h5534bvnrnkj345.maniupulp.com/
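The three URL lists above (stage-one download hosts, check-in URLs on what look like compromised legitimate sites, and Tor2Web payment gateways) map directly onto the stages of an infection, so a proxy log can show not only that a host touched an indicator but how far the infection got. The following is an added example (not code from the original post) that loads those indicators, parses a few constructed proxy log lines, and reports which clients hit more than one stage. The log format and the sample lines are assumptions; the indicators are the ones quoted above. Note the deliberate design choice that the check-in URLs are matched on host plus path rather than host alone, because those domains appear to be ordinary hacked web sites whose other pages are harmless.

```python
import re
from urllib.parse import urlsplit

# Stage 1: hosts serving the downloader's .exe payloads (from the post; the one entry
# quoted as "ttp://skuawillbil.com" is taken as that host).
STAGE1_HOSTS = {"pigglywigglyqq.com", "wtfisgoinghereff.com", "skuawillbil.com",
                "skuawillbeh.com", "piglyeleutqq.com", "skuawill.com"}

# Stage 2: check-in scripts on compromised sites. Matched as (host, path), since the
# sites themselves host ordinary content.
C2_PATHS = {
    ("prets-immobiliers.org", "/dbconnect.php"),
    ("wefindco.com", "/components/com_users/views/remind/tmpl/dbconnect.php"),
    ("tactiva.org", "/installation1/view/database/dbconnect.php"),
    ("westhollywooddentaloffice.com", "/mssys.php"),
    ("surusegitimmerkezi.com",
     "/administrator/components/com_akeeba/akeeba/engines/proc/mzsystem.php"),
}

# Stage 3: Tor2Web gateway domains; the leading label is a per-victim onion name,
# so match on the parent domain.
TOR2WEB_PARENTS = {"orbyscabz.com", "fausttime.com", "maniupulp.com"}

# Assumed proxy log layout: timestamp client method url status
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                    r"(?P<url>\S+) (?P<status>\d{3})$")


def classify_url(url):
    """Return the infection stage a URL belongs to, or None if it matches nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in STAGE1_HOSTS:
        return "stage1_download" if parts.path.lower().endswith(".exe") else "stage1_host"
    if (host, parts.path) in C2_PATHS:
        return "c2_checkin"
    labels = host.split(".")
    for i in range(len(labels) - 1):                 # walk up the parent domains
        if ".".join(labels[i:]) in TOR2WEB_PARENTS:
            return "tor2web_payment"
    return None


def scan_proxy_log(lines):
    """Parse log lines and return (client, stage, url) for every indicator hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        stage = classify_url(m["url"])
        if stage:
            hits.append((m["client"], stage, m["url"]))
    return hits


def infected_clients(hits):
    """Clients seen at two or more distinct stages are treated as infected rather than
    merely having clicked a link that was blocked."""
    stages_by_client = {}
    for client, stage, _ in hits:
        stages_by_client.setdefault(client, set()).add(stage)
    return {c for c, stages in stages_by_client.items() if len(stages) >= 2}


# Constructed sample log: one client walks through download, check-in and payment page;
# another only browses a benign site.
SAMPLE_LOG = [
    "2016-02-02T10:01:12Z 10.0.0.21 GET http://pigglywigglyqq.com/34.exe 200",
    "2016-02-02T10:01:20Z 10.0.0.21 POST http://prets-immobiliers.org/dbconnect.php 200",
    "2016-02-02T10:02:05Z 10.0.0.33 GET http://www.example.com/index.html 200",
    "2016-02-02T10:30:44Z 10.0.0.21 GET http://i4sdmjn4fsdsdqfhu12l.orbyscabz.com/ 200",
]

if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG)
    for client, stage, url in hits:
        print(f"{client} {stage} {url}")
    print("infected:", sorted(infected_clients(hits)))
```

A client that only reached a stage-one host with a non-200 status (the download was blocked) is worth a ticket but not an isolation; one that also checked in or browsed the payment gateway almost certainly already has .micro files.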

Despite the provocative content, computer users should be aware that these emails are NOT from Western Union, nor from any “Western Unioun”, and the attachments should NOT be opened. Otherwise, your files will be encrypted and you will either lose all the data stored on your PC or have to pay the ransom to decrypt it.
