A new phishing campaign distributing malware pretends to be from the Spamhaus Project warning that the recipient’s email address has been added to a spam block list due to sending unsolicited email. Spamhaus Project is an organization that creates spam block lists that mail servers can utilize to block known spammers from sending emails to recipients in their organization. Due to this, using Spamhaus as the theme of phishing scam could alarm email administrators enough to cause them to hastily open the link in the email and thus become infected. These email states that the recipient must “Urgently Take Action” because their email address has been added to the Spamhaus Block List (SBL) and will be blacklisted on mail servers unless they follow the instructions found at a listed URL.
In the email will be a Google Drive link and a password for a file that is allegedly the instructions needed to remove the email address from the Spamhaus Block List.
Clicking on this link will download a password protected file named SPAMHAUS_SBL_i9k#888771.zip that contains an obfuscated Visual Basic Script (VBS) file SPAMHAUS_SBL_i9k.vbs.
When executing the VBS file, it will create a randomly named text file in the %Temp% folder, which are reported to be Ursnif malware executables, which is then launched by the script.
Ursnif is a data-stealing Trojan that records what a victim types on a computer, what sites they browse to, what is copied into the Windows clipboard, and what programs they run. This information is then saved in log files and sent back to the attacker’s web site.