(Image from Pixabay)
Security company Trend Micro recently discovered a spam campaign that impersonates bank correspondence. The malware downloader is disguised as a .WIZ (Microsoft Word Wizard) file, posing as the billing statements financial institutions send to customers.
In its write-up, Trend Micro says it detects the .WIZ downloader as W2KM_DLOADER.WIZ and a companion .PDF file as PDF_MDROP.E. Both drop a backdoor payload.
The backdoor can execute commands including “PowerShell and file system commands, code injection, uploading and downloading files, and using and purging Kerberos tickets, among others.” It can also collect information from the victim’s computer, such as “computer name, IP address, OS system, and username, and malware process ID.”
Wizard files are a legitimate format for automating “intricate or repetitive documents or tasks in Microsoft programs”, which is why a macro-bearing .WIZ attachment does not look out of place once the user opens it.
The threat actors attach a fake invoice with a .WIZ extension, mimicking how banks send statements and bills. An unsuspecting user who opens the attachment to view the monthly statement unknowingly pulls the payload down onto the machine and the network behind it.
For the .PDF variant, the criminals send bogus flight booking information. When users open the malicious file, “the JavaScript inside opens an embedded .PUB file. The .PUB file hosts malicious macros that will then download a portable executable file from a malicious website.”
On further analysis, Trend Micro’s researchers found that the .WIZ attachment and the embedded .PUB file carry the same malicious macro.
The researchers also link this malspam to Marap, a downloader with “modular features that allow cybercriminals to download other modules and payloads on affected machines.” The two campaigns share an identical X-Originating-IP header, but where the older Marap spam used .IQY (Excel Web Query) attachments, the latest one uses .WIZ and .PDF.
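A mail-gateway triage check for the lures described above, written as an added example for this article (it is not Trend Micro's code and not something the report publishes). It flags the attachment types the campaign abuses (.WIZ, .PUB, .IQY), looks inside PDF attachments for the name objects a JavaScript-launched embedded file needs (/JavaScript, /JS, /EmbeddedFile, /OpenAction; a generic PDF heuristic, not a campaign indicator from the article), and groups flagged messages by X-Originating-IP, the header the researchers used to tie the .WIZ/.PDF wave to the earlier .IQY one. The sample messages, the PDF bytes and the IP address are constructed for the example.

```python
"""Attachment triage for bank-statement and booking lures (added example, constructed samples)."""
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment extensions the campaign write-up names: Word Wizard, Publisher, Excel Web Query.
RISKY_EXTENSIONS = {".wiz", ".pub", ".iqy"}

# PDF name objects needed for "JavaScript opens an embedded file" behaviour (generic heuristic).
PDF_MARKERS = (b"/JavaScript", b"/JS", b"/EmbeddedFile", b"/OpenAction")

# Constructed PDF skeleton: an OpenAction that runs JavaScript and an embedded file stream.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS (this.exportDataObject({cName:'f'})) >> >> endobj\n"
    b"2 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"%%EOF\n"
)


def attachment_findings(raw_message: bytes) -> dict:
    """Parse one RFC 822 message and report risky attachments and the originating IP."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    origin = msg.get("X-Originating-IP")
    findings = {
        "x_originating_ip": str(origin) if origin is not None else None,
        "risky_attachments": [],
        "suspicious_pdfs": [],
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]
        payload = part.get_payload(decode=True) or b""
        if ext in RISKY_EXTENSIONS:
            findings["risky_attachments"].append(name)
        # Check content, not just the name: a renamed PDF still starts with %PDF.
        if ext == ".pdf" or payload.startswith(b"%PDF"):
            hits = [m.decode() for m in PDF_MARKERS if m in payload]
            if hits:
                findings["suspicious_pdfs"].append((name, hits))
    return findings


def correlate_by_origin(messages: list) -> dict:
    """Group flagged messages by X-Originating-IP to spot one campaign behind several lures."""
    by_ip = {}
    for raw in messages:
        f = attachment_findings(raw)
        if f["risky_attachments"] or f["suspicious_pdfs"]:
            by_ip.setdefault(f["x_originating_ip"], []).append(f)
    return by_ip


def build_sample(filename: str, content: bytes, originating_ip: str) -> bytes:
    """Construct a test message (constructed data, not a real campaign sample)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Your monthly statement"
    msg["X-Originating-IP"] = originating_ip
    msg.set_content("Please find your statement attached.")
    subtype = "pdf" if filename.lower().endswith(".pdf") else "octet-stream"
    msg.add_attachment(content, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    wave = [
        build_sample("Statement_0818.WIZ", b"constructed wizard-file bytes", "192.0.2.10"),
        build_sample("booking.pdf", SAMPLE_PDF, "192.0.2.10"),
        build_sample("invoice.iqy", b"WEB\n1\nhttp://example.invalid/q\n", "192.0.2.10"),
        build_sample("newsletter.txt", b"nothing to see here", "198.51.100.7"),
    ]
    for ip, hits in correlate_by_origin(wave).items():
        print(ip, len(hits), "flagged message(s)")
```

The PDF check only matches literal name objects; a real sample can hide /JavaScript behind hex escapes (such as /J#53) or inside a compressed object stream, so treat a hit as a reason to detonate the file, not as a clean bill of health when it is absent. Blocking .WIZ, .PUB and .IQY at the gateway outright is the simpler control if your users never legitimately receive them.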
Trend Micro reports that users hit by this spam campaign reside in India, Italy, and Taiwan.