Beware of Fake Invoices

Over the last two weeks, we have seen an increase in fake e-mails pretending to contain invoices for various companies including UPS, Fedex and airlines from around the globe.  Subjects of such e-mails include “Fedex tracking number 1234567890” or “E-ticket #1234567890”.  The body of the e-mail states that the recipient’s credit card has been charged for hundreds of dollars and that an invoice for their purchase is attached to the message.  The attached file has an Excel or Word icon but, in reality, it is an executable file.  We remind our readers not to judge the nature of a file by its icon but by its extension.  It is trivial for a programmer to change the icon of their program, thus tricking users into thinking that a program is harmless.  We have also seen variants of this attack that had zip-compressed e-mail attachments.
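The check the paragraph recommends, written out as an added example (not code from the original article or from ESET): an attachment is classified by its real content (an MZ/PE header, or a zip that is opened and inspected member by member) and by its extension, never by the icon it shows. The `_fake_pe` stub and the sample attachment names are constructed for the demonstration; the stub is just a header layout, not a program.

```python
import io
import struct
import zipfile

# Extensions Windows will run directly when double-clicked (assumed list for the example).
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def risky_attachment(name: str, data: bytes) -> list[str]:
    """Return the reasons an attachment should be quarantined; an empty list means none found."""
    reasons = []
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension {ext}")
    if is_pe(data):
        reasons.append("content is a Windows PE executable")
    if data[:4] == b"PK\x03\x04":                  # zip container: apply the same checks inside
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                for r in risky_attachment(member.filename, zf.read(member)):
                    reasons.append(f"{member.filename}: {r}")
    return reasons

def _fake_pe() -> bytes:
    """Constructed stand-in for an executable: MZ header, e_lfanew = 0x40, PE signature at 0x40."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20

def _zip_with(name: str, data: bytes) -> bytes:
    """Constructed zip attachment holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    samples = {                                     # constructed inputs mirroring the two variants
        "Fedex_invoice_1234567890.exe": _fake_pe(),
        "E-ticket_1234567890.zip": _zip_with("invoice.exe", _fake_pe()),
        "invoice.xls": b"\xd0\xcf\x11\xe0" + b"\x00" * 60,   # legacy OLE document header
    }
    for name, blob in samples.items():
        print(name, "->", risky_attachment(name, blob) or "no indicators")
```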

If the attached file is executed, it copies itself to the system32 folder under the name “ntos.exe”.  It then injects code into active processes including winlogon.  The injected code is responsible for communicating with a command and control server that gives orders as to what action should be taken next.  The command and control server uses the HTTP protocol and the commands are sent in an encoded file currently called rev.bin.  The command and control server is located in the United Kingdom at present.  ESET Antivirus detects this threat as Win32/Spy.Agent.NES; other vendors call it Zbot.

At the time of analysis, Agent.NES was instructed to download an additional component from the Internet.  This additional component is a fake antivirus, another threat that is very popular these days.  The fake antivirus program displays warning messages like the one in the following screenshot.  If the user clicks on the button to activate the product, he is asked to pay a certain amount of money.  This is where the malware authors make their money.

ESET Antivirus detects this family of fake security products as Win32/TrojanDownloader.FakeAlert.DR.  This whole operation proves, one more time, that fear sells.  The first stage of the attack involves the fear that the victim might have been charged for something they didn’t want, and the second uses the fear that a computer might be at risk.

Pierre-Marc Bureau

Author Pierre-Marc Bureau, ESET

  • Wirtz


    NOD32 doesn’t find “Antivirus 2009” Malware :-(

    My NOD32 is always up-to-date.


  • Actually, it does. But it doesn’t catch every instance of this, or other fake anti-malware packages. The creeps who market this stuff make sure of that by tweaking their packages until they’re not detected by the top scanners, just as they do with other forms of malware. We keep updating both our signatures and our heuristics to keep up, but this is, as they say, a war of attrition.

  • Sadly, the vendors of this malware are very quick to change the name of the malware and the methods of delivery, as well as having many more servers ready to use once they have realised that they are appearing on ‘block’ lists etc. So many users get trapped in this vicious circle when they get the warnings on their machines, but they are already infected by that time; although removal in most cases can be pretty straightforward, in others it requires a little more work and is not for the novice user to attempt.

    It is a ‘war of attrition’ and keeping up with them is not an easy task. Users need to be educated to use safer surfing methods and have good preventive programs installed, even so, many will still get ensnared with this cr*p.


    Hi my dear Support
    I want to know if you can send me my invoice by e-mail or if the invoice will be sent by Fedex to my address.
    Carlos I Ortiz E

    • Randy Abrams

      I assume this is a joke. we don’t do support on the blog :)


Copyright © 2017 ESET, All Rights Reserved.