An unconventional email spam campaign has been delivering unusual cryptocurrency-stealing malware to American and Japanese users. The emails are sporting “Re: passport..” in the subject line and are trying to trick targets into opening an attached file, which supposedly contains a scanned copy of a passport the recipient has possibly left in the senders’ office.
Opening the file will not show the scanned image, but potential victims will be asked to open another file embedded in the first one. If they chose to open the file, it will attempt to exploit an old DirectX vulnerability (Microsoft DirectX is a collection of APIs for handling tasks related to multimedia on Microsoft platforms). If it succeeds, it will load an HTA script, which will run a PowerShell script to download the ComboJack malware.
Read more about the malware, which has been named ComboJack by the researchers because it aims to steal funds in a variety of cryptocurrencies, on Help Net Security.