They discover a new Trojan that is reaching several Spanish users in the form of an email that is disguised under a template of what it claims to be an “Endesa electronic invoice”.
In recent years, we have seen a tremendous boom in banking Trojan campaigns that arrive in multiple forms and formats, although the most recurrent is from email. During its analysis of Spanish users, ESET has discovered a Trojan belonging to the Grandoreiro family, one of the most active in the last two years.
The trick of this attack is that it pretends to be one of the most important electrical companies in our country, Endesawith one of the aspects that is generating the most commotion, as it is The invoice of light. Despite the fact that the template itself is not very elaborate, the “Endesa electronic invoice” issue is the hook that makes people fall for the scam.
As always when we doubt the legitimacy of an email, we have to look for some kind of error. In the case of this campaign, we can observe that the message identifier does not match the Endesa domainrevealing that it is a malicious email.
Regarding the infectious file, the email is attached with a MSI-file which is supposedly the invoice itself. Opening it causes the initial infection and cybercriminals are automatically warned that the first phase, that is, the infection, has already started.
When downloading the file it seems that it is a ZIP extension, however, this file contains the payload of the banking Trojan. The company has reported a rise in this particular attack among many Spanish users, so it is important to be vigilant and take a good look at who is not sending the mail.
If you are not an Endesa customer, don’t even think about opening or downloading what is supposed to be an invoice, whereas, if you are, do the pertinent checks, compare with other emails that have been sent to you before, and if you are still in doubt, don’t click on it, because if it really is a bill that you have to pay, you can be sure that they will contact you again.