Several companies recently received an email that appears to come from the Microsoft Volume Licensing Service Center (VLSC) and tries to spread malware using a sly JavaScript trick. VLSC is used to manage Microsoft licenses, and the emails sent by the cybercriminals closely resemble the emails Microsoft normally sends about VLSC, including a personalized salutation.

According to the email, recipients can register through a link. The link actually points to a hacked WordPress server, which in turn shows the real VLSC website from Microsoft, where users can log in. At the same time, a ZIP file that comes from the hacked WordPress server is offered for download.

The file is offered in such a way that it appears to be coming from the Microsoft website, although the download location reveals it’s actually coming from the hacked WordPress server.

The offered ZIP file contains a .scr file, which is actually a Trojan. This “Chanitor Trojan” then connects to the Tor network. According to Cisco, the malware is detected by 9 of the 57 virus scanners on VirusTotal.
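The two giveaways described above, a download served from a different host than the trusted page and a ZIP that contains a .scr file, can be checked automatically. The following is an added example, not code from the article or from Cisco; the function names, the trusted-domain list, and the sample URLs and archive are assumptions constructed for illustration.

```python
import io
import zipfile
from urllib.parse import urlsplit

# Extensions Windows runs on double-click; .scr (screensaver) is a normal executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".js", ".vbs", ".bat", ".cmd"}
# Assumption: domains a genuine VLSC page or download would be served from.
TRUSTED_SUFFIXES = ("microsoft.com",)


def host_is_trusted(url, suffixes=TRUSTED_SUFFIXES):
    """True only if the URL's host is a trusted domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def executable_members(zip_bytes):
    """Names of archive members whose final extension is directly executable."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if not info.is_dir() and ext in EXECUTABLE_EXTS:
                hits.append(name)
    return hits


def triage_download(page_url, download_url, zip_bytes):
    """Findings for one download event taken from proxy or browser telemetry."""
    findings = []
    if host_is_trusted(page_url) and not host_is_trusted(download_url):
        findings.append("download host differs from trusted page host")
    for name in executable_members(zip_bytes):
        findings.append("executable in archive: " + name)
    return findings


def build_sample_zip():
    """Constructed sample: a ZIP holding harmless bytes under a .scr name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Volume_Licensing_Agreement.scr", b"not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_download("https://www.microsoft.com/licensing/",
                          "https://blog.example/wp-content/doc.zip",
                          build_sample_zip()))
```

The suffix check matches on a dot boundary, so a lookalike host such as `microsoft.com.blog.example` is not treated as trusted.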
