Yet another Trojan delivery system is out and about, this one pretending to be from DocuSign. The senders cleverly customize each message with an email address that could plausibly exist on your system.
Ours came addressed to administrator@ our domain name, and it even had our email address worked into the body of the message. The big tip-off for us was the fact that this email address does NOT exist on our web site, in addition to the fact that ANYTIME we see an attached ZIP file, we immediately suspect it of being spam.
The text content of our email said:
"If you have questions regarding this notification or any enclosed documents requiring your signature, please contact the sender directly. For technical assistance with the signing process, you can email support.
This message was sent to you by firstname.lastname@example.org who is using the DocuSign Electronic Signature Service. If you would rather not receive email from this sender you may contact the sender with your request."
DocuSign Spam contains Malware
Attached to the email was a zip file named “To ALL Employees.zip,” and it shouldn’t be a surprise to anyone that inside the archive is a payload identified as Trojan.Generic.KD.834485.
Once it has infected a machine, Trojan.Generic.KD.834485 gets to work: it steals login credentials stored in email clients and web browsers, attempts to log into other network machines by guessing weak passwords over Remote Desktop Protocol (RDP), possibly downloads and installs additional malware (such as the infamous ZeuS/Zbot), and collects account information related to server names, port numbers, login IDs, FTP clients, and cloud storage programs.
DocuSign is aware of this email threat and has posted a warning on their website advising users that legitimate emails do not contain zip or executable files as attachments, and to hover over links to check for the docusign.com or docusign.net domains before following them.
Please remember to be particularly cautious if you receive an invitation to sign or view an envelope you are not expecting. If you have received a copy of the malware spam email, DO NOT CLICK ANY LINKS or OPEN ANY ATTACHMENTS. Instead, forward the email to email@example.com and then immediately delete the email from your system.
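The two checks from DocuSign's warning (no zip or executable attachments, links only on docusign.com or docusign.net) can be automated at a mail gateway or in a triage script. The Python sketch below is an added example, not code from DocuSign or from this article; the extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from urllib.parse import urlparse

TRUSTED = ("docusign.com", "docusign.net")   # domains named in DocuSign's warning
RISKY_EXT = (".zip", ".exe", ".scr", ".js")  # assumption: "zip or executable" as extensions

def host_trusted(host):
    """True only for a trusted domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def triage(raw):
    """Return (kind, value) findings for a raw RFC 5322 message string."""
    findings = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name:
            if name.lower().endswith(RISKY_EXT):
                findings.append(("attachment", name))
            continue
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            if not host_trusted(urlparse(url).hostname):
                findings.append(("link", url))
    return findings

def sample():
    """Constructed message: one genuine-looking link, one lookalike, one zip."""
    m = EmailMessage()
    m["From"] = "DocuSign Service <sender@mail.example>"
    m["To"] = "administrator@recipient.example"
    m["Subject"] = "Please sign"
    m.set_content("View: https://www.docusign.net/member/x\n"
                  "or http://docusign.com.signing.example/login\n")
    m.add_attachment(b"PK\x03\x04", maintype="application",
                     subtype="zip", filename="To ALL Employees.zip")
    return m.as_string()

if __name__ == "__main__":
    for finding in triage(sample()):
        print(finding)
```

The host check compares the whole hostname or a dot-separated suffix, so a name that merely begins with or contains "docusign.com" is still flagged.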