The malicious emails contain zip file attachments. In this case the zip file is named "Transaction info E579657586.zip", which contain the .chm files. A sample email containing Cryptor
The .chm files are essentially compiled html files, or web pages, which form part of the help systems for Microsoft and others.
The Visual Basic script downloads an 'executable' from a remote web server and runs it locally.
An example of an opened .chm file running on a Microsoft Windows system
The remote executable (tv.exe) is the final payload, and has been identified as the Cryptor virus, as initially identified by AVG.
This is not the same as the Cryptolocker virus and the effects of downloading Cryptor through scam email and infected websites is not the same. The Cryptor designated malware causes havoc on the infected system by secretly installing malware and possibly interrupting normal use of the infected PC by interfering with system processes. It is also used to control the victim's machine and can act as a gateway to installing new malware.
Cryptor is particularly dangerous because it constantly mutates and updates, stealing data and compromising business security.
MailGuard chief executive, Craig McDonald, said the discovery was a timely reminder to business that user education is important to protect the corporate networks from the effects of installing malware such as Cryptor.
"Zero day attacks are successful because there is a window of time before desktop AV vendors update software to detect these scams," McDonald said. "Unless businesses take on a multi-layered approach to network security, including cloud and endpoint security, they are increasing the risk of becoming a target of cybercrime".