Fake Facebook Account Suspended emails lead to Trojans, ransomware

Fake Facebook account suspension emails are doing rounds of inboxes around the world, trying to convince the recipients that their account has been temporarily disabled due to the social network’s “Terms and Policies renewal”:

Seemingly coming from a Facebook email address and signed with “The Facebook Team,” the email is likely to trick some of the recipients into following the offered link to the TermsPolicies.pdf.exe file hosted on what seems to be a compromised third party site (assetdigitalmarketing [dot] com).

The file is currently detected by nearly half of the AV solutions used by VirusTotal and seems to be a generic Trojan downloader.

According to My Online Security, a new version of the same email delivered today points to another TermsPolicies.pdf.exe hosted on http://ladiezspot[.]com/, which according to VirusTotal is a crypto-ransomware variant.

Malwarebytes detects it as Trojan.ZBAgent.NS – the signature they use for CTB Locker/Critroni ransomware.

Judging by the compromised domain serving the malware in the first email, the spam emails that have today been flagged pushing fake Google Chrome updates are the work of the same cyber crooks.