Hei Man: Scandinavian spam attack spreads Trojan horse

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Sophos is intercepting a malicious spam attack, which attempts to infect recipient’s computers with a Trojan horse by pretending to contain images of the Scandinavian sender.

Here is what a typical malicious email looks like:

Hei Man malicious email

Subject: Hei Man,
From: "Facebook"<[email protected]>
Attached file: Image123.zip

Sign up to our free newsletter.
Security news, advice, and tips.

Message body:
Hei Man,

Jeg vet ikke hvordan jeg skal si det, men jeg har prшvde fшr en lang tid til е sende deg noen bilder, men jeg har tenkt at du ikke er interessert i е se meg.
Men nе skal jeg sende deg bilder i vedlegg.
Last ned bilder og trekke ut de, er jeg sikker pе at du vil like de. Passordet er: 123456

Ha en flott dag.

The message, which appears to be written in Norwegian, roughly translates to:

Hey Man,

I do not know how to say it, but I have tried for a long time to send you some pictures, but I've been thinking that you are not interested in seeing me.
But now I'll send you pictures in the attachment.
Download the images and extract them, I'm sure that you will like them. The password is: 123456

Have a great day.

The attached file, named Image123.zip, is encrypted – presumably in an attempt to avoid detection by weaker anti-virus products – but the email message contains the password to unlock the ZIP and reveal the malware to you.

Of course, an attack like this is only likely to trick users who speak Norwegian (or its close linguistic neighbour Danish), but you can imagine how a message claiming to come from a Facebook or Hi5 friend might trick some people into checking out what hides behind the ZIP without thinking.

Sophos detects the Trojan horse proactively as Mal/Behav-043 and is adding detection of the ZIP file as Troj/BredoZp-BU.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.