Nigerian scammers trying new malware attacks
Posted by: Timothy Weaver on 07/22/2014 03:55 PM
Nigerian scammers are at it again. This time, however, they are using infected email attachments to spread their malware.
One example is a remote administration tool (RAT) called NetWire, which allows attackers to remotely take over Windows, Mac OS X, and Linux machines. Another tool, DataScrambler, was used to repackage NetWire to evade detection by antivirus programs. DarkComet RAT has also been used in these attacks.
The scammers, once known for their social networking scams, are not as familiar with these types of malware. Even though the command-and-control infrastructure was designed to use dynamic DNS domains (from NoIP.com) and a VPN service (from NVPN.net), some of the attackers configured the DNS domains to point to their own IP addresses.
The attackers are not exploiting any software vulnerabilities and are still relying on social engineering (which they are very good at) to trick victims into installing malware. They appear to be stealing passwords and other data to launch follow-up social engineering attacks.
As always, to stay protected, users should block all executable attachments in email and inspect .zip and .rar archives for potentially malicious files.
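The attachment check recommended above can be automated at a mail gateway. The following is an added example, not code from the article or any vendor: the extension blocklist is an assumed policy, and the sample message is constructed inline.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed blocklist of extensions that run code when opened; extend per local policy.
BLOCKED_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}

def is_blocked(name):
    """True if the final extension is blocklisted (catches names like invoice.pdf.exe)."""
    name = name.lower().rstrip(". ")  # Windows ignores trailing dots and spaces
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED_EXT

def scan_message(raw):
    """Return (attachment name, reason) findings for one raw email message."""
    findings = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue
        lower = name.lower()
        if is_blocked(name):
            findings.append((name, "executable attachment"))
        elif lower.endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if is_blocked(member):
                            findings.append((name, "executable inside archive: " + member))
            except zipfile.BadZipFile:
                findings.append((name, "unreadable zip"))
        elif lower.endswith(".rar"):
            # The standard library cannot read RAR; hold these for manual inspection.
            findings.append((name, "rar archive, inspect manually"))
    return findings

def build_sample():
    """Constructed message: a zip holding a double-extension .exe and a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Quotation.pdf.exe", b"MZ constructed placeholder")
        zf.writestr("readme.txt", b"hello")
    msg = EmailMessage()
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Quotation.zip")
    return msg.as_bytes()

print(scan_message(build_sample()))
```

Matching on file names alone is a first-pass filter; it does not detect executables that have been renamed to a harmless-looking extension.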