Fake emails from TNT with invoices contain new trojan in ZIP archive


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “TNT Express factuur 537999923; Klantnummer 569666349” (the numbers in the subject and the attachment name can change). Judging by the Dutch language and the domain TLDs, the campaign targets users in the Netherlands and Belgium.

The email is sent from the spoofed address “eInvoicing <NL.e-invoicing@tntexpress.nl>” and has the following body:

Geachte heer, mevrouw,

Er zijn nieuwe facturen en/of creditnota’s van TNT Express Nederland beschikbaar. In de bijlage vindt U uw originele factuur.

U kunt kopieën van deze documenten en hun csv-bestanden bekijken en downloaden via onderstaande link.

http://express.tnt.com/einvoicing

Met vriendelijke groet,
Billing Department, The Netherlands
Finance & Administration, TNT Express Benelux
Email: nl.e-invoicing@tntexpress.nl

The attached ZIP file has the name TNT-NL-973919134-713692777-factuur.zip and contains the 35 kB file TNT-NL-874490372-765987046-factuur.PDF.exe.
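
A mail-gateway style check for the attachment pattern described above, as an added example that is not MX Lab's own code: it lists the members of a ZIP attachment and flags any whose final extension is executable, noting when a document extension such as .PDF precedes it. The extension lists, function names and the benign sample file name are assumptions made for this example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed extension lists for this example; adjust to local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def flag_zip_members(zip_bytes):
    """Return (member_name, reason) for every suspicious file in a ZIP attachment."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "unreadable ZIP")]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Normalise separators and drop trailing dots/spaces, which Windows ignores.
            name = info.filename.replace("\\", "/").rstrip(". ")
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
                continue
            if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
                findings.append((info.filename, "double extension hides executable"))
            else:
                findings.append((info.filename, "executable inside archive"))
    return findings


def build_sample_zip(names):
    """Build an in-memory ZIP with placeholder contents (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip([
        "TNT-NL-874490372-765987046-factuur.PDF.exe",  # member name from the post
        "factuur.pdf",                                  # constructed benign member
    ])
    for member, reason in flag_zip_members(sample):
        print(member, "->", reason)
```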

The trojan is known as Trojan.GenericKD.934424, Win32/TrojanDownloader.Wauchos.I, Trojan-Ransom.Win32.Blocker.babg or Trojan.Win32.Agent.AMN (A).

At the time of writing, 12 of the 46 AV engines detected the trojan on VirusTotal.

VirusTotal permalink and SHA256: d89523db16131ce7b64d68c04ce14bf617a26b5065b2f9700291a3552c1b9808.
