Email “photo image message” from Vodafone contains trojan


MX Lab, http://www.mxlab.eu, has started to intercept a new trojan distribution campaign by email with the subject “photo message image 7U5JOYUXYZ” – note that the letter and number combination varies.

The email is sent from the spoofed address “862584@mail.vodafone.com”, or a similar address with “vodafone” in the domain, and has an empty body.

The attached ZIP file is named photo.image.id_K2IU5QKMSK.zip and contains the 98 kB file photo.image.id_7LK096Y5TD.jpg.exe (again, the letter and number combination varies).

The trojan is known as Trojan/Win32.Inject, TR/Injector.hotj, Win32/TrojanDownloader.Wauchos.K, Trojan.Agent.BAAG, Win32.Heur.KVMF9.hy.(kcloud), Trojan-Ransom.Win32.Blocker.byxx or TSPY_ZBOT.LSJ.

At the time of writing, 17 of the 46 AV engines on VirusTotal detected the trojan.

VirusTotal permalink and SHA256: 08725bbbe998004f9c44da3bdbaa922e88e8e3a439a1b01dfaff43e906fdee2e.
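Turning the indicators above (subject pattern, spoofed vodafone sender, empty body, ZIP name and the double-extension .jpg.exe inside it, the quoted SHA256) into a mailbox-side check, as an added example that is not part of MX Lab's alert; the sample message and the zipped "executable" are constructed filler, and the hash set holds only the SHA256 quoted above.

```python
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# Indicators taken from the alert; the 10-character suffix varies per sample.
SUBJECT_RE = re.compile(r"^photo message image [A-Z0-9]{10}$")
ZIP_NAME_RE = re.compile(r"^photo\.image\.id_[A-Z0-9]{10}\.zip$")
INNER_NAME_RE = re.compile(r"^photo\.image\.id_[A-Z0-9]{10}\.jpg\.exe$")
KNOWN_SHA256 = {"08725bbbe998004f9c44da3bdbaa922e88e8e3a439a1b01dfaff43e906fdee2e"}


def score_message(msg):
    """Return the campaign indicators matched by one parsed email message."""
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject")
    if "vodafone" in msg.get("From", "").split("@")[-1].lower():
        hits.append("vodafone-sender")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("empty-body")
    for part in msg.iter_attachments():
        if ZIP_NAME_RE.match(part.get_filename() or ""):
            hits.append("zip-name")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                for info in zf.infolist():
                    # Double extension disguising an executable as an image file.
                    if INNER_NAME_RE.match(info.filename) or info.filename.lower().endswith(".jpg.exe"):
                        hits.append("double-extension-exe")
                    if hashlib.sha256(zf.read(info)).hexdigest() in KNOWN_SHA256:
                        hits.append("known-sha256")
        except zipfile.BadZipFile:
            pass  # not a ZIP archive; nothing further to inspect
    return hits


def build_sample(subject="photo message image 7U5JOYUXYZ", sender="862584@mail.vodafone.com", body="",
                 zip_name="photo.image.id_K2IU5QKMSK.zip", inner_name="photo.image.id_7LK096Y5TD.jpg.exe"):
    """Constructed test message mirroring the alert; the 'exe' is harmless filler bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes, not a real executable")
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg
```

Feed `score_message` the output of `email.message_from_bytes(raw, policy=email.policy.default)` to run it over real mailbox messages; the constructed sample never matches the hash indicator because its payload is filler.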