Attached payment slip in fake purchase order email downloads ZBot trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Purchase Order”

The email is send from the spoofed address “Guangzhou Jintao Ceramic Co. Ltd <jane008wang1@xd.ae>” and has the following body:

Hello,

Confirm the payment Slip which was made to the account written on the Invoice with the sum of 30,000 usd for 30%.

Guangzhou Jintao Ceramic Co.,Ltd,
Add: A Building, Jintao Industrial District, Rongshutang, Yongxing Village,
North Baiyun Road, Baiyun District, Guangzhou, China.
Tel: 0086-20-62153491
Fax: 0086-20-62153489
Jane Wang.

Email body screenshot:

The embedded URL leads to hxxp://ellavista.com/htm/Invoice.scr to download the 406 kB large malicious file.

The trojan is known as Trojan.GenericKDV.1271370, Trojan-Spy.Win32.Zbot.puuz, PWS:Win32/Zbot, Troj/Zbot-GHP or TR/Crypt.Xpack.22598.

At the time of writing, 16 of the 49 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: c38323dc5c3d048a64697b3087c50583c15a682ec29ec5aa61057cfe3679d651.