MX Lab, http://www.mxlab.eu, has started to intercept a new trojan distribution campaign by email with the subject “Purchase Order”.
The email is sent from the spoofed address “Guangzhou Jintao Ceramic Co. Ltd <firstname.lastname@example.org>” and has the following body:
Confirm the payment Slip which was made to the account written on the Invoice with the sum of 30,000 usd for 30%.
Guangzhou Jintao Ceramic Co.,Ltd,
Add: A Building, Jintao Industrial District, Rongshutang, Yongxing Village,
North Baiyun Road, Baiyun District, Guangzhou, China.
Email body screenshot:
The embedded URL leads to hxxp://ellavista.com/htm/Invoice.scr, from which the 406 kB malicious file is downloaded.
The trojan is known as Trojan.GenericKDV.1271370, Trojan-Spy.Win32.Zbot.puuz, PWS:Win32/Zbot, Troj/Zbot-GHP or TR/Crypt.Xpack.22598.
At the time of writing, 16 of the 49 AV engines at VirusTotal detected the trojan.
VirusTotal permalink and SHA256: c38323dc5c3d048a64697b3087c50583c15a682ec29ec5aa61057cfe3679d651.
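As an added defensive example (not part of the MX Lab post), the following mail-filter check covers the two indicators the post provides: it flags embedded links whose path ends in a directly executable extension such as the .scr used here, and compares a downloaded file against the published SHA256. The sample email body is constructed and only modelled on the lure quoted above.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicator taken from the MX Lab post above (the SHA256 of Invoice.scr).
KNOWN_BAD_SHA256 = {
    "c38323dc5c3d048a64697b3087c50583c15a682ec29ec5aa61057cfe3679d651",
}
# Extensions Windows runs directly when double-clicked; .scr (screensaver) is the one used in this campaign.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# Matches both live http(s):// links and defanged hxxp:// indicators.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://\S+", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn a defanged hxxp:// indicator back into a parseable http:// URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def suspicious_urls(body: str) -> list[str]:
    """Return every URL in an email body whose path ends in an executable extension."""
    hits = []
    for raw in URL_RE.findall(body):
        url = refang(raw.rstrip(".,;)"))          # drop trailing sentence punctuation
        path = urlparse(url).path.lower()
        if any(path.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            hits.append(url)
    return hits


def is_known_sample(data: bytes) -> bool:
    """Check downloaded bytes against the SHA256 published for this campaign."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


# Constructed sample body, modelled on the lure quoted in the post (not the original email).
SAMPLE_BODY = """Confirm the payment Slip which was made to the account written on the Invoice.
Download the invoice here: hxxp://ellavista.com/htm/Invoice.scr
Our catalogue: http://example.org/catalogue.html
"""

if __name__ == "__main__":
    for url in suspicious_urls(SAMPLE_BODY):
        print("BLOCK: link to executable download", url)
    print("known sample:", is_known_sample(b"constructed placeholder bytes"))
```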