MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “PO QN43568”.
This email is sent from the spoofed address “Guangzhou Jintao Ceramic Co.,Ltd <email@example.com>” and has the following body:
Attached herewith is our companies order for 2013/14 kindly arrange pi for the same we await your early response
Guangzhou Jintao Ceramic Co.,Ltd,
Add: A Building, Jintao Industrial District, Rongshutang, Yongxing Village,
North Baiyun Road, Baiyun District, Guangzhou, China.
The embedded URL leads to hxxp://ellavista.com/htm/TTcopy.scr, a 311 kB file named TTcopy.scr. The URL is hidden behind a screenshot of what appears to be a scanned order form, and also behind the links “View slide show (1)” and “Download all as zip”.
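The lure works because a Windows screensaver (.scr) is native executable code, while the image and the link text suggest a document viewer. As an added example (not code from MX Lab), the following checks an HTML mail body for links whose target has an executable extension but whose visible text or image does not reveal that filename; the sample body is constructed and uses a placeholder host instead of the real one.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows runs as native code regardless of how the link is labelled.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text, wraps-an-image) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and "href" in attrs:
            self._current = {"href": attrs["href"], "text": "", "image": False}
        elif tag == "img" and self._current is not None:
            self._current["image"] = True  # link is hidden behind a picture

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def find_disguised_executables(html_body):
    """Return hrefs pointing at an executable whose filename is not shown to the reader."""
    parser = _LinkCollector()
    parser.feed(html_body)
    hits = []
    for link in parser.links:
        path = urlparse(link["href"]).path.lower()
        basename = path.rsplit("/", 1)[-1]
        ext = basename[basename.rfind("."):] if "." in basename else ""
        if ext not in EXECUTABLE_EXTENSIONS:
            continue
        # Flag when the anchor is an image or the text conceals the real filename.
        if link["image"] or basename not in link["text"].lower():
            hits.append(link["href"])
    return hits


# Constructed sample modelled on the campaign; example.invalid is a placeholder host.
SAMPLE_BODY = """<p>Attached herewith is our companies order for 2013/14</p>
<a href="http://example.invalid/htm/TTcopy.scr"><img src="order.png"></a>
<a href="http://example.invalid/htm/TTcopy.scr">View slide show (1)</a>
<a href="http://example.invalid/htm/TTcopy.scr">Download all as zip</a>
<a href="http://example.invalid/order.pdf">order.pdf</a>"""
```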
The trojan is known as TR/Dropper.MSIL.Gen, Gen:Variant.Barys.1003 (B), MSIL/Injector.PEI!tr, Worm.Win32.Ainslot or MSIL:Crypt-QF [Trj].
At the time of writing, 10 of the 48 AV engines on VirusTotal detected the trojan.