Email “Important: last month reports” with attached file Company_Report.zip contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Important: last month reports”.

This email is sent from the spoofed address Administrator <docs0@domain.tld> and has the following body:

File Validity: 22/10/2013
Company : http://domain.com
File Format: Office – Excel
Internal Name: last month reports
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.

The attached ZIP file has the name Company_Report_domain.tld.zip and contains the 21 kB large file Company_Report_10222013.exe.

Note: “domain.tld” in the spoofed from address and in the body of the email is filled in dynamically with the recipient domain.
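
The traits described above (the subject, a sender at the recipient's own domain, a ZIP named after that domain, an executable inside the ZIP) can be checked on a raw message at a mail gateway. The following Python sketch is an added example, not MX Lab's code; the function names, the extension list and the constructed sample message are assumptions for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECT = "Important: last month reports"      # subject reported in the advisory
EXEC_EXT = (".exe", ".scr", ".pif", ".com")    # assumption: extensions treated as executable

def _domain(header):
    """Domain of the first address in a parsed From/To header, or ''."""
    return header.addresses[0].domain.lower() if header and header.addresses else ""

def campaign_indicators(raw: bytes) -> list:
    """Return which traits described in the advisory appear in one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT.lower() in str(msg["Subject"] or "").lower():
        hits.append("subject")
    rcpt = _domain(msg["To"])
    if rcpt and _domain(msg["From"]) == rcpt:
        hits.append("sender_uses_recipient_domain")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        if rcpt and name == f"company_report_{rcpt}.zip":
            hits.append("zip_named_after_recipient_domain")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                members = zf.namelist()  # names are listed without extracting anything
        except zipfile.BadZipFile:
            hits.append("unreadable_zip")
            continue
        if any(m.lower().endswith(EXEC_EXT) for m in members):
            hits.append("executable_in_zip")
    return hits

def build_sample(rcpt="alice@example.org", member="Company_Report_10222013.exe"):
    """Constructed message with the layout described above; the member is inert text."""
    domain = rcpt.split("@")[1]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"inert placeholder, not an executable")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = f"Administrator <docs0@{domain}>", rcpt, SUBJECT
    msg.set_content("File Format: Office - Excel")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=f"Company_Report_{domain}.zip")
    return msg.as_bytes()
```

A message that matches several of these traits at once is a stronger quarantine signal than any single one, since internal senders and ZIP attachments are both common in legitimate mail.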

The trojan is known as W32/Trojan.LZKJ-1963, Win32/TrojanDownloader.Small.AAB, W32/Trojan3.GHF.

At the time of writing, 10 of the 47 AV engines detected the trojan at Virus Total.

Virus Total permalink and SHA256: 5a952489d479f63c8d3e51432fec502831bcbf297904e5c8860430d83efd5089.