MX Lab, http://www.mxlab.eu, is intercepting different types of emails carrying an attached Trojan.Zbot.IDE sample.
The first email is sent from the spoofed address “QuickBooks Invoice <firstname.lastname@example.org>” while the SMTP envelope sender (MAIL FROM) is “email@example.com”; it has the subject “Notification of direct debit of fees” and the following body:
Notification Number: 5430143
Mandate Number: 8396466
###THIS IS AN AUTO NOTIFICATION EMAIL. DO NOT REPLY TO THE SENDER OF THIS EMAIL. IF YOU HAVE A QUERY PLEASE REFER TO THE INFORMATION BELOW ###
This is notification that Land Registry will debit 214.00 GBP from your nominated account on or as soon as possible before 15/01/2013.
Details of fees that we shall be collecting by direct debit for the applications charged are now available to view.
You can access these by opening attached report.
If you have an enquiry relating to your VDD account please contact Customer Support at firstname.lastname@example.org or call on 0844 892 1111. For all enquiries, please quote your key number.
Land Registry is the definitive source of information for more than 23 million property titles in England and Wales. Since 1862 we have provided security and confidence in one of the most active property and mortgage markets in the world. We are working to support economic growth and data transparency as part of the Public Data Group. Find out more at http://www.landregistry.gov.uk
The attached ZIP file is named Notification_5430143.zip and contains the 19 kB file Notification_1401.exe.
The second email is sent from the spoofed address “Elbert Hickman <email@example.com>” while the SMTP envelope sender (MAIL FROM) is “firstname.lastname@example.org”; it has the subject “Important Docs” and the following body:
Check attached docs.
Commercial Banking Support
Thames Gateway Commercial Office
2nd Floor, Riverbridge House, Anchor Boulevard,
Crossways, Dartford, Kent DA2 6SL
Depot Code 023
Tel: 01322 639620
Fax: 01322 606862
This information is classified as Confidential unless otherwise stated.
The Royal Bank of Scotland plc, Registered in Scotland No. 90312. Registered Office: 36 St Andrew Square, Edinburgh EH2 2YB
Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.
The attached ZIP file is named Docs_14012014.zip and contains the 19 kB file Docs_14012014.exe.
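Both messages share the same two indicators: the display From address does not match the SMTP envelope sender, and the only attachment is a small ZIP whose sole member is an .exe. The following script is an added example, not code from MX Lab or from the original post, showing how a mail gateway or triage script can check an RFC 5322 message for exactly those indicators. The sample message it builds is constructed for the example (addresses under the reserved .invalid TLD, a two-byte MZ stub instead of a real binary); only the file names mirror the first campaign email.

```python
import io
import os
import zipfile
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Members that Windows will execute regardless of how the lure names them.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def build_sample_eml(malicious: bool = True) -> bytes:
    """Construct a test message in the shape of the campaign (constructed sample).

    The addresses use the reserved .invalid TLD and the 'executable' is a
    harmless MZ stub; with malicious=False the envelope sender matches the
    From domain and no attachment is present.
    """
    msg = EmailMessage()
    msg["Subject"] = "Notification of direct debit of fees"
    msg["From"] = "QuickBooks Invoice <invoice@spoofed-brand.invalid>"
    # The receiving MTA records the SMTP MAIL FROM as Return-Path; in the lure
    # it points at a relay that has nothing to do with the displayed brand.
    msg["Return-Path"] = ("<bounce@botnet-relay.invalid>" if malicious
                          else "<invoice@spoofed-brand.invalid>")
    msg.set_content("Details of fees are available in the attached report.")
    if malicious:
        zip_buf = io.BytesIO()
        with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("Notification_1401.exe", b"MZ" + b"\x00" * 64)
        msg.add_attachment(zip_buf.getvalue(), maintype="application",
                           subtype="zip", filename="Notification_5430143.zip")
    return msg.as_bytes()


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze_message(raw: bytes) -> dict:
    """Return the campaign indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    header_from = parseaddr(str(msg.get("From", "")))[1]
    envelope_from = parseaddr(str(msg.get("Return-Path", "")))[1]
    if (_domain(header_from) and _domain(envelope_from)
            and _domain(header_from) != _domain(envelope_from)):
        findings.append(f"sender mismatch: From {header_from} vs Return-Path {envelope_from}")

    executables = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            executables.append(name)
            continue
        # Trust the magic bytes, not the declared MIME type or extension:
        # PK\x03\x04 is the ZIP local file header.
        if payload.startswith(b"PK\x03\x04"):
            try:
                # Only the central directory is read; nothing is extracted,
                # so an oversized member cannot expand on the scanning host.
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for info in zf.infolist():
                        if os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXTENSIONS:
                            executables.append(f"{name}:{info.filename}")
            except zipfile.BadZipFile:
                findings.append(f"attachment {name} has a ZIP signature but cannot be parsed")
    if executables:
        findings.append("executable in archive: " + ", ".join(executables))

    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "executables": executables,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, raw in (("lure", build_sample_eml(True)), ("clean", build_sample_eml(False))):
        result = analyze_message(raw)
        print(label, "SUSPICIOUS" if result["suspicious"] else "clean", result["findings"])
```

The From/Return-Path comparison is only as reliable as the MTA that wrote the Return-Path header, so run this on messages as they arrive at your own gateway rather than on forwarded copies. Matching on the ZIP signature rather than the .zip extension also catches archives delivered with a renamed extension, which the extension check alone would miss.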
The trojan is known as Trojan.Zbot.IDE, Trojan-Spy.Zbot, TR/Yarwi.B.117, W32/Trojan.TROM-4807 or Trojan.Email.FakeDoc.
At the time of writing, 14 of the 48 AV engines on VirusTotal detected the trojan.