MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “CDS Invoice: 738-31540”.
This email is sent from the spoofed address “Gina Moon CDS Group <email@example.com>” and has the following body:
Please find attached your invoice number 738-31540
If you have any queries with this invoice, please email us at firstname.lastname@example.org or call us on 020 8752 8040
The CDS Group of Companies, Passenger Car Services Same Day UK Couriers TV Support Units Overnight & International
Tel: 020 8752 8040
The attached ZIP file has the name CDS_738-31540.zip and contains the folder CBS_invoice_7849530254.xls, which holds the 112 kB file CBS_invoice_7849530254.xls.exe.
The trojan is known as W32/Trojan.URGJ-1539, Trojan-Spy.Zbot, Spyware.Zbot.ED, UDS:DangerousObject.Multi.Generic or Troj/DwnLdr-LUT.
At the time of writing, 10 of the 54 AV engines detected the trojan at Virus Total.
Use the Virus Total permalink for more detailed information.