Fake email with ZIP archive from CDS Group contains trojan ZBot

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “CDS Invoice: 738-31540”.

This email is sent from the spoofed address “Gina Moon CDS Group <billing@cdsgroup.co.uk>” and has the following body:

Dear client,

Please find attached your invoice number 738-31540

If you have any queries with this invoice, please email us at accounts@cdsgroup.co.uk or call us on 020 8752 8040

The CDS Group of Companies, Passenger Car Services Same Day UK Couriers TV Support Units Overnight & International

Tel: 020 8752 8040
Email: accounts@cdsgroup.co.uk

Screenshot of the email:

The attached ZIP file has the name CDS_738-31540.zip and contains the folder CBS_invoice_7849530254.xls, which holds the 112 kB file CBS_invoice_7849530254.xls.exe (a double extension, so the executable is meant to pass for an Excel sheet).
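The archive layout above (a folder named like a spreadsheet holding an .xls.exe double-extension executable) is exactly what a mail gateway can flag before the message reaches a user. The following is an added example written for this post, not MX Lab's own tooling: it walks a ZIP attachment, reports entries with an executable extension, a decoy document extension in front of it, or a parent directory named like a document, and hashes each flagged entry so it can be compared with the SHA256 published below. The sample ZIP is constructed in the script with a harmless placeholder payload, not the real trojan.

```python
import hashlib
import io
import zipfile

# Extensions an invoice archive should never carry through an email gateway
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
# Document extensions commonly used as the decoy part of a double extension
DOCUMENT_EXTS = {"xls", "xlsx", "doc", "docx", "pdf", "txt"}


def analyse_zip(data: bytes):
    """Return one finding per suspicious file entry in the archive bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.split("/")
            segs = parts[-1].lower().split(".")
            ext = segs[-1] if len(segs) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension ." + ext)
                # e.g. invoice.xls.exe: the segment before the real extension is a lure
                if len(segs) > 2 and segs[-2] in DOCUMENT_EXTS:
                    reasons.append("double extension mimicking ." + segs[-2])
            # A directory named like a document file is the other lure used here
            for d in parts[:-1]:
                if d.rsplit(".", 1)[-1].lower() in DOCUMENT_EXTS:
                    reasons.append("directory named like a document: " + d)
            if reasons:
                sha256 = hashlib.sha256(zf.read(info)).hexdigest()
                findings.append({"name": info.filename, "size": info.file_size,
                                 "sha256": sha256, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for CDS_738-31540.zip with a placeholder payload (assumed layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CBS_invoice_7849530254.xls/CBS_invoice_7849530254.xls.exe",
                    b"PLACEHOLDER, NOT MALWARE")
        zf.writestr("readme.txt", b"benign text file")
    return buf.getvalue()


if __name__ == "__main__":
    for f in analyse_zip(build_sample_zip()):
        print(f["name"], f["size"], f["sha256"], "; ".join(f["reasons"]))
```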

The trojan is known as W32/Trojan.URGJ-1539, Trojan-Spy.Zbot, Spyware.Zbot.ED, UDS:DangerousObject.Multi.Generic or Troj/DwnLdr-LUT.

At the time of writing, 10 of the 54 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink for more detailed information.
SHA256: 6aec8b9c576f32a2ec143a556aad5142ff99a17e6c2898786ee00982f70856fc