Fake email “Copied invoices” from cashbuild.co.za contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Copied invoices”.

This email is sent from the spoofed address “kshakong@Cashbuild.co.za” and has the following body:

The attached invoices are copies. We will not be able to pay them. Please send clear invoices

______________________________________________________________________
This outbound email has been scanned by the IS Mail Control service.
For more information please visit http://www.is.co.za
______________________________________________________________________

The attached ZIP file has the name SKMBT_75114091015230.zip and contains the file SKMBT_75114091015230.exe.

The trojan is known as Trojan.PWS.Stealer.4118, Spyware.Passwords, Trojan.Zbot.ILS, TR/Fareit.A.301, Troj/Agent-AIXF or RDN/Generic PWS.y!bbb.

At the time of writing, 24 of the 54 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink for more detailed information.
SHA256: e324d73b36f1fd31c53f6ae21457c2fd57f90be56dcd776efbe06b01fdaf3d5d
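
As an added example (not MX Lab's code), the following mail-gateway style check flags the delivery pattern described above: a ZIP attachment that contains a directly executable file, plus a comparison against the SHA256 published on this page. The function names, the extension list and the sample message are assumptions made for illustration; the sample payload is harmless constructed text.

```python
import hashlib
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# SHA256 published on this page. The page does not say whether it covers the
# ZIP or the EXE, so both the attachment and each archive member are hashed.
KNOWN_SHA256 = {"e324d73b36f1fd31c53f6ae21457c2fd57f90be56dcd776efbe06b01fdaf3d5d"}
# Assumption: extensions a gateway treats as directly executable on Windows.
EXEC_EXT = (".exe", ".scr", ".pif", ".com")


def scan_message(raw: bytes) -> list[str]:
    """Return findings for ZIP attachments carrying executables or known hashes."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if hashlib.sha256(data).hexdigest() in KNOWN_SHA256:
            findings.append(f"{name}: attachment matches published SHA256")
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXEC_EXT):
                    findings.append(f"{name}: contains executable {info.filename}")
                if info.flag_bits & 0x1:
                    continue  # encrypted member: cannot be hashed without a password
                if hashlib.sha256(zf.read(info)).hexdigest() in KNOWN_SHA256:
                    findings.append(f"{name}: member {info.filename} matches published SHA256")
    return findings


def build_sample(member: str = "SKMBT_75114091015230.exe") -> bytes:
    """Constructed message shaped like the campaign; the payload is harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "kshakong@Cashbuild.co.za"
    msg["Subject"] = "Copied invoices"
    msg.set_content("The attached invoices are copies.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="SKMBT_75114091015230.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The constructed sample triggers only the executable-in-ZIP finding, because its placeholder content does not hash to the published value.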
