Fake email “Copied invoices” from cashbuild.co.za contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Copied invoices”.

This email is sent from the spoofed address “kshakong@Cashbuild.co.za” and has the following body:

The attached invoices are copies. We will not be able to pay them. Please send clear invoices

This outbound email has been scanned by the IS Mail Control service.
For more information please visit http://www.is.co.za

The attached ZIP file has the name SKMBT_75114091015230.zip and contains the file SKMBT_75114091015230.exe.

The trojan is known as Trojan.PWS.Stealer.4118, Spyware.Passwords, Trojan.Zbot.ILS, TR/Fareit.A.301, Troj/Agent-AIXF or RDN/Generic PWS.y!bbb.

At the time of writing, 24 of the 54 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink for more detailed information.
SHA256: e324d73b36f1fd31c53f6ae21457c2fd57f90be56dcd776efbe06b01fdaf3d5d
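
A mail-gateway style check for the attachment pattern described above (a ZIP that holds an .exe), as an added example that is not from MX Lab. The extension list, the size cap and the sample message are assumptions constructed for illustration; the sample carries harmless placeholder bytes.

```python
import email, hashlib, io, zipfile
from email import policy
from email.message import EmailMessage

# SHA256 quoted on this page; the page does not say whether it is the ZIP or the EXE,
# so both archive and member hashes are compared against it.
KNOWN_BAD = {"e324d73b36f1fd31c53f6ae21457c2fd57f90be56dcd776efbe06b01fdaf3d5d"}
EXEC_EXT = (".exe", ".scr", ".pif", ".com")  # assumed policy list, not from the page
MAX_MEMBER = 20 * 1024 * 1024  # assumed cap so oversized members are not unpacked

def scan_message(raw: bytes):
    """Return (attachment, member, reason) tuples for suspicious ZIP attachments."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        if hashlib.sha256(data).hexdigest() in KNOWN_BAD:
            findings.append((name, "", "archive hash on blocklist"))
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXEC_EXT):
                    findings.append((name, info.filename, "executable in archive"))
                # Encrypted or oversized members cannot be hashed safely here.
                if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                    continue
                if hashlib.sha256(zf.read(info)).hexdigest() in KNOWN_BAD:
                    findings.append((name, info.filename, "member hash on blocklist"))
    return findings

def build_sample(member="SKMBT_75114091015230.exe"):
    """Constructed test message: same file names as the campaign, harmless content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder bytes, not malware")
    msg = EmailMessage()
    msg["Subject"] = "Copied invoices"
    msg.set_content("The attached invoices are copies.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="SKMBT_75114091015230.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```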
