MX Lab, http://www.mxlab.eu, has started intercepting a new trojan distribution campaign by email with the subject “New bank details”.
This email is sent from the spoofed address “"Bitstamp.net" <email@example.com>”, while the real SMTP sender is AmericanExpress@welcome.aexp.com, and has the following body:
New banking details
Dear Bitstamp clients,
We would like to inform you that Bitstamp now has new bank details, please check attached file.
We would like to assure those of you who sent deposits to our old details that our old IBAN is still active and your transfers, if otherwise sent with correct information, should arrive without a problem.
Please note that SEPA transfers usually take 1 to 3 business days to arrive and would kindly ask those waiting for your SEPA transfers longer than usually to please send us a transfer confirmation so that we can examine our bank account log and locate your transfers.
Also for those waiting on deposits we ask for your patience; we have accumulated a long list of transfers which lack information or contain wrong information which means we need to manually go through all of them instead of our system sorting them automatically.
CEO, Nejc Kodrič
The attached ZIP file is named bank details.zip and contains the 24 kB file bank details.scr.
The trojan is known as Troj.W32.Gen, a variant of Win32/Kryptik.COEK, HEUR/QVM20.1.Malware.Gen or Mal/Generic-S.
At the time of writing, 4 of the 53 AV engines detected the trojan at VirusTotal. MX Lab has also intercepted some emails without the malicious attachment, but be aware that this email is still a risk.
Use the VirusTotal permalink for more detailed information.
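The two traits described above, a From header that does not match the real SMTP sender and a ZIP attachment carrying a .scr file, can be checked at a mail gateway. The following is an added example, not MX Lab's code: the function names (`domain_of`, `triage`, `build_sample`) and the extension list are assumptions, and the sample message is constructed with harmless placeholder bytes in place of the trojan.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions Windows runs directly (assumed list); .scr is the one in this campaign.
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")

def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address or header value."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def triage(raw: bytes, envelope_sender: str) -> list:
    """Return findings for one message; envelope_sender is the SMTP MAIL FROM."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom, env_dom = domain_of(msg["From"] or ""), domain_of(envelope_sender)
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f"sender mismatch: From={from_dom} envelope={env_dom}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXECUTABLE_EXTS):
            findings.append(f"executable attachment: {name}")
        elif zipfile.is_zipfile(io.BytesIO(data)):
            # Look inside the archive: the campaign hides the .scr in a ZIP.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_EXTS):
                        findings.append(f"executable in {name}: {member}")
    return findings

def build_sample() -> bytes:
    """Constructed sample mirroring the campaign; the .scr is placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bank details.scr", b"placeholder, not malware")
    msg = EmailMessage()
    msg["From"] = '"Bitstamp.net" <email@example.com>'
    msg["Subject"] = "New bank details"
    msg.set_content("Dear Bitstamp clients, ...")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="bank details.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in triage(build_sample(), "AmericanExpress@welcome.aexp.com"):
        print(finding)
```

A sender mismatch on its own is common in legitimate bulk and mailing-list mail, so treat it as a scoring signal; the executable inside the archive is the stronger indicator.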