MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “UK Fuels E-bill”.
This email is sent from the spoofed address “firstname.lastname@example.org” and has the following body:
Customer No : 35056
Email address : email@example.com
Attached file name : 35056_49_2014.doc
Please find attached your invoice for Week 49 2014.
In order to open the attached DOC file you will need
the software Microsoft Office Word.
If you have any queries regarding your e-bill you can contact us at firstname.lastname@example.org.
UK Fuels Ltd
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
With the email comes a 91 kB file named 35056_49_2014.doc that is not detected as a potential risk by any of the 56 engines at Virus Total. In this case it is a malicious Word document that will try to execute a macro when opened in order to download a binary which contains the real trojan.
The binary will be downloaded from hxxp://KAFILATRAVEL.COM/js/bin.exe and is 77 kB.
At the time of writing, only 3 of the 56 AV engines at Virus Total detect the malicious Word file.
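Because the attachment passed every engine at first scan, a gateway cannot rely on AV signatures alone for this kind of lure. The following Python script is an added example, not MX Lab's code: it parses a message built to mirror the one above, pulls out the attachment, checks whether it is an OLE2 (legacy .doc) container, scans it for VBA project markers, auto-run entry points, download/execute calls and embedded URLs, and records its SHA-256 for a hash lookup. The message, the fake attachment bytes and the verdict thresholds are all constructed for the example; the fake attachment is only an OLE header followed by plaintext indicator strings, not a real document.

```python
"""Mail-gateway triage for a macro-bearing .doc attachment (added example)."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # [MS-CFB] compound file header

# Strings that mark an OLE2 document as carrying a VBA project.
MACRO_MARKERS = (b"Macros", b"_VBA_PROJECT", b"ThisDocument", b"Attribut")
# Auto-run entry points and download/execute calls typical of a dropper macro.
SUSPICIOUS = (b"AutoOpen", b"Document_Open", b"URLDownloadToFile",
              b"MSXML2.XMLHTTP", b"ADODB.Stream", b"WScript.Shell", b"Shell")
# Matches both live (http) and defanged (hxxp) URLs.
URL_RE = re.compile(rb"h(?:xx|tt)ps?://[^\s\x00\"'<>]+", re.IGNORECASE)

# Constructed stand-in for 35056_49_2014.doc: an OLE header followed by
# plaintext markers. It is not a real document and does not execute anything.
FAKE_DOC = (OLE_MAGIC + b"\x00" * 24
            + b"Macros\x00ThisDocument\x00Attribut\x00"
            + b"Sub AutoOpen()\x00URLDownloadToFile\x00"
            + b"hxxp://KAFILATRAVEL.COM/js/bin.exe\x00Shell\x00")


def build_message(attachment: bytes, filename: str, subtype: str = "msword") -> EmailMessage:
    """Build a message mirroring the campaign's lure, carrying the given attachment."""
    msg = EmailMessage()
    msg["From"] = "UK Fuels Ltd <firstname.lastname@example.org>"   # spoofed sender, as on the page
    msg["To"] = "email@example.com"
    msg["Subject"] = "UK Fuels E-bill"
    msg.set_content("Please find attached your invoice for Week 49 2014.\n")
    msg.add_attachment(attachment, maintype="application", subtype=subtype, filename=filename)
    return msg


def sha256_hex(data: bytes) -> str:
    """Hash used for a Virus Total / threat-intel lookup of the attachment."""
    return hashlib.sha256(data).hexdigest()


def analyse_attachment(name: str, data: bytes) -> dict:
    """Static first-pass checks on one attachment; returns findings and a verdict."""
    is_ole = data.startswith(OLE_MAGIC)
    markers = [m.decode() for m in MACRO_MARKERS if m in data]
    hits = [k.decode() for k in SUSPICIOUS if k in data]
    urls = [u.decode(errors="replace") for u in URL_RE.findall(data)]
    # Thresholds are this example's assumption: OLE + VBA markers + a download
    # or auto-run indicator is quarantined; OLE + VBA markers alone goes to review.
    if is_ole and markers and (hits or urls):
        verdict = "quarantine"
    elif is_ole and markers:
        verdict = "review"
    else:
        verdict = "pass"
    return {"filename": name, "size": len(data), "sha256": sha256_hex(data),
            "is_ole": is_ole, "macro_markers": markers, "suspicious": hits,
            "urls": urls, "verdict": verdict}


def triage_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and analyse every attachment it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        payload = part.get_content()          # bytes for binary parts, str for text parts
        if isinstance(payload, str):
            payload = payload.encode()
        results.append(analyse_attachment(part.get_filename() or "(unnamed)", payload))
    return {"subject": msg["Subject"], "from": msg["From"], "attachments": results}


if __name__ == "__main__":
    report = triage_message(build_message(FAKE_DOC, "35056_49_2014.doc").as_bytes())
    for a in report["attachments"]:
        print(a["filename"], a["size"], a["sha256"][:16], a["verdict"], a["urls"])
```

In a real .doc the VBA source sits in an MS-OVBA-compressed stream, so plain substring hits on the raw file are a coarse first pass that can miss obfuscated keywords; the marker check still fires on the VBA project directory, which is what justifies the "review" verdict even without keyword hits. For the full macro source, and the URL the macro actually contacts, hand the quarantined file to a proper VBA decompressor such as olevba from oletools or to a sandbox.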