MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “NUCSOFT-Payroll December 2014”.
This email is send from the spoofed address “Eliza Fernandes <email@example.com>” and has the following body:
Please find the data for payroll processing.
Please forward the PDF of summary.
This message contains privileged and confidential information and is intended only for an individual named. If you are not the intended recipient, you should not disseminate, distribute, store, print, copy or deliver this message. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted,
NUCSOFT : With You – Until Success and Beyond….
Visit us at http://www.nucsoft.com
The attached file Payroll Dec’14.doc is a Word file with a macro that will download an executable from hxxp://cerovski1.net.amis.hr/js/bin.exe.
The trojan is known as Trojan.DridexKD.2066383, W32/Dridex.I, W32/Dridex.CLAQ-7786, Backdoor:Win32/Drixed.C or TROJ_DRIDEX.XBZ.
At the time of writing, 20 of the 56 AV engines did detect the trojan at Virus Total.
Use the Virus Total permalink for more detailed information.