MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Berendsen UK Ltd Invoice 60020918 117”.
This email is sent from the spoofed address “firstname.lastname@example.org” and has the following body:
Please find attached your invoice dated 1st January.
All queries should be directed to your branch that provides the service. This detail can be found on your invoice.
This e-mail and any attachments it may contain is confidential and
intended for the use of the named addressee(s) only. If you are not
the intended recipient, you have received it in error, please
immediately contact the sender and delete the material from your
computer system. You must not copy, print, use or disclose its
contents to any person. All e-mails are monitored for traffic data and
the content for security purposes.
Berendsen UK Ltd, part of the Berendsen plc Group.
Registered Office: 4 Grosvenor Place, London, SW1X 7DL.
Registered in England No. 228604
The attached file IRN001526_60020918_I_01_01.DOC is a Word file with an embedded macro that will download the file bin.exe from the following location: hxxp://elektromarket.cba.pl/js/bin.exe
The trojan is known as Downloader-FAOO!434F0A990013 or Dridex.K.
At the time of writing, 2 of the 57 AV engines on VirusTotal detected the trojan.
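As an added triage example (not part of the MX Lab post), the script below parses an .eml, and for each attachment checks for the OLE2 header, VBA storage names and a download API or URL, the combination this lure relies on. The message, the attachment bytes and the download domain are constructed placeholders; real macro source is compressed inside the file, so this is a first-pass heuristic rather than a replacement for olevba.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header (.DOC/.XLS)
# OLE directory entry names are stored as UTF-16LE, so encode the storage names that way.
VBA_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT", "VBA")]
DOWNLOAD_APIS = (b"URLDownloadToFile", b"XMLHTTP", b"ADODB.Stream", b"WScript.Shell")
URL_RE = re.compile(rb"h(?:xx|tt)ps?://[\w.\-]+/[^\s\"'<>]*", re.I)

# Constructed sample: OLE magic, VBA storage names and an uncompressed download call.
# Real VBA source is MS-OVBA compressed; the domain is a placeholder, not the campaign's.
SAMPLE_DOC = (OLE_MAGIC + b"\x00" * 24 + "Macros".encode("utf-16-le") + b"\x00\x00"
              + "_VBA_PROJECT".encode("utf-16-le") + b"\x00\x00"
              + b"URLDownloadToFile hxxp://downloader.example.invalid/js/bin.exe")

def build_sample_eml() -> bytes:
    """Constructed .eml carrying the invoice lure and the .DOC attachment above."""
    msg = EmailMessage()
    msg["From"] = "firstname.lastname@example.org"
    msg["Subject"] = "Berendsen UK Ltd Invoice 60020918 117"
    msg.set_content("Please find attached your invoice dated 1st January.")
    msg.add_attachment(SAMPLE_DOC, maintype="application", subtype="msword",
                       filename="IRN001526_60020918_I_01_01.DOC")
    return msg.as_bytes()

def triage_attachments(raw_eml: bytes) -> list[dict]:
    """Flag OLE attachments that carry a VBA project plus a URL or download API (heuristic)."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        is_ole = data.startswith(OLE_MAGIC)
        has_vba = is_ole and any(m in data for m in VBA_MARKERS)
        urls = [u.decode("ascii", "replace") for u in URL_RE.findall(data)]
        apis = [a.decode() for a in DOWNLOAD_APIS if a in data]
        if has_vba and (urls or apis):
            verdict = "suspicious"        # macro plus download capability: quarantine and sandbox
        elif has_vba:
            verdict = "review"            # macro present, no plain-text network indicator found
        else:
            verdict = "clean-by-heuristic"
        findings.append({"name": part.get_filename() or "", "sha256": hashlib.sha256(data).hexdigest(),
                         "is_ole": is_ole, "has_vba": has_vba, "urls": urls, "apis": apis,
                         "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in triage_attachments(build_sample_eml()):
        print(f["verdict"], f["name"], f["sha256"][:16], f["urls"], f["apis"])
```

The sha256 in each finding is what you would submit to VirusTotal or match against the hash in your own detection names such as Downloader-FAOO!434F0A990013.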