MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Your LogMeIn Pro payment has been processed!”.
This email is sent from the spoofed address “"LogMeIn.com" <firstname.lastname@example.org>” and has the following body:
Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers.
Your credit card has been successfully charged.
Date : 25/2/2015
Amount : $999 ( you saved $749.75)
The transaction details can be found in the attached receipt.
Your computers will be automatically upgraded the next time you sign in.
Thank you for choosing LogMeIn!
The attached file logmein_pro_receipt.xls is an Excel sheet with a macro that will download the 92 kB file bin.exe from the location hxxp://junidesign.de/js/bin.exe.
The trojan is known as Dridex.K, PE:Malware.XPACK-LNR/Heur!1.5594 or HEUR/QVM20.1.Malware.Gen.
At the time of writing, 3 of the 57 AV engines detected the trojan at VirusTotal.
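A mail-gateway style check for the indicators described above, as an added example that is not MX Lab's code: it matches the subject, a LogMeIn display name on a non-LogMeIn address, the attachment name, and any legacy Office (OLE2) attachment that carries a VBA project storage. The vendor domain `logmein.com`, the function names and the sample message bytes are assumptions constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

SUBJECT = "Your LogMeIn Pro payment has been processed!"  # from the page
ATTACHMENT = "logmein_pro_receipt.xls"                     # from the page
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")              # legacy Office (OLE2) header
VBA_DIR = "_VBA_PROJECT".encode("utf-16-le")               # OLE directory names are UTF-16LE
BRAND_DOMAIN = "logmein.com"                               # assumption: vendor's real domain


def assess(raw: bytes) -> list[str]:
    """Return the reasons a message matches this campaign (empty list = no match)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if str(msg["Subject"] or "").strip() == SUBJECT:
        reasons.append("subject")
    name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    on_brand = domain == BRAND_DOMAIN or domain.endswith("." + BRAND_DOMAIN)
    if "logmein" in name.lower() and not on_brand:
        reasons.append("display-name-mismatch")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if (part.get_filename() or "").lower() == ATTACHMENT:
            reasons.append("attachment-name")
        # Heuristic: OLE2 container whose directory holds a VBA project storage.
        if data.startswith(OLE_MAGIC) and VBA_DIR in data:
            reasons.append("ole-with-vba")
    return reasons


def build_sample(sender: str, subject: str, filename: str, payload: bytes) -> bytes:
    """Constructed test message; the payload is a stand-in, not a real workbook."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.net", subject
    m.set_content("Thank you for purchasing our yearly plan for LogMeIn Pro.")
    m.add_attachment(payload, maintype="application",
                     subtype="vnd.ms-excel", filename=filename)
    return m.as_bytes()


FAKE_XLS = OLE_MAGIC + b"\x00" * 64 + VBA_DIR + b"\x00" * 64  # constructed bytes
if __name__ == "__main__":
    print(assess(build_sample('"LogMeIn.com" <firstname.lastname@example.org>',
                              SUBJECT, ATTACHMENT, FAKE_XLS)))
```

The `ole-with-vba` reason fires regardless of file name or subject, so a renamed attachment from the same kind of campaign is still flagged.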