MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Copy of your 123-reg invoice ( 123-015309323 )” (the number in the subject may change).
This email is sent from the spoofed address “email@example.com” and has the following body:
Thank you for your order.
Please find attached to this email a receipt for this payment.
Help and support
If you are still stuck why not contact our support team? Simply visit our 123-reg Support Centre and click on the Ask a Question tab.
Thank you for choosing 123-reg.
The 123-reg team.
© Copyright 123-reg – Part of Webfusion Ltd
Webfusion Ltd is a company registered in England and Wales with company number 05306504. Our VAT number is 927 1292 22. The address of our registered office is: 5 Roundwood Avenue, Stockley Park, Uxbridge, Middlesex, UB11 1FF.
Screenshot of the fake message:
The attached file 123-reg-invoice.doc, which is 53 kB in size, is a malicious Word file that contains a macro with instructions to download other malware onto the system.
The malicious Word file is detected as MO97:Downloader-WY [Trj], Macro.Trojan-Downloader.Agent.EB@gen, W97M/Downloader or Trojan-Downloader.VBA.Agent.nr (v).
At the time of writing, 5 of the 56 AV engines detected the trojan at Virus Total.
Use Virus Total for more detailed information.
MX Lab recommends not opening this Word file, or at least disabling macros.
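As an added example (not MX Lab's code), here is a mail-gateway triage sketch in Python for the campaign described above: it matches the subject pattern and flags attachments that are OLE2 files carrying the `_VBA_PROJECT` stream name, a heuristic for legacy Word files with macros. The function names, the result keys and the sample message are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject from the advisory; the number in parentheses varies per message.
SUBJECT_RE = re.compile(r"Copy of your 123-reg invoice \(\s*[\d-]+\s*\)")
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # OLE2 compound file header (.doc)
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # directory names are stored as UTF-16LE

def triage(raw: bytes) -> dict:
    """Check one raw RFC 5322 message for the campaign subject and macro-bearing .doc files."""
    msg = message_from_bytes(raw, policy=policy.default)
    result = {"subject_match": bool(SUBJECT_RE.search(msg["Subject"] or "")),
              "macro_docs": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Heuristic only: OLE2 container plus the VBA project stream name.
        if data.startswith(OLE_MAGIC) and VBA_MARKER in data:
            result["macro_docs"].append(part.get_filename() or "")
    result["campaign_hit"] = result["subject_match"] and bool(result["macro_docs"])
    return result

def build_sample(with_macro: bool) -> bytes:
    """Constructed test message; the attachment is a stand-in, not a real document."""
    doc = OLE_MAGIC + b"\x00" * 504 + (VBA_MARKER if with_macro else b"")
    m = EmailMessage()
    m["From"] = "email@example.com"
    m["Subject"] = "Copy of your 123-reg invoice ( 123-015309323 )"
    m.set_content("Thank you for your order.")
    m.add_attachment(doc, maintype="application", subtype="msword",
                     filename="123-reg-invoice.doc")
    return m.as_bytes()

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, triage(build_sample(flag)))
```

A hit from this check is a reason to quarantine and inspect the attachment with a full macro parser such as olevba from oletools, not a verdict on its own.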