MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Request for payment (PGS/73329)”.
This email is sent from the spoofed address “PGS Services Limited <email@example.com>” and has the following body:
Although we have contacted you already, our system is still showing that the invoice remains unpaid.
RST Support Services Limited
Rotary Watches Ltd
2 Fouberts Place
Full details are attached to this email in DOC format.
Click here to make a payment
If there is any reason why payment should not be made or if you are experiencing difficulties with making the payment please get in touch so that we can discuss the matter and stop the recovery process.
Customer services team
PGS Services | Expert Property Care
Direct dial: 0203 819 7054
Visit our website: www.pgs-services.co.uk
10 quick questions – tell us what you think!
The embedded URL/button behind “Click here to make a payment” leads to hxxps://www.pgs-services.co.uk/secure/pgs-payment.php?a=73329&b=3&c=6555&d=649a79cf0342f920d6b62e7f73777dc9&e=865c0c0b4ab0e063e5caa3387c1a8741, but so far we have not been able to connect to it.
The attached file 3-6555-73329-1435806061-3.doc is a 115 kB Excel file with an embedded malicious macro script that downloads a trojan from a remote host.
The Word malware is known as LooksLike.Macro.Malware.gen!d3 (v), HEUR.VBA.Trojan.B or W97M.Dropper.KV.
At the time of writing, 4 of the 55 AV engines detected the trojan at VirusTotal.
See VirusTotal for more detailed information.
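As an added defensive example (this is not MX Lab's code), the following Python script shows how a mail gateway could triage a message of this kind: it parses the raw email, extracts the indicators a responder wants (sender, subject, URLs in the body, attachment name, size and SHA-256) and quarantines the message when an attachment is an OLE2 Office document carrying a VBA macro project. The macro check is a byte-level heuristic on the UTF-16LE directory names that every VBA-bearing OLE2 file contains, not a full document parser. The sample message, the fake .doc bytes and the payment URL domain are constructed for the example; only the subject, spoofed sender and attachment name are taken from the campaign described above.

```python
"""Gateway triage for a "Request for payment" style macro-malware email.

Added example, not MX Lab's code. Parses a raw RFC 5322 message, pulls out the
indicators a responder wants (sender, subject, URLs in the body, attachment
name / size / SHA-256) and flags Office attachments that carry a VBA project.
The sample message and the fake .doc bytes below are constructed.
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
# OLE2 stores storage/stream names as UTF-16LE; a VBA project always has these.
VBA_MARKERS = [
    "_VBA_PROJECT".encode("utf-16-le"),
    "Macros".encode("utf-16-le"),
]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def has_vba_project(data: bytes) -> bool:
    """Heuristic: OLE2 container whose directory names include a VBA project."""
    return data.startswith(OLE_MAGIC) and any(m in data for m in VBA_MARKERS)


def triage(raw: bytes) -> dict:
    """Extract indicators from a raw message and decide whether to hold it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"from": str(msg["From"]), "subject": str(msg["Subject"]),
              "urls": [], "attachments": []}
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        report["urls"] = sorted(set(URL_RE.findall(body.get_content())))
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        report["attachments"].append({
            "name": part.get_filename(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "vba_macro": has_vba_project(data),
        })
    # One macro-bearing Office attachment is enough to hold the whole message.
    held = any(a["vba_macro"] for a in report["attachments"])
    report["verdict"] = "QUARANTINE" if held else "DELIVER"
    return report


def build_sample_message() -> bytes:
    """Constructed lookalike of the campaign mail. The attachment is a fake OLE2
    container with VBA directory names, not the real malicious document."""
    fake_doc = (OLE_MAGIC + b"\x00" * 504                  # 512-byte header, zeroed
                + "Root Entry".encode("utf-16-le")
                + VBA_MARKERS[1] + VBA_MARKERS[0] + b"\x00" * 64)
    msg = EmailMessage()
    msg["From"] = "PGS Services Limited <email@example.com>"   # spoofed display name
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Request for payment (PGS/73329)"
    msg.set_content(
        "Full details are attached to this email in DOC format.\n"
        "Click here to make a payment:\n"
        "https://payment.example.invalid/secure/pgs-payment.php?a=73329\n"  # placeholder URL
    )
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="3-6555-73329-1435806061-3.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_message()), indent=2))
```

Running the script prints the triage report for the constructed message, with the attachment flagged and the verdict set to QUARANTINE. On real traffic, the SHA-256 and URL fields are what you would submit to VirusTotal or match against a blocklist; the marker heuristic will also fire on legitimate macro-enabled documents, so in production it belongs in a policy that holds such mail for review rather than silently dropping it.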
Update 01/12/2015 – 14:40:
The macro can download the trojan from the following locations:
The trojan can make connections to the following IPs:
The trojan is known as UDS:DangerousObject.Multi.Generic or QVM19.1.Malware.Gen.
The 168 kB file 9o8jhdw.exe is detected by 2 of the 55 AV engines at VirusTotal.