MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Invoice from DATANET the Private Cloud Solutions Company”.
This email is sent from the spoofed address “Holly Humphreys <Holly.Humphreys@datanet.co.uk>” and has the following body:
Dear Accounts Dept :
Your invoice is attached, thank you for your business.
If you have any queries please do not hesitate to contact us.
01252 810010 Accounts Support from 9am to 5.30pm Monday to Friday
01252 813396 Technical Support from 8am to 8pm Monday to Friday
Please reply to Accounts@datanet.co.uk
Datanet – Hosting & Connectivity
01252 813396 – Normal Support: 8am-8pm Mon-Fri, Critical Break Fix Support: 24×7
DATANET.CO.UK Limited, Cloud Hosting & Connectivity Service Provider. Datanet is an ISO 9001 & ISO 27001 certified
business with the mantra of “CIA” – “Confidentiality, Integrity and Availability” at the heart of our private cloud solutions.
Information contained in this communication is confidential or restricted and is solely for the use of the intended recipient and others authorised to receive it.
If you are not the intended recipient you are hereby notified that any disclosure, distribution or action taken based on this email is prohibited and may be unlawful.
Registered Office: DATANET.CO.UK Limited, Aspen House, Barley Way, Ancells Business Park, Fleet, Hampshire, GU51 2UT Registered in England – No. 03214053
The attached file, named C/\Users\HOLLY~1.HUM\AppData\Local\Temp\Inv_107666_from_DATANET.CO..xls, is an Excel sheet with a malicious macro.
The malicious Excel sheet is detected as LooksLike.Macro.Malware.gen!x3 (v) or heur.macro.download.cc by 3 of the 55 engines at VirusTotal.
The macro will download the following file:
The trojan is known as HEUR/QVM10.1.Malware.Gen by 1 of the 52 AV engines at VirusTotal.
See VirusTotal for more detailed information.
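With only 3 of 55 engines detecting the sheet, the attachment name itself is the more reliable signal at the mail gateway: it carries a local Windows path, an 8.3 short name and a doubled dot before the extension. The Python sketch below is an added example, not MX Lab's code; the finding labels, the recipient address and the placeholder attachment bytes are constructed for illustration.

```python
import re
from email.message import EmailMessage

# Office extensions that can carry VBA macros (legacy binary and macro-enabled OOXML).
MACRO_CAPABLE = {".xls", ".doc", ".ppt", ".xlsm", ".docm", ".pptm"}

def filename_findings(name):
    """Return the anomalies found in one attachment filename (labels are hypothetical)."""
    findings = []
    if re.search(r"[\\/]", name):               # a path, not a bare file name
        findings.append("path-in-filename")
    if re.search(r"~\d", name):                 # 8.3 short-name component such as HOLLY~1.HUM
        findings.append("8.3-short-name")
    if re.search(r"\.{2,}[^.\\/]+$", name):     # "..xls": repeated dot before the extension
        findings.append("repeated-dot-before-extension")
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in MACRO_CAPABLE:
        findings.append("macro-capable-office-file")
    return findings

def scan_message(msg):
    """Map each suspicious attachment filename in an EmailMessage to its findings."""
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        found = filename_findings(name)
        if found:
            report[name] = found
    return report

def constructed_sample():
    """Constructed message reusing the subject, sender and attachment name reported above."""
    msg = EmailMessage()
    msg["From"] = "Holly Humphreys <Holly.Humphreys@datanet.co.uk>"
    msg["To"] = "accounts@example.org"          # constructed recipient
    msg["Subject"] = "Invoice from DATANET the Private Cloud Solutions Company"
    msg.set_content("Your invoice is attached, thank you for your business.")
    msg.add_attachment(
        b"placeholder, not a real spreadsheet",  # constructed bytes, no macro content
        maintype="application", subtype="vnd.ms-excel",
        filename=r"C/\Users\HOLLY~1.HUM\AppData\Local\Temp\Inv_107666_from_DATANET.CO..xls")
    return msg

if __name__ == "__main__":
    for name, found in scan_message(constructed_sample()).items():
        print(name, "->", ", ".join(found))
```

A macro-capable extension on its own is common in legitimate mail, so treat it as a weight and quarantine on the filename anomalies combined with it.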