MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Your order #47994403 – Corresponding Invoice #7704B491”.
This email is sent from the spoofed address “Jose Soto <SotoJose85350@gd-avocat.ch>” and has the following body:
Dear Valued Customer,
We are pleased to inform you that your order #47994403 has been processed and ready to be dispatched. However, according to our records, above mentioned invoice is still unpaid.
We would highly appreciate if you sent your payment promptly. For your information, don’t hesitate to check the invoice enclosed to this letter or contact us directly.
In case if you have already sent your payment, please disregards this letter and kindly allow us up to 3 business days to clear the incoming payment.
We look forward to your remittance and will the dispatch the goods.
Thank you for choosing our services we sincerely hope to continue doing business with you again.
Sales Department Manager
2715 Sycamore Road
Nyssa, OR 97913
The malicious script attached to the email is detected as S/Downldr.CZ.gen or BehavesLike.JS.ExploitBlacole.zv by 2 of the 55 AV engines at VirusTotal.
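For mail-gateway or incident-response triage of this kind of lure, the example below (added here; not MX Lab's code) parses a message, flags script-type attachments and a subject matching the "Your order #… – Corresponding Invoice #…" pattern, and computes each attachment's SHA-256 so it can be looked up on VirusTotal. The .eml is constructed to mimic the campaign's headers; its attachment is an inert placeholder, not the campaign's script, and the extension list is an assumed heuristic.

```python
import email
import hashlib
import os
import re
from email import policy

# Constructed sample message: same sender/subject shape as the campaign,
# but the "invoice" attachment is an inert text placeholder (base64 of
# "// inert placeholder"), not the downloader script itself.
SAMPLE_EML = b"""\
From: Jose Soto <SotoJose85350@gd-avocat.ch>
To: victim@example.com
Subject: Your order #47994403 - Corresponding Invoice #7704B491
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Valued Customer,
please find the invoice enclosed.

--b1
Content-Type: application/octet-stream; name="invoice_7704B491.js"
Content-Disposition: attachment; filename="invoice_7704B491.js"
Content-Transfer-Encoding: base64

Ly8gaW5lcnQgcGxhY2Vob2xkZXI=
--b1--
"""

# Assumed heuristic: extensions that execute directly when double-clicked
# and are commonly abused as mail-borne downloaders.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
               ".exe", ".scr", ".cmd", ".bat"}

# Subject shape of this campaign; accepts a hyphen or an en dash.
SUBJECT_RE = re.compile(
    r"your order #\d+\s*[-\u2013]\s*corresponding invoice #[0-9a-f]+", re.I)


def triage(raw: bytes) -> dict:
    """Return a verdict dict for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    sender = str(msg.get("From", ""))

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        payload = part.get_payload(decode=True) or b""   # base64-decoded bytes
        attachments.append({
            "filename": name,
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),  # for a VT lookup
            "script_like": ext in SCRIPT_EXTS,
        })

    reasons = []
    if SUBJECT_RE.search(subject):
        reasons.append("subject matches order/invoice lure")
    if any(a["script_like"] for a in attachments):
        reasons.append("script-type attachment present")

    return {
        "sender": sender,
        "subject": subject,
        "attachments": attachments,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    verdict = triage(SAMPLE_EML)
    for a in verdict["attachments"]:
        print(a["filename"], a["size"], a["sha256"], "script" if a["script_like"] else "")
    print("suspicious:", verdict["suspicious"], verdict["reasons"])
```

Either signal alone is worth a quarantine: the subject pattern catches this campaign specifically, while the attachment-extension check catches the same downloader technique under any subject line.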
Update 09/12/2015 – 15:55:
The 360 kB executable is detected as Win-Trojan/Teslacrypt.Gen, HW32.Packed.323C, BehavesLike.Win32.Downloader.fh or QVM20.1.Malware.Gen by 4 of the 54 AV engines at VirusTotal.