MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Reference Number #10207614, Last Payment Notice” (numbers in the subject will vary).
This email is sent from the spoofed address “Raul Booth <BoothRaul64156@bulshit.org>” and is signed by Paul Booth from the company Foreman&Clark Ltd.
The email has the following body:
This e-mail is pursuant to your contract with Foreman&Clark Ltd. for our services date November 15, 2015 for the amount of $6,137.
Your failure to pay as per the December 1, 2015 invoice equals to the breach of our contract.
Please, acknowledge the receipt of this e-mail within three business days. Please, make your payment to the corresponding account, stated in the invoice attached no later than January 2, 2016.
In case you fail to respond to this e-mail we well be compelled to pursue all the necessary legal actions.
Thank you beforehand for your attention to this case.
Looking forward to hearing back from you.
256 Raccoon Run, Seattle,
The malicious script is known as JS/Downldr.CZ.gen.
At the time of writing, 3 of the 53 AV engines at VirusTotal detected the script.
In our sample, the script downloads the 336 kB file 80.exe from 126.96.36.199/80.exe?1.
The malware is known as Trojan.Win32.Swizzor.1!O, HEUR/QVM10.1.Malware.Gen or Mal/Wonton-BX.
At the time of writing, 3 of the 54 AV engines at VirusTotal detected the downloaded executable.
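As an added example (not code from MX Lab or from the write-up above), the following Python script turns the indicators reported on this page into a small mail and proxy-log triage routine: the subject pattern with a varying reference number, the spoofed sender domain, a script attachment, and the 80.exe download location. The attachment file name, the script extensions other than .js, and the proxy log format are assumptions; the sample message and log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the write-up. The reference number in the subject
# varies per message, so it is matched as a run of digits.
SUBJECT_RE = re.compile(r"^Reference Number #\d+, Last Payment Notice$")
SENDER_DOMAIN = "bulshit.org"
# Download location of 80.exe seen in the sample; the "?1" query string is
# left out of the pattern so a variant with a different query still matches.
DOWNLOAD_RE = re.compile(r"\b126\.96\.36\.199/80\.exe\b")
# Assumption: the page only says the attachment is a JScript downloader; the
# other extensions are common script-attachment variants, not from the page.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")


@dataclass
class Message:
    subject: str
    from_addr: str
    attachments: list  # attachment file names


def triage_message(msg):
    """Return the reasons a message should be quarantined, or [] if none apply."""
    reasons = []
    if SUBJECT_RE.match(msg.subject.strip()):
        reasons.append("subject matches 'Last Payment Notice' campaign")
    # Pull the domain out of a "Display Name <user@domain>" style header.
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.from_addr)
    if m and m.group(1).lower() == SENDER_DOMAIN:
        reasons.append(f"sender domain {SENDER_DOMAIN} seen in campaign")
    for name in msg.attachments:
        if name.lower().endswith(SCRIPT_EXTS):
            reasons.append(f"script attachment: {name}")
    return reasons


def scan_proxy_log(lines):
    """Return the proxy log lines that reference the 80.exe download location."""
    return [line for line in lines if DOWNLOAD_RE.search(line)]


# Constructed samples for the example (not real captures).
MALICIOUS = Message(
    subject="Reference Number #10207614, Last Payment Notice",
    from_addr="Raul Booth <BoothRaul64156@bulshit.org>",
    attachments=["invoice_10207614.js"],  # assumed file name
)
BENIGN = Message(
    subject="Re: meeting notes",
    from_addr="colleague@example.com",
    attachments=["notes.pdf"],
)
PROXY_LOG = [
    "2015-12-18 09:12:01 10.0.0.23 GET http://126.96.36.199/80.exe?1 200 344064",
    "2015-12-18 09:12:05 10.0.0.23 GET http://example.com/index.html 200 1204",
]

if __name__ == "__main__":
    print(triage_message(MALICIOUS))
    print(triage_message(BENIGN))
    print(scan_proxy_log(PROXY_LOG))
```

The subject and sender checks catch the lure at the mail gateway; the proxy-log scan is the second line, for hosts where the script already ran and fetched 80.exe. Because only 3 of 53 engines flagged the script when this was written, matching on these campaign indicators is worth more than relying on signature detection alone.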