MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invoice #62657921/58739D0D” (characters in the subject vary with each email).
This email is sent from the spoofed address “Franklin Goff <GoffFranklin0252@everythingcreativedesigns.com>” and has the following body:
Our finance department has processed your payment, unfortunately it has been declined.
Please, double check the information provided in the invoice down below and confirm your details.
Thank you for understanding.
The malware is detected as JS/Downldr.CZ.gen, JS/TrojanDownloader.Nemucod.CK, JS/Crypt.A!tr, BehavesLike.JS.ExploitBlacole.zv or Trojan.Script.Kryptik.dzcqji by 5 of the 54 AV engines at VirusTotal.
New malware is downloaded from hxxp://18.104.22.168/87.exe?1.
The downloaded executable 87.exe is 426 kB in size.
The executable is detected as UDS:DangerousObject.Multi.Generic, a variant of Win32/Injector.COFK, BehavesLike.Win32.PWSZbot.gc, PE:Trojan.Ransom-Tesla!1.A322 [F] or Trojan.Win32.R.Agent.425984.E[h] by 6 of the 55 AV engines at VirusTotal.
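As an added example (not part of the MX Lab notice), the following Python triage check flags a message that matches the campaign's subject pattern and body wording and carries a script attachment, and flags proxy-log URLs shaped like the observed download. The sample message, the attachment name and the script extension list are constructed assumptions; the notice does not name the attachment.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Constructed sample modelled on the campaign above (attachment name is an assumption).
SAMPLE_EMAIL = """From: Franklin Goff <GoffFranklin0252@everythingcreativedesigns.com>
Subject: Invoice #62657921/58739D0D
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Our finance department has processed your payment, unfortunately it has been declined.
Please, double check the information provided in the invoice down below and confirm your details.
Thank you for understanding.
--b1
Content-Type: application/octet-stream; name="invoice.js"
Content-Disposition: attachment; filename="invoice.js"

var x = 1;
--b1--
"""

# Subject is "Invoice #<digits>/<8 hex chars>", with the characters varying per email.
SUBJECT_RE = re.compile(r"^Invoice #\d+/[0-9A-F]{8}$")
BODY_PHRASES = ("processed your payment", "it has been declined", "confirm your details")
# Assumed script-attachment extensions; the notice only shows JS/* detection names.
SCRIPT_EXT_RE = re.compile(r"\.(js|jse|wsf|vbs)$", re.I)
# Download URL shape seen in the notice: /<digits>.exe?<digits>; accepts defanged hxxp.
PAYLOAD_URL_RE = re.compile(r"^h(?:tt|xx)ps?://[^/\s]+/\d+\.exe\?\d+$", re.I)

def score_message(raw):
    """Return the list of campaign indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    if SUBJECT_RE.match(subject):
        hits.append("subject-pattern")
    body = ""
    for part in msg.walk():
        fname = part.get_filename()
        if fname and SCRIPT_EXT_RE.search(fname):
            hits.append("script-attachment")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    if sum(p in body for p in BODY_PHRASES) >= 2:
        hits.append("body-phrases")
    return hits

def is_payload_url(url):
    """True when a proxy-log URL matches the observed downloader fetch pattern."""
    return bool(PAYLOAD_URL_RE.match(url.strip()))
```

Feed each inbound message to score_message and quarantine on two or more hits; is_payload_url can be run over outbound proxy logs to spot the second-stage fetch.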