MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invoice, Ref. 23128906” (the number will vary with each email).
This email is sent from spoofed addresses and has the following body:
Dear Valued Customer,
We are very grateful for your purchase. The specified sum of $353,89 was paid and now your order is being processed by our company.
Delivery information and the invoice can be found in the attached file.
The attached file Invoice_ref-71034591.zip contains the 8 kB file invoice_copy_nCQFPQ.js. Note that the filenames will vary with each email.
The malware is detected as JS/Downloader.Agent, HEUR:Trojan-Downloader.Script.Generic or HEUR_HTJS.HDJSFN by 3 of the 56 AV engines at VirusTotal.
The trojan will be downloaded from the location:
The malware is detected as Backdoor.W32.Androm or QVM41.1.Malware.Gen by 2 of the 54 AV engines at VirusTotal.
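Because the subject number and filenames change with each email and AV coverage is low, a structural check at the mail gateway is more durable than matching names: flag any ZIP attachment that carries a script file. The following is an added example, not code from MX Lab; the function names and the extension list are assumptions, and the sample message is constructed with an inert placeholder in place of the script.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs as scripts on double-click (assumed list, extend locally).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
# Subject shape reported on the page; the number varies per email.
SUBJECT_RE = re.compile(r"^Invoice, Ref\. \d+$")

def script_members(zip_bytes):
    """Return script file names inside a ZIP, or None if it cannot be parsed."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return None

def inspect_message(raw):
    """Return a list of findings for one raw RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    if SUBJECT_RE.match(str(msg.get("Subject", "")).strip()):
        findings.append("subject matches campaign pattern")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            members = script_members(part.get_payload(decode=True))
            if members is None:
                findings.append(f"{name}: unreadable ZIP, hold for review")
            findings += [f"{name}: contains script {m}" for m in members or []]
    return findings

def build_sample():
    """Constructed sample message; the .js member is an inert placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_copy_nCQFPQ.js", "// inert placeholder\n")
    msg = EmailMessage()
    msg["Subject"] = "Invoice, Ref. 23128906"
    msg.set_content("Dear Valued Customer, ...")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Invoice_ref-71034591.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print("\n".join(inspect_message(build_sample())))
```

The archive check reads only the ZIP central directory, so it never extracts or executes the member, and it still lists names when the archive is password-protected.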