March 7, 2016
MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Order Confirmation – Payment Successful, Ref. 42400838”.
This email is sent from spoofed addresses and has the following body:
Thank you for your transaction of $295,75. The shipping time varies from 3 to 5 business days, however we will do our best so you can receive your order as soon as possible.
We will send all the information regarding this case to your local post office. They will contact the phone number you provided when the package arrives.
Double check please the document enclosed to this email.
Thank you for your order and we hope to see you again as our customer.
97 N Forks Ave,
Forks, WA 26695
The attached file Invoice_ref-97471524.zip contains the 4 kB file invoice_copy_LcMegn.js.
The reference number in the email, the file names and the person's name in the signature change with each email.
The malware is detected as JS/Downloader.Agent, HEUR.JS.Trojan.b or Win32.Trojan.Raas.Auto by 3 of the 55 AV engines at VirusTotal.
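As an added example (not from the MX Lab post), a Python mail-filter check that flags messages fitting this campaign's profile: the subject template with a variable reference number, the Invoice_ref-<digits>.zip attachment name, and a ZIP whose members include a script file. The regexes, the script-extension list and the sample ZIP are assumptions constructed here, not indicators taken from the campaign.

```python
import io
import re
import zipfile

# Constructed patterns modelled on the campaign described above (assumption: a hypothetical filter rule).
# The subject separator is accepted as either an en-dash or a plain hyphen.
SUBJECT_RE = re.compile(r"^Order Confirmation [\u2013-] Payment Successful, Ref\. \d+$")
ZIP_NAME_RE = re.compile(r"^Invoice_ref-\d+\.zip$", re.IGNORECASE)
# Assumption: script extensions commonly used by mail-borne downloaders.
SCRIPT_EXT = (".js", ".jse", ".wsf", ".vbs")


def script_members(zip_bytes):
    """Return the names of script files inside a ZIP given as bytes (empty list if not a valid ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXT)]
    except zipfile.BadZipFile:
        return []


def classify(subject, attachment_name, attachment_bytes):
    """Return the list of reasons a message matches the campaign profile; an empty list means no match."""
    reasons = []
    if SUBJECT_RE.match(subject):
        reasons.append("subject matches campaign template")
    if ZIP_NAME_RE.match(attachment_name):
        reasons.append("attachment name matches Invoice_ref-<digits>.zip")
    scripts = script_members(attachment_bytes)
    if scripts:
        reasons.append("zip contains script file(s): " + ", ".join(scripts))
    return reasons


def build_sample_zip(member_name, content=b"// constructed placeholder, not the real downloader\n"):
    """Build an in-memory ZIP holding one member, so the check can be run offline on constructed input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip("invoice_copy_LcMegn.js")
    for reason in classify("Order Confirmation \u2013 Payment Successful, Ref. 42400838",
                           "Invoice_ref-97471524.zip", sample):
        print(reason)
```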