MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “FW: Payment ACCEPTED M-395526”.
This email is send from the spoofed addresses and has the following body:
Please check the payment confirmation attached to this email.
The Transaction should appear on your bank in 2 days.
The attached file payment_document_395526.zip contains the 20 kB large folder payment_document_395526 with the following files inside:
The file document_1af115f7.js is detected as HEUR.JS.Trojan.b or JS/Downloader.gen.bi by 3 of the 54 AV engines at Virus Total.
The file payment_details_7fa41c.js is detected as HEUR.JS.Trojan.b or JS/Downloader.gen.bi by 3 of the 57 AV engines at Virus Total.
Note: numbers in the subject and filenames may change with each email.