MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Incoming Transaction Declined ID: 92002325”.
This email is sent from spoofed addresses and has the following body:
Sender’s Details: 92002325
ACH Routing / Transit Number: 221323588
The incoming transaction (ID:92002325) has been declined by your bank.
Please, do no reply to this e-mail. See attachment for a detailed report.
The attached file money_92002325.zip contains the 8 kB file details_mTvxQh.js.
The malware is detected as HEUR.JS.Trojan.b, JS:Exploit.JS.Agent.JL (B), JS/Agent.TU!Eldorado, Win32.Outbreak, or Js.Trojan.Raas.Auto by 6 of the 57 AV engines at VirusTotal.
The payload is downloaded from:
The downloaded payload is detected as Ransomware-FGN!57117A0BD632 by 3 of the 55 AV engines at VirusTotal.
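With only 6 of 57 engines flagging the script, a structural check at the mail gateway (a script file inside a zip attachment) is more dependable than signatures. The following is an added example, not MX Lab's code: it inspects a raw message for the campaign's subject pattern and for script files in zip attachments. The extension list is an assumption, and the sample message is constructed with a harmless placeholder script.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject pattern from the campaign described above; the ID digits vary per message.
SUBJECT_RE = re.compile(r"Incoming Transaction Declined ID:\s*\d+", re.I)
# Script extensions that Windows Script Host runs on double-click (assumed list).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")

def script_members(zip_bytes):
    """Return names of script files inside a zip archive, or [] if unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []

def inspect_message(raw):
    """Report a subject match and any script files found in zip attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {"subject_match": bool(SUBJECT_RE.search(msg["Subject"] or "")),
                "scripts_in_zip": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        # Check by name and by magic bytes, since the extension can be changed.
        if name.endswith(".zip") or data[:4] == b"PK\x03\x04":
            findings["scripts_in_zip"] += script_members(data)
    # The subject is a weak signal on its own; the zipped script drives the verdict.
    findings["quarantine"] = bool(findings["scripts_in_zip"])
    return findings

def build_sample():
    """Constructed sample: same subject and file names, harmless placeholder script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details_mTvxQh.js", "// placeholder, not the real sample\n")
    msg = EmailMessage()
    msg["Subject"] = "Incoming Transaction Declined ID: 92002325"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("See attachment for a detailed report.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="money_92002325.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_sample()))
```

Archive member names are readable even when a zip is password-protected, so the name check still works on encrypted attachments.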