MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “FW: Order Status #240152”.
This email is sent from spoofed addresses and has the following body:
We would like to thank you for your recent order.
Order Status updated on: 21/03/2016
Your Customer ID: 240152
Your Order ID: 653D7CAE43-M-2016
Invoice Number: 4329448
We received your order and payment on 17/03/2016
Your order details are attached.
Regional Sales Director
The attached file order_details_240152.zip contains the xx kB folder order_details_240152 with the following files (click on the link for more details at Virus Total):
The file confirmation_d0987707.js (see Malwr for more information) contains the script that downloads further malware onto the local system:
The downloaded file is served as plain text, but once the .exe extension is added to it, it becomes clear that this is a trojan.
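The two defender-side checks this campaign calls for are listing Windows script files inside an attached zip (here confirmation_d0987707.js inside the order_details_240152 folder) and recognising a downloaded "text" file as a PE executable regardless of its extension. The following Python is an added example and not code from MX Lab or from the sample; the zip archive and the minimal PE header it builds are constructed stand-ins, the real downloader script is not reproduced, and the file names are taken from the page.

```python
import io
import os
import struct
import zipfile

# Extensions the Windows Script Host or shell will execute on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1"}


def risky_members(zip_bytes: bytes) -> list:
    """Return archive members whose final extension is a script type.

    os.path.splitext keeps only the last extension, so a double extension
    such as invoice.pdf.js is still reported as .js.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename.lower())[1]
            if ext in SCRIPT_EXTENSIONS:
                found.append(info.filename)
    return found


def looks_like_pe(data: bytes) -> bool:
    """True if data carries an MZ header whose e_lfanew points at a 'PE\\0\\0' signature.

    This is the check that matters for a payload served as text: the content
    decides, not the name or the Content-Type the server sent.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample_zip() -> bytes:
    """Constructed archive mirroring the attachment layout from the page (placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("order_details_240152/confirmation_d0987707.js",
                    "// constructed placeholder, not the real downloader\n")
        zf.writestr("order_details_240152/readme.txt", "plain text\n")
    return buf.getvalue()


def build_fake_pe() -> bytes:
    """Constructed minimal DOS header with e_lfanew = 0x40 followed by the PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    print("script members:", risky_members(build_sample_zip()))
    print("fake PE looks like PE:", looks_like_pe(build_fake_pe()))
    print("plain text looks like PE:", looks_like_pe(b"just some text"))
```

On a mail gateway the first function runs over each zip attachment before delivery; the second runs over whatever a sandboxed execution of the script fetches, so the payload is classified by its header rather than by the extension the downloader chose.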
The malware is detected as Win32.Trojan.WisdomEyes.151026.9950.9955, QVM20.1.Malware.Gen or PE:Malware.XPACK-HIE/Heur!1.9C48 [F] by 3 of the 56 AV engines at Virus Total.