New JavaScript malware: FW: Overdue Incoices


MX Lab, http://www.mxlab.eu, has started to intercept a new malware distribution campaign by email with the subject “FW: Overdue Incoices”.

The email is sent from spoofed sender addresses and has one of the following bodies (the recipient name and the signature vary per message):

Dear les,

Please find attached copy updated statement as your account has 3 overdue incoices.
Is there any reasons why they haven’t yet been paid?

Best Wishes,
Madelyn Battle
Chief Technology Officer

Dear f4df8ad61eb63ca,

Please find attached copy updated statement as your account has 3 overdue incoices.
Is there any reasons why they haven’t yet been paid?

Best Wishes,
Debora Santos
Head of Corporate Relations

The attached file les_invoices_567347.zip contains the following files:

0Xb.files
SCN372153.txt.js
SCN2466140.txt – copy.js
SCN2466140.txt.js
u228.fil
wV18.file

The names of the ZIP archive and of the extracted files change with each email, so the JavaScript (.txt.js) files cannot be blocked by exact filename. Note the double extension: on a default Windows installation, which hides known extensions, the file is shown as “SCN372153.txt” while a double click runs it with the Windows Script Host.
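Because the archive and member names rotate, a mail-gateway check has to key on the pattern rather than on the specific names. The script below is an added example and is not MX Lab's own tooling: it builds an in-memory ZIP with the member names listed above (contents are placeholders, not the real samples), then flags any member whose final extension is executed by the Windows Script Host or the shell, and separately marks the “.txt.js”-style double-extension trick. The extension list and the verdict labels are the example's own choices.

```python
import io
import zipfile
from typing import Dict, List, Optional, Tuple

# Extensions that Windows runs directly on double-click (example's own list;
# extend it to match your gateway policy).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".cmd", ".bat", ".scr", ".ps1"}

# Member names as observed in the "FW: Overdue Incoices" archive described
# in the post. The real archive and member names change per email.
SAMPLE_MEMBERS = [
    "0Xb.files",
    "SCN372153.txt.js",
    "SCN2466140.txt – copy.js",
    "SCN2466140.txt.js",
    "u228.fil",
    "wV18.file",
]


def build_sample_zip(members: List[str] = SAMPLE_MEMBERS) -> bytes:
    """Constructed test archive: same member names, placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, "placeholder\n")
    return buf.getvalue()


def classify_member(name: str) -> Optional[str]:
    """Return a verdict for one archive member name, or None if it looks benign.

    'double-extension script': e.g. invoice.txt.js, where a hidden final
    extension makes the file look like a text document.
    'script': a plain script file such as run.js.
    """
    base = name.lower().rsplit("/", 1)[-1]     # strip any directory part
    parts = base.split(".")
    if len(parts) < 2:
        return None                            # no extension at all
    final = "." + parts[-1]
    if final not in SCRIPT_EXTENSIONS:
        return None
    return "double-extension script" if len(parts) >= 3 else "script"


def triage_zip(data: bytes) -> Dict[str, object]:
    """Inspect the member list of a ZIP attachment without extracting it.

    Returns the member count, the flagged (name, verdict) pairs, and a
    block decision that is True when any script member is present.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()

    findings: List[Tuple[str, str]] = []
    for name in names:
        verdict = classify_member(name)
        if verdict is not None:
            findings.append((name, verdict))

    return {"members": len(names), "findings": findings, "block": bool(findings)}


if __name__ == "__main__":
    result = triage_zip(build_sample_zip())
    for name, verdict in result["findings"]:
        print(f"{verdict:25s} {name}")
    print("block attachment:", result["block"])
```

Only the member names are read, so the check is cheap enough to run on every inbound archive; the three .js members are flagged, while the .files/.fil/.file companions, whose role the samples do not reveal, are left for the sandbox analysis.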

Only the JavaScript files are detected, and only by 2 of 58 AV engines at VirusTotal. VirusTotal reports for the files: 1 | 2 | 3 | 4 | 5. Malwr sandbox analyses for the files: SCN372153.txt.js | SCN2466140.txt – copy.js.

When run, the script downloads additional malware from: hxxp://www.cloudfire.pt/l3iska

That downloaded malware is detected by 6 of 58 AV engines at VirusTotal, and its analysis is available on Malwr.