MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Additional Information Needed #*****” (with different numbers).
This email is sent from spoofed addresses and has the following body:
We kindly ask you to provide us additional information regarding your case.
Please find the form attached down below.
The attached file is a ZIP archive whose name contains parts of the recipient's email address in combination with words like “copy” or “invoices” plus a random number.
These unzip into a folder called “letter” to give a .js file beginning with “letter_” and a .wrn file which also appears to be a script but which won’t run by default.
The malware is detected by 1/56 AV engines at VirusTotal.
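A mail-gateway style check built from the attachment layout described above, as an added example that is not MX Lab's code: it flags a ZIP holding a “letter” folder with a `letter_*.js` file and a `.wrn` file. The function names, the reading of “parts of the email address”, and the sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

LURE_WORDS = ("copy", "invoices")  # words the page names; the campaign may use others

def name_matches(filename, recipient):
    """Attachment name = part of recipient address + lure word + number."""
    name = filename.lower()
    local, _, domain = recipient.lower().partition("@")
    # Assumption: "parts" means a local-part token or a non-TLD domain label.
    parts = re.split(r"[._+\-]", local) + domain.split(".")[:-1]
    has_part = any(len(p) >= 3 and p in name for p in parts)
    return has_part and any(w in name for w in LURE_WORDS) and bool(re.search(r"\d", name))

def archive_traits(zip_bytes):
    """Return which of the described members the archive holds: 'js', 'wrn'."""
    traits = set()
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            members = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return traits
    for member in members:
        path = PurePosixPath(member.replace("\\", "/").lower())
        if "letter" not in path.parts[:-1]:
            continue  # only files under a "letter" folder are of interest
        if path.suffix == ".js" and path.name.startswith("letter_"):
            traits.add("js")
        elif path.suffix == ".wrn":
            traits.add("wrn")
    return traits

def should_quarantine(filename, zip_bytes, recipient):
    """Quarantine on the script member alone; the name check is only a weak signal."""
    traits = archive_traits(zip_bytes)
    return "js" in traits or (name_matches(filename, recipient) and "wrn" in traits)

def build_zip(entries):
    """Build an in-memory ZIP from {member_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, data in entries.items():
            zf.writestr(member, data)
    return buf.getvalue()

# Constructed samples: harmless placeholder content, names follow the described layout.
SAMPLE = build_zip({"letter/letter_0000.js": b"// placeholder", "letter/0000.wrn": b"// placeholder"})
BENIGN = build_zip({"holiday/beach.txt": b"placeholder"})
```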
Additional malware/ransomware can be downloaded from the following locations: