MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “payment confirmation”.
This email is sent from spoofed addresses and has the following body:
Many thanks for your card payment. Please find payment confirmation attached below.
Should you have any queries, please do not hesitate to contact Credit Control Team.
VP Finance & Controller
The attached file is this time a RAR archive whose name contains parts of the recipient's email address in combination with words like “payment” plus a random number. Once extracted a folder with the file 556f0b08.js an F.
This campaign is currently very prominent in our global logs at MX Lab and has the same characteristics as the campaign “recent bill” and “Additional information needed”. Sources indicate that this ransomware is Locky.
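The traits described above (the subject line, a RAR attachment, and an attachment name built from parts of the recipient's address plus a word like “payment” and a number) can be checked on inbound mail. The following Python is an added example, not MX Lab's code: the function names, the trait labels, the 3-character token threshold and every value passed to `build_sample` are assumptions made for illustration. It inspects headers and the attachment's leading bytes only and does not open the archive.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

RAR_MAGIC = b"Rar!\x1a\x07"   # shared prefix of the RAR 4.x and 5.x signatures
KEYWORDS = ("payment",)        # the post says "words like payment"; extend locally

def recipient_tokens(msg):
    """Fragments (3+ chars) of each recipient's local part and domain labels."""
    tokens = set()
    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        local, _, domain = addr.lower().rpartition("@")
        parts = re.split(r"[^a-z0-9]+", local) + domain.split(".")[:-1]
        tokens.update(p for p in parts if len(p) >= 3)
    return tokens

def campaign_indicators(raw):
    """Return the list of campaign traits found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    hits = []
    if "payment confirmation" in (msg.get("Subject") or "").lower():
        hits.append("subject")
    tokens = recipient_tokens(msg)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""
        # Accept either the extension or the magic bytes, so a renamed RAR still counts.
        if not (name.endswith(".rar") or data.startswith(RAR_MAGIC)):
            continue
        hits.append("rar_attachment")
        stem = name.rsplit(".", 1)[0]
        if any(k in stem for k in KEYWORDS) and re.search(r"\d", stem):
            hits.append("keyword_plus_number")
        if any(t in stem for t in tokens):
            hits.append("recipient_in_filename")
    return hits

def build_sample(subject, to, filename, data):
    """Constructed test message; every value passed in is made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "billing@sender.example", to, subject
    m.set_content("Many thanks for your card payment.")
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_string()
```

No single trait is conclusive on its own; the recipient-derived attachment name combined with a RAR attachment is the most specific pairing to alert on.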