MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Re:”.
This email is sent from spoofed addresses and has the following body:
Good evening Harris,
As promised, I have attached the spreadsheet contains last 50 transaction and your account actual balance.
The attached file details_xls_A72.zip contains the folder details_xls_A72 with the following files:
transactions 29871684 – copy.js
transactions 29871684 – copy (2).js
The malware is detected by 10/55 AV engines at VirusTotal.
Note that the filenames of the ZIP archive, the extracted folder and the decompressed files may vary with each email.
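Because the names change with every email, a gateway check has to key on the attachment's structure (a ZIP that carries script files) rather than on filenames. The following is an added example, not code from MX Lab: the extension list beyond .js, the function names and the sample message are assumptions constructed for illustration, and the sample files hold only a harmless placeholder.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumption: script extensions treated as suspicious inside an archive.
# The page only reports .js; the others are added here for generality.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf")


def script_entries(zip_bytes):
    """Return names of script files found inside a ZIP archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [i.filename for i in zf.infolist()
                    if not i.is_dir() and i.filename.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []


def scan_message(raw):
    """Map each ZIP attachment name to the script files it contains."""
    findings = {}
    msg = message_from_bytes(raw)
    for part in msg.walk():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        # Identify ZIPs by magic bytes, since names and MIME types vary.
        if payload and payload[:4] == b"PK\x03\x04":
            hits = script_entries(payload)
            if hits:
                findings[name] = hits
    return findings


def build_sample():
    """Constructed sample mirroring the layout described above (harmless content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details_xls_A72/transactions 29871684 - copy.js", "// placeholder")
        zf.writestr("details_xls_A72/transactions 29871684 - copy (2).js", "// placeholder")
    msg = EmailMessage()
    msg["Subject"] = "Re:"
    msg.set_content("constructed test message")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="details_xls_A72.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```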