MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Invitation letter”.
This email is sent from the spoofed address “xxxxx ” and has the following body:
In the attached file you find the requested invitation letter.
If you have any questions, please do not hesitate to contact me.
The attached file invitation_c0e2ffb3a.zip contains the file employees -8569-.js.
The malware is detected by 10/57 AV engines at VirusTotal. Malwr analysis shows that additional malware in the form of a binary file c9ertm7m is downloaded from the location hxxp://nalvazhvagam.com/c9ertm7m. Adding the file extension .exe to the file makes it complete.
Note that the names in the email, and the file names of the ZIP archive and of the extracted and downloaded files, will change with each email.