New JavaScript malware in ZIP archive by email message with subject “Re:”


MX Lab, http://www.mxlab.eu, has started intercepting a large new malware distribution campaign delivered by email with the subject “Re:”.

The email is sent from spoofed addresses and has the following body:

Dear carlasvhue:

Please find attached our invoice for services rendered and additional disbursements in the above-mentioned matter.

Hoping the above to your satisfaction, we remain.

Sincerely,
Lynnette Fernandez
Executive Director Finance & Information Systems

The attached file services_carlasvhue_451648.zip (format name_recipient_numbers.zip) contains the file addition-029.js (format addition_number.js). This file contains obfuscated JavaScript.

The malware is detected as Js.Trojan.Raas.Auto or virus.js.gen.85 by 2/55 AV engines at VirusTotal.
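With only 2 of 55 engines detecting the script, the attachment layout described above is a more dependable filter signal. The following mail-gateway check is an added example, not MX Lab's own tooling: it flags a bare “Re:” subject, a ZIP name that embeds the recipient's local part, and a .js member inside the archive. The regular expressions, the finding labels, the example.com address and the placeholder script are constructed assumptions based on the single sample shown here.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Name layouts taken from the sample on this page; accepting "-" or "_" before
# the number in the .js name is an assumption (the page shows both).
ZIP_RE = re.compile(r"^[a-z]+_(?P<rcpt>[^_]+)_\d+\.zip$", re.I)
JS_RE = re.compile(r"^[a-z]+[-_]\d+\.js$", re.I)

def scan_message(raw: bytes) -> list[str]:
    """Return the campaign traits found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    to = msg["To"]
    rcpt = to.addresses[0].username.lower() if to and to.addresses else ""
    hits = []
    if (msg["Subject"] or "").strip().lower() == "re:":
        hits.append("bare-re-subject")
    for part in msg.walk():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        m = ZIP_RE.match(name)
        if m and rcpt and m.group("rcpt").lower() == rcpt:
            hits.append("zip-name-embeds-recipient")
        try:  # list member names only; nothing is extracted or executed
            members = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))).namelist()
        except zipfile.BadZipFile:
            hits.append("unreadable-zip")
            continue
        for member in members:
            base = member.rsplit("/", 1)[-1]
            if base.lower().endswith(".js"):
                hits.append("js-in-zip")
                if JS_RE.match(base):
                    hits.append("js-name-matches-campaign")
    return hits

def build_sample(js_name="addition-029.js") -> bytes:
    """Constructed test message: harmless placeholder script, names from the page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(js_name, "// constructed placeholder, not the real script\n")
    msg = EmailMessage()
    msg["To"], msg["Subject"] = "carlasvhue@example.com", "Re:"
    msg.set_content("Please find attached our invoice ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="services_carlasvhue_451648.zip")
    return msg.as_bytes()
```

A script file inside a ZIP attachment is worth quarantining on its own; the name-based findings only help attribute a message to this campaign and will miss variants that change the naming.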