MX Lab, http://www.mxlab.eu, started to intercept a new malware distribution campaign by email with the subject “Voice Message from Outside Caller (2m 31s)”.
This email is sent from the spoofed address “Peach Telecom <email@example.com>” and has the following body:
Voice Message Arrived on Friday, Aug 26 @ 8:50 AM
Name: Outside Caller
Duration: 2m 31s
*****.BE SV9100 InMail
In each email, the duration changes, and the recipient's domain is included at the end of the message.
The attached file Outside Caller 08-26-2016 784036b.zip contains the file 08-26-2016 69tthi05.wsf which is a Windows Script File. Filenames of the ZIP archive and extracted WSF will change with each email as well.
The malware is detected by 9/56 AV engines at VirusTotal. Malwr analysis shows that more malware will be downloaded from hxxp://digho.web.fc2.com/nb20gjBV?jNpfJetYR=wCNyEp. Other URLs may be used in different variants.
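Because the filenames and the download URL change between variants, a mail-gateway check is more durable when it keys on the structure described above: the subject shape and a ZIP attachment carrying a Windows Script File. The sketch below is an added example, not MX Lab's code; the function names, the script extensions other than .wsf, and the sample message are assumptions constructed for illustration.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject shape from the campaign; the duration differs in each message.
SUBJECT_RE = re.compile(r"Voice Message from Outside Caller \(\d+m \d+s\)")
# .wsf is the type seen here; the other Windows Script Host types are an assumption.
SCRIPT_EXTS = (".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh")

def scan_message(raw: bytes) -> dict:
    """Return the campaign indicators found in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject_match": bool(SUBJECT_RE.search(msg["Subject"] or "")),
            "script_members": [], "unreadable_archives": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Accept by extension or by ZIP magic bytes, since names are attacker-chosen.
        if not name.lower().endswith(".zip") and not data.startswith(b"PK"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(SCRIPT_EXTS):
                        hits["script_members"].append((name, member))
        except zipfile.BadZipFile:
            hits["unreadable_archives"].append(name)
    # The archive content, not the subject, drives the quarantine decision.
    hits["quarantine"] = bool(hits["script_members"])
    return hits

def build_sample() -> bytes:
    """Constructed sample: the .wsf member holds harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("08-26-2016 69tthi05.wsf", "<job><!-- placeholder --></job>")
    msg = EmailMessage()
    msg["From"] = "Peach Telecom <email@example.com>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Voice Message from Outside Caller (2m 31s)"
    msg.set_content("Voice Message Arrived on Friday, Aug 26 @ 8:50 AM")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Outside Caller 08-26-2016 784036b.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Archives nested inside the ZIP are not unpacked here; a production filter would recurse with a depth limit.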