Tuesday, 16 September 2014
"inovice 0293991 September" spam
inovice 8958508 September
inovice 7682161 September
inovice 4868431 September
inovice 0293991 September
This email contains an invoice file attachment
The name of the attachment varies, but is in the format invoice_8958508.arj, which contains a malicious executable, invoice_38898221_spt.exe, with a VirusTotal detection rate of just 3/54. The ThreatTrack report [pdf] and Anubis report show a series of DGA domains [pastebin] that are characteristic of Zbot, although none of these domains are currently resolving.
If your organisation can block .arj files at the mail perimeter then it is probably a good idea to do so.
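One way to implement that perimeter check, as an added example that is not part of the original post: it flags attachments by ARJ header bytes as well as by extension, so a renamed archive is still caught. The function names and the sample messages are constructed for illustration; the header ID (0x60 0xEA) and the 2600-byte limit on the basic header size come from the ARJ format.

```python
import email
import struct
from email import policy
from email.message import EmailMessage

ARJ_MAGIC = b"\x60\xea"       # ARJ header ID
ARJ_MAX_BASIC_HEADER = 2600   # largest basic header size the format allows


def looks_like_arj(data: bytes) -> bool:
    """True if data starts with a plausible ARJ main header."""
    if len(data) < 4 or data[:2] != ARJ_MAGIC:
        return False
    (basic_header_size,) = struct.unpack_from("<H", data, 2)
    return 0 < basic_header_size <= ARJ_MAX_BASIC_HEADER


def arj_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for every MIME part that should be blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if looks_like_arj(payload):
            hits.append((name, "content"))    # caught even if renamed
        elif name.lower().endswith(".arj"):
            hits.append((name, "extension"))
    return hits


def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message; the payload is a harmless stub."""
    msg = EmailMessage()
    msg["Subject"] = "inovice 8958508 September"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("This email contains an invoice file attachment")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

The same logic can sit in a milter or content-filter hook that quarantines any message for which `arj_attachments` returns a non-empty list.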