
Tuesday, 16 September 2014

"inovice 0293991 September" spam

This spam mis-spells "invoice" in the subject line, and has an .arj file attached that contains a malicious binary.

Example subjects:
inovice 8958508 September
inovice 7682161 September
inovice 4868431 September
inovice 0293991 September

Body text:
This email contains an invoice file attachment

The name of the attachment varies, but is in the format invoice_8958508.arj, which contains a malicious executable invoice_38898221_spt.exe that has a VirusTotal detection rate of just 3/54. The ThreatTrack report [pdf] and Anubis report show a series of DGA domains [pastebin] that are characteristic of Zbot, although none of these domains are currently resolving.

If your organisation can block .arj files at the mail perimeter then it is probably a good idea to do so.
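
One way to express that perimeter check, as an added example that is not part of the original post: it flags any MIME part with an .arj filename and, going slightly beyond extension matching, any part whose content starts with the ARJ header bytes 60 EA, plus the mis-spelled subject pattern listed above. The function names, reason strings and sample messages are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

ARJ_MAGIC = b"\x60\xea"  # ARJ header id 0xEA60, stored little-endian
# Pattern derived from the example subjects listed in this post.
SUBJECT_RE = re.compile(r"^inovice \d+ September$", re.IGNORECASE)

def check_message(raw: bytes) -> list[str]:
    """Return the reasons (possibly none) for holding this message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():            # walk() also reaches nested parts
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".arj"):
            reasons.append(f"{name}: .arj extension")
        elif data.startswith(ARJ_MAGIC):
            # Catches an ARJ archive sent under a different extension.
            reasons.append(f"{name or '<unnamed>'}: ARJ magic bytes")
    if SUBJECT_RE.match(str(msg["Subject"] or "").strip()):
        reasons.append("subject matches 'inovice <number> September'")
    return reasons

def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Construct a test message; addresses and payloads are made up."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("This email contains an invoice file attachment")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    fake_arj = ARJ_MAGIC + b"\x00" * 32   # constructed header stub, not a real archive
    samples = [
        build_sample("inovice 8958508 September", "invoice_8958508.arj", fake_arj),
        build_sample("Hello", "report.dat", fake_arj),
        build_sample("Meeting notes", "notes.txt", b"plain text"),
    ]
    for raw in samples:
        print(check_message(raw) or "accept")
```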
