Until recently these have been used to target specific “high value” individuals and industries, primarily in the USA and South Korea. Now they seem to be malspammed in a scatter-gun approach and sent to anybody and everybody.
They are still very badly detected: a large number of antivirus and next-gen anti-malware programs only flag them with basic generic detections.
They use a wide variety of subjects and lures, but basically keep to the format of invoices or quotations. The attachments to the emails (so far) are all zips with a fake PDF inside, named something like “P.I #099880990 pdf.exe” with a double extension.
A couple of recent emails delivering this malware look like these. They are all non-specific, but just about generic enough to be believable to a small company or busy accounts office receiving them.
The fake PDF tries to contact various sites to either download more malware or post stolen information. So far all sites are giving me 404 unavailable. That might be because I have an IP in a non-approved range, or the sites could genuinely have cleaned up before I saw the emails and started to investigate.
Today’s version: VirusTotal | Hybrid Analysis | Anyrun Beta | Tries to contact these 3 sites (none of which are responding). I have to munge URLs in these reports because some badly configured spam and malware filters are parsing plain text in these reports and creating links from them, then adding me to blacklists as a phishing, malware or botnet infected site.
As you can see from all these links, each is either a compromised or a recently set-up domain, followed by /na/?id=<long string>.
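The two indicators this post gives a defender to work with are the zipped double-extension lure (a name like “P.I #099880990 pdf.exe”) and the callback path /na/?id=<long string>. The script below is an added example, not code from the original post: it inspects a zip attachment for members whose real extension is executable while the token before it reads as a document type, and it filters constructed proxy-log lines for URLs matching the /na/?id= shape. The extension lists, the 20-character minimum for the id value, and the sample zip and log lines are my own assumptions and constructed data, not values from the post.

```python
import io
import re
import zipfile
from urllib.parse import parse_qs, urlparse

# Assumed list: extensions Windows will execute no matter what precedes them.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".wsf", ".hta"}
# Assumed list: document-looking tokens used as the decoy "first" extension.
DOCUMENT_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt"}


def classify_attachment_name(name):
    """Return the reasons a zip member name looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    stem, dot, ext = base.rpartition(".")
    ext = "." + ext if dot else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        # "P.I #099880990 pdf.exe": the token just before the real extension
        # is a document type, separated by a space instead of a dot.
        tokens = re.split(r"[.\s_-]+", stem)
        if tokens and tokens[-1] in DOCUMENT_TOKENS:
            reasons.append(f"document-style decoy '{tokens[-1]}' before real extension")
    return reasons


def scan_zip_attachment(zip_bytes):
    """Inspect every member of a zip attachment (bytes, not extracted to disk)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_attachment_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def matches_callback_pattern(url, min_id_length=20):
    """True when the URL has the <domain>/na/?id=<long string> shape from the post.
    min_id_length is an assumed threshold to skip short, benign-looking ids."""
    parsed = urlparse(url)
    if parsed.path.rstrip("/") != "/na":
        return False
    ids = parse_qs(parsed.query).get("id", [])
    return any(len(value) >= min_id_length for value in ids)


URL_RE = re.compile(r"https?://\S+")


def find_callback_urls(log_lines):
    """Return the URLs in the given log lines that match the callback pattern."""
    hits = []
    for line in log_lines:
        for url in URL_RE.findall(line):
            if matches_callback_pattern(url):
                hits.append(url)
    return hits


def build_sample_zip():
    """Constructed sample: a zip with the lure name quoted in the post plus a benign file.
    The 'executable' content is a placeholder string, not a real binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("P.I #099880990 pdf.exe", b"MZ placeholder - not a real executable")
        zf.writestr("README.txt", b"harmless text")
    return buf.getvalue()


# Constructed proxy-log lines; the domains are placeholders, not real indicators.
SAMPLE_LOG_LINES = [
    "2017-11-20 09:12:01 10.0.0.5 GET http://compromised-site.example/na/?id=" + "a" * 48,
    "2017-11-20 09:12:02 10.0.0.5 GET http://cdn.example/static/app.js",
    "2017-11-20 09:12:03 10.0.0.7 GET http://newly-registered.example/na/?id=" + "b" * 32,
    "2017-11-20 09:12:04 10.0.0.7 GET http://intranet.example/na/?id=42",
]


if __name__ == "__main__":
    for member, reasons in scan_zip_attachment(build_sample_zip()).items():
        print(f"SUSPICIOUS {member!r}: {'; '.join(reasons)}")
    for url in find_callback_urls(SAMPLE_LOG_LINES):
        print(f"CALLBACK  {url}")
```

The zip is inspected in memory from its member names alone, so nothing inside it is extracted or run; a mail gateway or IR script can apply the same check to any attachment before it reaches a mailbox. The short id in the last log line is deliberately below the threshold to show that the path alone is not enough to fire the rule.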
The version I saw on Saturday 18 November 2017 had these 2 links