Just starting to see the second run of today’s Trickbot downloaders coming in. Same sites and payload as the earlier run. This later one comes from noreply@random email addresses. ( all spoofed) Has a blank subject line and a zip attachment containing a VBS file

One of the email looks like:

From: [email protected]

Date: Tue 18/07/2017 11:25


Attachment: doc00042714507507789135.zip

Body content:

Your Payment is attached.

doc00042714507507789135.zip extracts to doc000799723147922720821.vbs Current Virus total detections: Payload Security shows a download of an encrypted text file from http://pluzcoll.com/56evcxv? which is converted to nbVXsSxirbe.exe ( VirusTotal)