Just starting to see the second run of today’s Trickbot downloaders coming in. Same sites and payload as the earlier run. This later one comes from noreply@random email addresses. ( all spoofed) Has a blank subject line and a zip attachment containing a VBS file
One of the email looks like:
Date: Tue 18/07/2017 11:25
Your Payment is attached.
doc00042714507507789135.zip extracts to doc000799723147922720821.vbs Current Virus total detections: Payload Security shows a download of an encrypted text file from http://pluzcoll.com/56evcxv? which is converted to nbVXsSxirbe.exe ( VirusTotal)