Reference: CERT-EU Security Advisory 2014-249
Title: Malware distribution to German-speaking users
Version history: 12.11.2014 Initial publication.

Dear Colleagues,

Overview:

CERT-EU has identified a malware distribution and fraud campaign focused on German-speaking users. Large volumes of e-mails posing as invoices from telecoms or other service providers are being delivered to users; their objective is to entice the user into opening a link that delivers a zip file [1] containing an executable [2].

Details:

Some e-mails were sent from:

u.schmidt@cc-schmidt.de
gerhard-appelshaeuser-at@server1-1.yourserver.de
info@hofgemeinschaft-aschhorn.de
ania@vip-art.com.pl
office@boxberlin.com
chrimpakis@apwohnbau.com

Some of the URLs hosting malicious files:

hxxp://rudeendev.com/Rpav3ByLC
hxxp://htcny.com/JvxsYacBnS
hxxp://wordpress.afcvbb.de/y89rpkqwR
hxxp://ekoride.co.uk/jcTLGYR8
hxxp://expertdemolition.ca/wnLgFBCZsI
hxxp://garde-enfants-paris.com/ovh/js/E0WL1f9x5/E0WL1f9x5/E0WL1f9x5/E0WL1f9x5/E0WL1f9x5/ERWfhJMl5C

Sample e-mail body (translated from German):

---
Dear Customer,

Your current invoice for your customer number 27647 dated 11.11.2014 is available for you in PDF format. Rechnung_2014_11_818290000027647.zip. In your account you will find all your invoices in the invoice overview. The immediately due total amount of EUR 181,78 will be charged to your account shortly.

Kind regards,
Your Telekom
---

References:
===========

[1] http://urlquery.net/report.php?id=1415781490783
[2] https://www.virustotal.com/en/file/586ee2c334dff3ada56930d7de90999634893495ba8acd524273b955303b23fd/analysis/1415781537/

Best Regards,
CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
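As an added example (not part of the advisory, not CERT-EU code), the following Python script triages a raw e-mail against the indicators listed above: the known sender addresses, the hostnames of the listed URLs, and the numbered Rechnung_*.zip lure name from the sample body. The KNOWN_* sets, the analyse function and the sample message are the example's own; the sample is constructed, not a real capture.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators copied from the advisory above; hostnames are taken from its URL list.
KNOWN_SENDERS = {
    "u.schmidt@cc-schmidt.de", "gerhard-appelshaeuser-at@server1-1.yourserver.de",
    "info@hofgemeinschaft-aschhorn.de", "ania@vip-art.com.pl",
    "office@boxberlin.com", "chrimpakis@apwohnbau.com",
}
KNOWN_HOSTS = {
    "rudeendev.com", "htcny.com", "wordpress.afcvbb.de",
    "ekoride.co.uk", "expertdemolition.ca", "garde-enfants-paris.com",
}
# Accept both live (http) and defanged (hxxp) URLs so advisory text can be fed in as-is.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s<>\"']+")
# Lure pattern from the sample body: an "invoice" shipped as a numbered zip archive.
LURE_RE = re.compile(r"\bRechnung_\d{4}_\d{2}_\d+\.zip\b")

def analyse(raw_message: str) -> list[str]:
    # Return the indicators matched by one RFC 822 message (empty list if none match).
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in KNOWN_SENDERS:
        findings.append(f"known-sender:{sender}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = urlparse("http" + url[4:]).hostname  # normalise hxxp -> http
        if host in KNOWN_HOSTS:
            findings.append(f"known-host:{host}")
    if LURE_RE.search(text):
        findings.append("invoice-zip-lure")
    return findings

# Constructed sample message modelled on the advisory's lure (not a real capture).
SAMPLE = """\
From: Telekom Rechnung <info@hofgemeinschaft-aschhorn.de>
Content-Type: text/plain; charset=utf-8

Sehr geehrte Kundin, sehr geehrter Kunde,
Ihre aktuelle Rechnung steht im PDF-Format fuer Sie bereit:
hxxp://htcny.com/JvxsYacBnS
Rechnung_2014_11_818290000027647.zip
"""
print(analyse(SAMPLE))
```

The host check deliberately matches on hostname rather than the full path, since the same compromised sites can serve new randomised paths; the lure regex catches the invoice-as-zip pattern even when neither sender nor host is on the list.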