In last days D3Lab identified a malspam campaign which simulate a communication about invoices and payments to spread malware with the aim to steal sensitive data from Ms Windows devices.
The malware is downloaded, from a probably compromised domain, and executed by a Microsoft Exel macro attached to the mail, clearly these actions require a users interaction.
The malware uses SMTP protocol to send stolen credentials towards command and control servers identified by domain names made ad-hoc for this malspam campaign. This escamotage allows to escape superficial network traffic control using believable domain names capable to deceive network controller operators, letting the malware talking with C&C servers.
Since Aprile the 1st we identified eleven malware versions . The difference is in the SMTP server used to send stolen credentials and we suppose each file has been made to hit different countries.