Server upgrade spam redux

Two days ago my colleague Pob blogged about a run of  high-volume server upgrade spam with a link to a Zbot executable. Today a similar campaign has shown up at our spamtraps, this time with the malware attached instead of linked.  The spam idea is similar, but is of note because the domain of the recipient is liberally sprinkled throughout the message. This gives a false sense of legitimacy to the spam messages.

The email is as follows:

Subject: A new settings file for the address@domain has just be released

Dear use of the domain mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox address@domain settings were changed. In order to apply the new set of settings open zip attached file.

Best regards, domain Technical Support.

Unlike the previously mentioned malware campaign, where the “From” address is system-administrator@domain, this time the “From” name is randomized and the “From” address is identical to the recipient address.

The volume of this campaign is quite high as this campaign accounts for the majority of the attached malware we currently monitor:

Detection-wise, Sophos anti-spam products proactively detected the spam campaign. On the anti-virus side, the attached file is also proactively detected as Mal/EncPk-KP.