Two new malspam campaigns have been detected that distribute the Agent Tesla malware and the IcedID banking trojan. In the first campaign, an e-mail message addressed to Italian users was detected whose sender pretends to be an Italian company. The theme of the e-mail is a fake purchase order, and the message includes a .DAT file that contains a malicious .EXE executable associated with the Agent Tesla malware.
The second campaign is meant to distribute the IcedID banking trojan. The e-mail is almost devoid of text and simply prompts the recipient to unzip the attached zip archive (“request.zip”). The archive contains a text document, “particulars_010.20.doc”, which uses an AutoOpen macro to start the download of the second stage of the malware from a domain that appears to be randomly generated. The second stage, which is presented as a file with the extension .cab (or .pdf in other cases), appears to hide a malicious DLL that contains the functionality of the malware.
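
A defender can catch the extension mismatch described for the second stage by comparing a downloaded file's claimed extension with its leading bytes. The following is an added example, not code from the original report; it assumes the second stage is itself a PE image carrying a .cab or .pdf name, and the file names and sample bytes are constructed for illustration.

```python
import struct

# Leading magic bytes expected for the extensions named in the report.
EXPECTED_MAGIC = {".cab": b"MSCF", ".pdf": b"%PDF"}
IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the PE file header


def pe_kind(data: bytes):
    """Return 'dll', 'exe' or None if data is not a well-formed PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need the 4-byte signature plus the 20-byte COFF file header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def check_download(name: str, data: bytes) -> str:
    """Compare a file's claimed extension with what its bytes actually are."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    kind = pe_kind(data)
    if kind and ext in EXPECTED_MAGIC:
        return f"ALERT: {name} is a PE {kind} disguised as {ext}"
    magic = EXPECTED_MAGIC.get(ext)
    if magic and not data.startswith(magic):
        return f"SUSPICIOUS: {name} does not start with {ext} magic"
    return f"ok: {name}"


def _fake_pe(characteristics: int) -> bytes:
    """Constructed minimal DOS + COFF header, just enough to parse (not loadable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    # Constructed samples; file names are hypothetical.
    samples = [
        ("stage2.cab", _fake_pe(0x2102)),
        ("stage2.pdf", _fake_pe(0x2102)),
        ("real.cab", b"MSCF" + b"\0" * 60),
        ("odd.pdf", b"PK\x03\x04" + b"\0" * 60),
    ]
    for name, data in samples:
        print(check_download(name, data))
```

The same check can run at a mail gateway, web proxy or EDR file-write hook; a DLL embedded deeper inside a genuine container would need the container unpacked first.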