Trend Micro researchers encountered a spam campaign referencing the Australian health insurance brand Medicare. The attachment, which Trend Micro detects as Trojan.X97M.URSNIF.THDAEBO, downloads the malicious file (detected as TrojanSpy.Win32.URSNIF.THDAEBO). The campaign aims to spread the spyware Ursnif, also known as Gozi.
The email headers pertain to payment transactions with the words “Statement,” “Invoice,” or “Transaction,” and include a supposed transaction number:
- RE: Statement 21833187
- RE: Invoice 187790985
- RE: Transaction 1214860391
Source: Trend Micro