This weekend we've seen a couple of runs with Feebs variants. This time the malicious JavaScript HTA files have been attached in ZIPs to image spam e-mails. The spam itself advertises some penny stocks (Aerofoam Metals AFML). We detect these as Feebs variants.
Then there's been a new Rechnung spam run in German-speaking countries. Masquerading as a bill from the "1&1" ISP, the e-mails look like this:
We now detect the attachment as Backdoor.Win32.Agent.akf.
Updated to add: We have now seen the same spam e-mails but with a different attachment, now detected as W32/Haxdoor.LQ or Backdoor.Win32.Haxdoor.jw. This variant tries to steal credentials for various banks located in Germany, Austria, Poland, and Sweden.