Purchase-order-themed malspam email with a .iso file attachment and a URL linking to an .iso file hosted on Dropbox. The ISO file contains an embedded EXE (PO-3DAE9F0.exe) which calls out to 188.8.131.52 (Akamai). After initial assessment of the threat it is believed to be Loki-bot; will update as needed.
May 7th 2018, 13:30:21.000
from baesystems[.]com (unknown [184.108.40.206])
Quotation and enquiry
“Dear Sir, Hope you received my previous email regarding our new order. Attached is our Updated quotation and P.O. Please check and give us your best Price. Looking forward to your response soon. thank you ACCOUNTS sent from my IPHONE”
type: ISO 9660 CD-ROM filesystem data ‘PO-3DAE9F0’
A Google search for the reply-to address returned one result, for the domain Btcinvestors[.]org; the whois data is different at this time:
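As an added defender-side example (not code from the original note), the following Python triage routine parses a mail message, flags ISO 9660 attachments by the `CD001` descriptor signature, checks whether a PE image is embedded in them, and pulls any `.iso` URLs out of the body. The sample message and image are constructed inline; the Dropbox path is a placeholder.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# ISO 9660 primary volume descriptor lives at sector 16 (2048-byte sectors);
# byte 0x8000 is the type and bytes 0x8001..0x8005 are the identifier "CD001".
ISO_MAGIC_OFFSET = 0x8001
ISO_URL_RE = re.compile(r"https?://[^\s\"'<>]+\.iso\b", re.IGNORECASE)

def is_iso9660(data: bytes) -> bool:
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == b"CD001"

def embedded_pe_offsets(data: bytes) -> list:
    """Offsets of MZ headers whose e_lfanew points at a valid 'PE\\0\\0' signature."""
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue  # too short to hold a DOS header with e_lfanew
        e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
        if data[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0":
            hits.append(off)
    return hits

def triage(raw: bytes) -> dict:
    """Return ISO attachments, those carrying a PE, and .iso URLs from the body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"iso_attachments": [], "pe_inside_iso": [], "iso_urls": []}
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        findings["iso_urls"] = ISO_URL_RE.findall(body.get_content())
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if is_iso9660(data):
            findings["iso_attachments"].append(part.get_filename())
            if embedded_pe_offsets(data):
                findings["pe_inside_iso"].append(part.get_filename())
    return findings

def build_sample() -> bytes:
    """Constructed sample: a fake ISO image (descriptor + bare PE header) attached to a mail."""
    img = bytearray(0xA000)
    img[0x8000] = 1                      # volume descriptor type: primary
    img[0x8001:0x8006] = b"CD001"        # standard identifier
    pe = bytearray(0x100)
    pe[0:2] = b"MZ"
    pe[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> PE signature
    pe[0x80:0x84] = b"PE\0\0"
    img[0x9000:0x9000 + len(pe)] = pe    # stand-in for the file data area
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"   # constructed sender
    msg["Subject"] = "Quotation and enquiry"
    msg.set_content("Attached is our updated P.O. Also at:\n"
                    "https://www.dropbox.com/s/placeholder/PO-3DAE9F0.iso?dl=1\n")
    msg.add_attachment(bytes(img), maintype="application",
                       subtype="x-iso9660-image", filename="PO-3DAE9F0.iso")
    return msg.as_bytes()
```

A mail gateway rule that quarantines on a non-empty `pe_inside_iso` or `iso_urls` list would have caught this lure before delivery.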