The Gootkit banking trojan is still being distributed via the Mailgun SMTP sending service, using Microsoft’s OneDrive business file hosting service to deliver malicious macro-enabled Word docs that in turn download the Gootkit banking trojan payload from another site. The senders use compromised mail accounts or websites to relay emails via the Mailgun SMTP relay service, so the messages stand a better chance of being accepted at the receiving end.
I don’t know whether they are using a compromised email account (that is, stolen email credentials) or whether they have hacked or compromised the website for facewebinar.com and are using the Mailgun API interface to send the malware-laden spam. I am guessing from the email headers it is more likely to be stolen email credentials.
The email has the subject “Account Invoice # 1373465”, comes from email@example.com and carries an HTML attachment that, when opened, downloads a malicious Word doc from a compromised or fraudulently set up OneDrive hosting account, which in turn delivers the Gootkit banking trojan.
They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium-sized businesses, in the hope of getting a better response than they do from consumers.
Remember, many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com>. That is why these scams and phishes work so well.
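A triage check for the traits described above, added here as an example and not taken from the original article: it pulls the real address out from behind the display name, looks for signs of a Mailgun relay, and lists HTML attachments. The sample message is constructed, and treating `X-Mailgun-*` headers or a `Received` hop naming Mailgun as the relay marker is an assumption of this example.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message (not a real capture); all header values are illustrative.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.example.org; Mon, 1 Jan 2018 10:00:00 +0000
Received: from relay.mailgun.example (relay [198.51.100.7]) by mail.example.net; Mon, 1 Jan 2018 09:59:58 +0000
X-Mailgun-Sid: CONSTRUCTED-PLACEHOLDER
From: "Accounts Payable" <email@example.com>
To: user@example.org
Subject: Account Invoice # 1373465
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><body>constructed placeholder body</body></html>
--b1--
"""

def triage(raw):
    """Return the traits an analyst would check first on a suspect invoice mail."""
    msg = message_from_string(raw, policy=policy.default)
    # Many clients show only the display name; surface the real address too.
    display, addr = parseaddr(str(msg.get("From", "")))
    # Assumption: relayed mail carries X-Mailgun-* headers or a Received hop naming Mailgun.
    relay = any(k.lower().startswith("x-mailgun") for k in msg.keys()) or any(
        "mailgun" in str(v).lower() for v in msg.get_all("Received", []))
    # HTML files sent as attachments (not the message body itself).
    html_files = [p.get_filename() for p in msg.iter_attachments()
                  if p.get_content_type() == "text/html"
                  or (p.get_filename() or "").lower().endswith((".htm", ".html"))]
    return {"display_name": display, "address": addr, "mailgun_relay": relay,
            "html_attachments": html_files,
            "review": relay and bool(html_files)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Mailgun is a legitimate service, so the `review` flag is a prompt for a closer look at the attachment and sender, not a verdict.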