Earlier this week, Avast's David Fiser wrote about the phishing campaign. One malicious email, which appeared to come from a “Maersk VietNam Limited” Gmail account, claimed to include direct links to the invoice.
Victims following the URLs believe they'll download a PDF file with additional information, Fiser wrote, but when the malicious file is executed, the "final vicious payload" is downloaded. Pony Stealer has previously been used to steal $220,000 worth of bitcoins from victims, Fiser noted.
In this campaign, the payload URL was downloaded from a compromised website, which attackers infected with a backdoor. Fiser advised administrators to secure their server using security best practices to prevent their sites from being used for hackers' exploits.