A piece of malware identified by MX Lab as Gen:Variant.Strictor.49180 (Upatre) is being distributed with the aid of at least two different spam runs.
The first one relies on fake ADP invoice emails that purport to come from firstname.lastname@example.org. The bogus notifications read something like this:
“Attached is the invoice (Invoice_ADP_3164342.zip) received from your bank. Please print this label and fill in the requested information. Once you have filled out all the information on the form please send it to email@example.com. For more details please see the attached file.”
The attached file is not an invoice, but a piece of malware.
For the second campaign, cybercriminals are abusing the name of Fiserv, a company that provides financial services technology. The emails carry the subject line “FW: Scanned Document Attached” and they read something like this:
“Protecting the privacy and security of client, company, and employee information is one of our highest priorities. That is why Fiserv has introduced the Fiserv Secure E-mail Message Center – a protected e-mail environment designed to keep sensitive and confidential information safe.
In this new environment, Fiserv will be able to send e-mail messages that you retrieve on a secured encrypted file. You have an important message from Debra_Drake@fiserv.com. To see your message, use the following password to decrypt attached file: JkSIbsJPPai”
The same piece of malware is attached to these emails as well. The threat is disguised as a file called “FSEMC.Debra_Drake.zip.”
At the time of writing, most antivirus engines are capable of detecting the threat, so make sure your security solution is up to date.
Other antivirus engines detect Gen:Variant.Strictor.49180 as Gen:Variant.Zusy.79270 (Bitdefender), Win32/TrojanDownloader.Waski.A (ESET), Spyware.ZeuS (Malwarebytes), TrojanDownloader:Win32/Upatre.A (Microsoft) and Trojan.Zbot (Symantec). The threat is designed to download additional malware, such as the ZeuS banking Trojan, to infected machines.
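For mail administrators, the lure traits described above (subject line, attachment names, a password supplied in the body) can be checked on a raw message. The following is an added example, not code from MX Lab or the original article; the function names, the list of executable extensions and the sample message are assumptions constructed for illustration.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the two lures described above.
SUBJECTS = {"fw: scanned document attached"}
NAME_PATTERNS = [re.compile(r"^Invoice_ADP_\d+\.zip$", re.I),
                 re.compile(r"^FSEMC\.[\w.]+\.zip$", re.I)]
PASSWORD_HINT = re.compile(r"password to decrypt", re.I)
# Assumption (not from the article): extensions treated as executable.
EXEC_EXT = (".exe", ".scr", ".pif", ".com")

def triage(raw: bytes) -> list:
    """Return the indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        findings.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and PASSWORD_HINT.search(body.get_content()):
        findings.append("password-in-body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(p.match(name) for p in NAME_PATTERNS):
            findings.append("attachment-name")
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.infolist()
        except zipfile.BadZipFile:
            continue  # not a readable ZIP; nothing more to inspect
        # Bit 0 of the general-purpose flags marks an encrypted member; with
        # traditional ZIP encryption the member names remain readable.
        if any(m.flag_bits & 0x1 for m in members):
            findings.append("encrypted-member")
        if any(m.filename.lower().endswith(EXEC_EXT) for m in members):
            findings.append("executable-in-zip")
    return findings

def build_sample() -> bytes:
    """Constructed, harmless message shaped like the second lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"placeholder bytes, not a program")
    msg = EmailMessage()
    msg["Subject"] = "FW: Scanned Document Attached"
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg.set_content("Use the following password to decrypt attached file: XXXX")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="FSEMC.Debra_Drake.zip")
    return msg.as_bytes()
```

Calling `triage(build_sample())` returns every indicator that matched, so a gateway rule can quarantine on any combination rather than on a single string.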