Fake ADP Invoices and Fiserv Documents Used to Distribute Upatre Malware

Most antivirus engines already detect the malware

A piece of malware identified by MX Lab as Gen:Variant.Strictor.49180 (Upatre) is being distributed with the aid of at least two different spam runs.

The first one relies on fake ADP invoice emails that purport to come from payroll.invoices@adp.com. The bogus notifications read something like this:

“Attached is the invoice (Invoice_ADP_3164342.zip) received from your bank. Please print this label and fill in the requested information. Once you have filled out all the information on the form please send it to payroll.invoices@adp.com. For more details please see the attached file.”

The attached file is not an invoice, but a piece of malware.

For the second campaign, cybercriminals are abusing the name of Fiserv, a company that provides financial services technology. The emails carry the subject line “FW: Scanned Document Attached” and they read something like this:

“Protecting the privacy and security of client, company, and employee information is one of our highest priorities. That is why Fiserv has introduced the Fiserv Secure E-mail Message Center – a protected e-mail environment designed to keep sensitive and confidential information safe.

In this new environment, Fiserv will be able to send e-mail messages that you retrieve on a secured encrypted file. You have an important message from Debra_Drake@fiserv.com. To see your message, use the following password to decrypt attached file: JkSIbsJPPai”

The same piece of malware is attached to these emails as well, this time disguised as a file called “FSEMC.Debra_Drake.zip.” Supplying the password in the message body is the point of the lure: an encrypted archive cannot be inspected by a mail gateway or on-access scanner, so the recipient is tricked into opening it by hand.
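The two lures share a small set of indicators that a mail gateway or triage script can check for without any signatures: an archive attachment, a decryption password sent in the same message, and the lure wording. The script below is an added example, not code from the original article or from any vendor named in it. It parses messages with the Python standard library; the three sample messages are constructed for illustration (the sender addresses, the Fiserv subject line, the attachment names and the password string are taken from the article, the attachment bytes are placeholders, and the recipient, the ADP subject line and the benign message are assumptions).

```python
"""Mail triage for the ADP and Fiserv lures described above.

Added example, not part of the original article. Sample messages are
constructed here; attachment bytes are placeholders, not real malware.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Wording taken from the two quoted e-mails (whitespace-tolerant patterns).
LURE_PHRASES = (
    r"attached\s+is\s+the\s+invoice",
    r"received\s+from\s+your\s+bank",
    r"secure\s+e-?mail\s+message\s+center",
    r"password\s+to\s+decrypt",
)
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")
PASSWORD_RE = re.compile(
    r"password\s+to\s+decrypt\s+(?:the\s+)?attached\s+file:?\s*([A-Za-z0-9]+)",
    re.I)


def triage(raw):
    """Return {'indicators', 'archive_password', 'suspicious'} for raw bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    indicators = []

    # Both campaigns deliver the downloader inside a .zip attachment.
    archives = [
        (part.get_filename() or "").lower()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(ARCHIVE_EXTENSIONS)
    ]
    indicators += [f"archive attachment: {name}" for name in archives]

    # The Fiserv lure ships the password for its encrypted archive in the
    # body, so the gateway cannot inspect the contents. Record the password
    # so an analyst can open the archive in a sandbox.
    m = PASSWORD_RE.search(text)
    password = m.group(1) if m else None
    if password:
        indicators.append("archive password in message body")

    for pat in LURE_PHRASES:
        if re.search(pat, text, re.I):
            indicators.append(f"lure phrase: {pat}")

    # An archive on its own is common in legitimate mail; require a second
    # signal before flagging the message.
    suspicious = bool(archives) and len(indicators) > len(archives)
    return {"indicators": indicators,
            "archive_password": password,
            "suspicious": suspicious}


def _build(sender, subject, body, attachment_name, subtype):
    """Construct a sample message with a placeholder attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "accounts@example.com"   # assumed recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype=subtype, filename=attachment_name)
    return msg.as_bytes()


SAMPLES = {
    "adp": _build(
        "payroll.invoices@adp.com", "Invoice",   # subject is assumed
        "Attached is the invoice (Invoice_ADP_3164342.zip) received from\n"
        "your bank. Please print this label and fill in the requested\n"
        "information. For more details please see the attached file.\n",
        "Invoice_ADP_3164342.zip", "zip"),
    "fiserv": _build(
        "Debra_Drake@fiserv.com", "FW: Scanned Document Attached",
        "Fiserv has introduced the Fiserv Secure E-mail Message Center.\n"
        "You have an important message from Debra_Drake@fiserv.com.\n"
        "To see your message, use the following password to decrypt\n"
        "attached file: JkSIbsJPPai\n",
        "FSEMC.Debra_Drake.zip", "zip"),
    "benign": _build(   # constructed control message
        "colleague@example.com", "Q3 report",
        "Hi, the quarterly report you asked for is attached.\n",
        "q3_report.pdf", "pdf"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

The verdict deliberately requires a second signal beside the archive, since invoices and scanned documents arrive as .zip files in legitimate mail too; the extracted password is returned so the archive can be opened and detonated in a sandbox rather than on a user's workstation.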

At the time of writing, most antivirus engines are capable of detecting the threat, so make sure your security solution is up to date.

Other antivirus engines detect Gen:Variant.Strictor.49180 as Gen:Variant.Zusy.79270 (Bitdefender), Win32/TrojanDownloader.Waski.A (ESET), Spyware.ZeuS (Malwarebytes), TrojanDownloader:Win32/Upatre.A (Microsoft) and Trojan.Zbot (Symantec). Upatre itself is only a downloader: once it runs, it fetches additional malware, such as the ZeuS banking Trojan, onto the infected machine, so a blocked attachment stops the whole chain, but a detection that fires only after execution should be treated as a sign that a second payload may already be present.
