WorldPay emails contain attached malware
April 24, 2009
Take extra care when receiving messages with the subject “WorldPay CARD transaction Confirmation” claiming that your invoice is attached to the email as a ZIP file.
MX Lab intercepted emails with malware attached. The From address doesn’t belong to WorldPay at all and is spoofed randomly. These are the contents of the body:
Thank you!
Your transaction has been processed by WorldPay, on behalf of Amazon Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
and will inform you about delivery.
Sincerely,
Amazon Team
This confirmation only indicates that your transaction has been processed successfully.
It does not indicate that your order has been accepted.
It is the responsibility of Amazon Inc to confirm that your order has been accepted, and to deliver any goods or services you have ordered.
The malware is known as Trojan-Spy:W32/Zbot.OSK (F-Secure), Trojan-Spy.Win32.Zbot.sot (Kaspersky), PWS:Win32/Zbot.M (Microsoft) or Mal/EncPk-HZ (Sophos).
The threat has the characteristics of ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and provides a hacker with remote access to the compromised system.
VirusTotal permalink and MD5: d4131d5a287bce49ddb3a4f9db7e7dc1.
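A mail-triage check built from the indicators in this post (subject line, non-WorldPay sender, ZIP attachment, MD5), as an added example that is not MX Lab's code. The legitimate domain `worldpay.com`, the executable extension list, the finding tags and the constructed sample message are assumptions; the post does not say whether the MD5 is of the ZIP or of the file inside it, so both are hashed.

```python
import hashlib, io, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

SUBJECT = "worldpay card transaction confirmation"  # subject quoted in the post
KNOWN_MD5 = {"d4131d5a287bce49ddb3a4f9db7e7dc1"}     # MD5 given in the post
LEGIT_DOMAIN = "worldpay.com"                        # assumption, not from the post
EXEC_EXT = (".exe", ".scr", ".pif", ".com")          # assumption: executable types
MAX_MEMBER = 20 * 1024 * 1024                        # skip oversized members (zip bombs)

def triage(raw, known_md5=KNOWN_MD5):
    """Return a sorted list of finding tags for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = set()
    if SUBJECT in str(msg["Subject"] or "").lower():
        found.add("subject-match")
    domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    if domain != LEGIT_DOMAIN and not domain.endswith("." + LEGIT_DOMAIN):
        found.add("sender-not-worldpay")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if hashlib.md5(data).hexdigest() in known_md5:
            found.add("known-md5")
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        found.add("zip-attachment")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXEC_EXT):
                    found.add("executable-in-zip")
                if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                    continue  # encrypted or oversized member: not hashed
                if hashlib.md5(zf.read(info)).hexdigest() in known_md5:
                    found.add("known-md5")
    return sorted(found)

def build_sample():
    """Constructed sample: benign bytes in a ZIP, non-WorldPay From, the post's subject."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"constructed benign placeholder")
    msg = EmailMessage()
    msg["From"] = "Billing <billing@example.net>"
    msg["Subject"] = "WorldPay CARD transaction Confirmation"
    msg.set_content("The invoice file is attached to this message.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Because the From address is spoofed, a sender that does match the assumed domain proves nothing on its own; the attachment findings carry the weight.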
