Corporate eFax message with ZIP attachment contains trojan
August 29, 2013
MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Corporate eFax message from “739-566-5544” – 5 pages” (the phone number varies from email to email).
The email is sent from the spoofed address “eFax Corporate <firstname.lastname@example.org>” and has the following body:
You have received 5 pages fax at 2013-08-29 10:24:18 CST.* The reference number for this fax is latf1_did11-1944268383-7063244220-63.
Please visit www.efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at email@example.com.
Thank you for using the eFax Corporate service! 2013 j2 Global, Inc. All rights reserved. eFax Corporate is a registered trademark of j2 Global, Inc.
The attached ZIP file is named Fax_08292013_821.zip and contains the 17 kB executable Fax_08292013_821.exe.
The trojan is known as Trojan-Downloader.Win32.Agent (A) by Emsisoft.
At the time of writing, only 1 of the 46 AV engines on VirusTotal detected the trojan.
VirusTotal permalink and SHA256: e8c67da9c5d3bf233e8918a8b364ce65b7756e146217e36b6728193cf14072d6.
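As an added defender-side example (not code from the original MX Lab post), the following Python scanner flags mail matching this lure: it checks the subject pattern, opens ZIP attachments, reports executables hidden inside them and compares every blob against the SHA256 reported above. The sender address, regex and the dummy .exe bytes in the sample mail are constructed assumptions, not the real malware.

```python
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators from this post; the SHA256 is the one reported above.
KNOWN_BAD_SHA256 = {"e8c67da9c5d3bf233e8918a8b364ce65b7756e146217e36b6728193cf14072d6"}
SUBJECT_RE = re.compile(r"Corporate eFax message from .+ \d+ pages")  # assumed lure pattern
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")

def scan_message(raw: bytes) -> list:
    """Return findings for one RFC 822 message (empty list = nothing flagged)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        findings.append("subject matches eFax lure pattern")
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        # Look inside ZIP attachments; check both the archive and every member.
        blobs = [(name, data)]
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                blobs += [(f"{name}/{i.filename}", zf.read(i)) for i in zf.infolist()]
        for label, blob in blobs:
            if hashlib.sha256(blob).hexdigest() in KNOWN_BAD_SHA256:
                findings.append(f"{label}: SHA256 matches known sample")
            if label.lower().endswith(EXEC_EXT):
                findings.append(f"{label}: executable delivered inside attachment")
    return findings

def build_sample() -> bytes:
    """Constructed lookalike of the campaign mail; the .exe is dummy bytes, not the malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fax_08292013_821.exe", b"MZ placeholder, not the real sample")
    msg = EmailMessage()
    msg["From"] = "eFax Corporate <spoofed-sender@example.org>"  # constructed address
    msg["Subject"] = 'Corporate eFax message from "739-566-5544" - 5 pages'
    msg.set_content("You have received 5 pages fax at 2013-08-29 10:24:18 CST.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Fax_08292013_821.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print("\n".join(scan_message(build_sample())) or "clean")
```

Feed real messages to scan_message() from an .eml file opened in binary mode; a non-empty list is a reason to quarantine.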