Fake “HMRC Employer Alerts & Verification” email contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “HMRC Employer Alerts & Verification”.

This email is send from the spoofed address “HMRC <employers@alerts.hmrc.gov.uk>” and has the following body:

Thank you for your registration details which have been recorded for email alerts purposes only.

We expect to send you three email alerts a year – February, May and December.
These will give you the links to the latest Employer Bulletin and HMRC PAYE Tools (previously the Employer CD-ROM).

Please complete all relevant sections of the attached application form and attach the appropriate documents to confirm your identity.

** Do not reply to this email as this mailbox is unmonitored for incoming mail.

The attached ZIP file has the name HMRC_35F218F904.zip and contains the 95 kB large file HMRC Employer Alerts & Verification_00FF8024957__randon_numbers__5324.pdf.

The trojan is known as

At the time of writing, 5 of the 49 AV engines did detect the trojan at Virus Total.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 0a69b4f91f7d4009f6ddc1fab07a0140b21badb80e778fede4fac91d3ca3de2c

6 Responses to Fake “HMRC Employer Alerts & Verification” email contains trojan

  1. Frank Mander says:

    The att I received was named HMRC_1392128966.zip (62.8 KB)

  2. Pingback: Switching to the new website verification API | CompleteRanking.Com blog

  3. Chris Fielder says:

    For info- the email I received had slightly different wording:- “Reply to this email as this mailbox is monitored for incoming mail.” Otherwise all other details were as you advise. Thank you for publishing this-my anti virus wouldn’t let me open it anyway-but i it was still a relief that I didn’t have to waste time and energy trying to find out if it was important.

  4. Josie says:

    Thank you for posting this. I did think that the email was suspicious, but I wasn’t certain. I just wanted confirmation that the email was indeed unsafe. Thank you.

  5. Carly says:

    I received this and did not open the attachments. I did, however, foolishly reply to the email asking what it was about and why I had been sent this. Do you think I will now be at risk?

  6. dan says:

    i recieved this but i knew it was fake since it is a employer message yet i dont employ anyone


Get every new post delivered to your Inbox.

Join 1,584 other followers

%d bloggers like this: