MX Lab, http://www.mxlab.eu, intercepted some emails with the subject “Your Federal Tax Payment ID: 2636335 is failed” (the number changes with each email) in which the trojan is disguised to the reader as a self-extracting archive that contains a PDF file.
The email is sent from spoofed addresses and has the following body:
Your Federal Tax Payment ID: 901757127 has been rejected.
Return Reason Code R21 – The identification number used in the Company Identification Field is not valid. Please, check the information and refer to Code R21 to get details about your company payment in transaction contacts section:
report_177329.pdf.exe (self-extracting archive, Adobe PDF)
In other way forward information to your accountant adviser.
EFTPS: The Electronic Federal Tax Payment System
PLEASE NOTE: Your tax payment is due regardless of EFTPS online availability. In case of an emergency, you can always make your tax payment by calling the EFTPS.
The embedded link “report_177329.pdf.exe” leads to hxxp://corporate12banking.firm.in/report.pdf.exe, from which a roughly 200 kB file, report.pdf.exe, is downloaded.
The trojan is known as Spyware/Win32.Zbot or W32/Crypt.BBAL!tr.
At the time of writing, only 2 of the 41 AV engines at VirusTotal detected the trojan.
Virus Total permalink and SHA256: 8a23b87b866909d6d3d7bc6b4e45784a519ab12a46d3ac70f55f42a6b7c10e3c.
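A mail-gateway triage check for this lure, added here as an example and not MX Lab's own code: it parses a raw message, flags the campaign's subject pattern and any document-then-executable double extension such as report_177329.pdf.exe in the body text, URLs or attachment names. The sample message, its addresses and the host name are constructed placeholders.

```python
import email
import re
from email import policy

# Lure subject seen in this campaign; the numeric ID varies per message.
SUBJECT_RE = re.compile(r"Your Federal Tax Payment ID: \d+ (?:is failed|has been rejected)", re.I)
# A document extension immediately followed by an executable one (e.g. report_177329.pdf.exe).
DOUBLE_EXT_RE = re.compile(r"\S+\.(?:pdf|doc|xls|txt)\.(?:exe|scr|com|pif|bat)\b", re.I)


def find_double_extension_lures(text: str) -> list:
    """Return every token whose last two extensions disguise an executable as a document."""
    return sorted({m.group(0) for m in DOUBLE_EXT_RE.finditer(text)})


def analyze_message(raw: bytes) -> dict:
    """Parse an RFC 822 message and report the campaign traits it shows (hypothetical helper)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    # Attachment names are checked too, in case the lure arrives as a file instead of a link.
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    lures = find_double_extension_lures(text + "\n" + "\n".join(names))
    findings = []
    if SUBJECT_RE.search(subject):
        findings.append("subject matches EFTPS payment-rejection lure")
    if lures:
        findings.append("executable disguised with a double extension: " + ", ".join(lures))
    return {"subject": subject, "lures": lures, "findings": findings,
            "verdict": "quarantine" if findings else "pass"}


# Constructed sample modelled on the intercepted message; the host is a placeholder, not the real one.
SAMPLE_EML = b"""From: EFTPS <noreply@example.invalid>
To: accounts@example.invalid
Subject: Your Federal Tax Payment ID: 2636335 is failed
Content-Type: text/plain; charset=us-ascii

Your Federal Tax Payment ID: 901757127 has been rejected.
Return Reason Code R21 - The identification number used in the Company
Identification Field is not valid. Please check the details here:
report_177329.pdf.exe (self-extracting archive, Adobe PDF)
hxxp://lure-host.example.invalid/report.pdf.exe
EFTPS: The Electronic Federal Tax Payment System
"""

if __name__ == "__main__":
    result = analyze_message(SAMPLE_EML)
    print(result["verdict"], result["findings"])
```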