Fake email from Paypal regarding Identity Issue contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Identity Issue #PP-355-669-458-212”

The email is send from the spoofed address “PayPal <service@paypal.com>” and has the following body:

We are writing you this email in regards to your PayPal account. In accordance with our “Terms and Conditions”, article 3.2., we would like to kindly ask you to confirm your identity by completing the attached form.

Please print this form and fill in the requested information. Once you have filled out all the information on the form please send it to verification@paypal.com along with a personal identification document (identity card, driving license or international passport) and a proof of address submitted with our system ( bank account statement or utility bill )

Your case ID for this reason is PP-2BAJF3EXU3J9

For your protection, we might limit your account access. We apologize for any inconvenience this may cause.



This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (PayPal , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies. Thank You

PayPal Email ID PP28084

Note that the ID PP number may vary with each email.

The attached ZIP file has the name IdentityForm.zip and contains the 24 kB large file IdentityForm.exe.

The trojan is known as Win-Trojan/Zpack.23552.F, TR/Crypt.XPACK.Gen, Trojan.Downloader.JQAR, Win32/TrojanDownloader.Small.PRL, W32/Trojan3.FWW, Trojan.Win32.Bublik.bdpe, Backdoor.Bot, Troj/Mdrop-FIO or TSPY_ZBOT.KNH.

At the time of writing, 18 of the 46 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: d4ead44ff985efd5d1c1e19acfd309035bf0ce1959900ee394876b36029883e8.