Email with subject “ACH Notification” comes from fake email address ADP Payroll and contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “ACH Notification”.

This email is sent from the spoofed address “ADP Payroll <Ola_Conrad@adp.com>” (note: at the SMTP server level the from address is service@citibank.com) and has the following short body:

Attached is a summary of Origination activity for 10/09/2013
If you need assistance please contact us via e-mail during regular business hours.

Thank you for your cooperation.

The attached ZIP file has the name ACAS10092013_123521_2610.zip and contains the 23 kB file ACAS10092013.exe (the number combination may vary).

The trojan is known as UDS:DangerousObject.Multi.Generic or Trojan-Downloader.

At the time of writing, 3 of the 48 AV engines detected the trojan at Virus Total.

Virus Total permalink and SHA256: 5c982a2664641cb78fe7a5c3f34f755c18642b057b817df024269cfc3efca586.

Malwr permalink and SHA256: 5c982a2664641cb78fe7a5c3f34f755c18642b057b817df024269cfc3efca586.
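The traits described above (header From domain differing from the SMTP-level from address, and an executable inside a ZIP attachment) can be checked at a mail gateway. The following is an added example, not MX Lab's code: `triage`, `domain` and `build_sample` are hypothetical names, the envelope sender is assumed to be supplied by the gateway, and the sample message is constructed with harmless placeholder bytes in place of the executable.

```python
import email, hashlib, io, zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# SHA256 published in the post for the attached executable.
KNOWN_SHA256 = {"5c982a2664641cb78fe7a5c3f34f755c18642b057b817df024269cfc3efca586"}
EXEC_EXT = (".exe", ".scr", ".pif", ".com")

def domain(addr):
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def triage(raw_bytes, envelope_from):
    """Return a list of findings for one message and its SMTP envelope sender."""
    msg = email.message_from_bytes(raw_bytes)
    findings = []
    if domain(msg.get("From", "")) != domain(envelope_from):
        findings.append("from-mismatch")
    for part in msg.walk():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        try:
            archive = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b""))
        except zipfile.BadZipFile:
            findings.append("unreadable-zip")
            continue
        for info in archive.infolist():
            if not info.filename.lower().endswith(EXEC_EXT):
                continue
            findings.append("exe-in-zip:" + info.filename)
            if info.flag_bits & 0x1:  # encrypted member: cannot be hashed without the password
                continue
            if hashlib.sha256(archive.read(info)).hexdigest() in KNOWN_SHA256:
                findings.append("known-sha256")
    return findings

def build_sample():
    """Constructed message mirroring the post; the 'exe' is placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ACAS10092013.exe", b"placeholder, not a real executable")
    m = EmailMessage()
    m["From"] = "ADP Payroll <Ola_Conrad@adp.com>"
    m["Subject"] = "ACH Notification"
    m.set_content("Attached is a summary of Origination activity for 10/09/2013")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="ACAS10092013_123521_2610.zip")
    return m.as_bytes()
```

A domain mismatch alone is noisy, since legitimate bulk senders often use a separate bounce domain, so it is best treated as one signal alongside the attachment check.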

7 thoughts on “Email with subject “ACH Notification” comes from fake email address ADP Payroll and contains trojan”

  1. I work for a company that uses this ADP as their pay service, and received this email. I was not willing to open with the .exe attached. Thanks for the rapid notification. I must be on the world's largest spam list.
