MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “ACH Notification”.
This email is sent from the spoofed address “ADP Payroll <Ola_Conrad@adp.com>” (note: at the SMTP envelope level the From address is firstname.lastname@example.org) and has the following short body:
Attached is a summary of Origination activity for 10/09/2013
If you need assistance please contact us via e-mail during regular business hours.
Thank you for your cooperation.
The attached ZIP file has the name ACAS10092013_123521_2610.zip and contains the 23 kB file ACAS10092013.exe (the number combination may vary).
The trojan is known as UDS:DangerousObject.Multi.Generic or Trojan-Downloader.
At the time of writing, 3 of the 48 AV engines at VirusTotal detected the trojan.
Virus Total permalink and SHA256: 5c982a2664641cb78fe7a5c3f34f755c18642b057b817df024269cfc3efca586.
Malwr permalink and SHA256: 5c982a2664641cb78fe7a5c3f34f755c18642b057b817df024269cfc3efca586.
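The indicators in this post (the lure subject, the header From that does not match the envelope sender, the ACAS-named ZIP carrying an .exe, and the SHA256) can be turned into a mail-gateway check. The script below is an added example and is not MX Lab's own tooling; it parses a raw message, compares the header From domain with the Return-Path domain, inspects any ZIP attachment for executable members, and matches hashes against the SHA256 given above. The sample message is constructed here to mirror the campaign (the archive member is harmless dummy bytes, not the trojan), the envelope address `bounce@mailer.example.net` is made up, and the list of executable extensions beyond .exe is a defensive generalisation, not something the post states.

```python
import email
import email.utils
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the post above.
LURE_SUBJECT = "ach notification"
ZIP_NAME_RE = re.compile(r"^ACAS\d{8}_\d{6}_\d{4}\.zip$", re.IGNORECASE)
KNOWN_SHA256 = {"5c982a2664641cb78fe7a5c3f34f755c18642b057b817df024269cfc3efca586"}
# The post only mentions .exe; the other extensions are a defensive generalisation.
EXEC_EXT = (".exe", ".scr", ".com", ".pif")
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # do not inflate huge members (zip-bomb guard)


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain of an RFC 5322 address, or '' if absent."""
    _, addr = email.utils.parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze(raw: bytes) -> dict:
    """Parse one raw message and return the findings plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Spoofing check: display From domain vs. envelope (Return-Path) domain.
    hdr_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("Return-Path"))
    if hdr_dom and env_dom and hdr_dom != env_dom:
        findings.append(f"header From domain '{hdr_dom}' differs from envelope domain '{env_dom}'")

    if LURE_SUBJECT in (msg.get("Subject") or "").lower():
        findings.append("subject matches the 'ACH Notification' lure")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if hashlib.sha256(data).hexdigest() in KNOWN_SHA256:
            findings.append(f"attachment {name} hash matches known sample")
        if ZIP_NAME_RE.match(name):
            findings.append(f"attachment name {name} matches the ACAS naming pattern")
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.filename.lower().endswith(EXEC_EXT):
                        continue
                    findings.append(f"archive member {info.filename} is an executable")
                    # Only hash members of sane size; a decompression bomb is a finding in itself.
                    if info.file_size <= MAX_MEMBER_BYTES:
                        if hashlib.sha256(zf.read(info)).hexdigest() in KNOWN_SHA256:
                            findings.append(f"archive member {info.filename} hash matches known sample")

    hard = any("executable" in f or "hash matches" in f for f in findings)
    verdict = "quarantine" if hard else ("suspicious" if findings else "clean")
    return {"verdict": verdict, "findings": findings}


def _zip_with(member: str, content: bytes) -> bytes:
    """Build an in-memory ZIP containing a single member (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def build_sample_eml() -> bytes:
    """Constructed message modelled on the campaign; the 'exe' is dummy bytes, not the trojan."""
    msg = EmailMessage()
    msg["Return-Path"] = "<bounce@mailer.example.net>"  # envelope sender, constructed
    msg["From"] = "ADP Payroll <Ola_Conrad@adp.com>"     # spoofed header From, as in the post
    msg["To"] = "payroll@example.com"
    msg["Subject"] = "ACH Notification"
    msg.set_content("Attached is a summary of Origination activity for 10/09/2013\n")
    msg.add_attachment(_zip_with("ACAS10092013.exe", b"dummy bytes, constructed, not an executable"),
                       maintype="application", subtype="zip",
                       filename="ACAS10092013_123521_2610.zip")
    return msg.as_bytes()


def build_benign_eml() -> bytes:
    """Constructed control message: consistent sender domains, no attachment."""
    msg = EmailMessage()
    msg["Return-Path"] = "<alice@example.com>"
    msg["From"] = "Alice <alice@example.com>"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Lunch on Friday?"
    msg.set_content("Same place as last time?\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("sample", build_sample_eml()), ("benign", build_benign_eml())):
        result = analyze(raw)
        print(label, result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

Return-Path is written by the receiving MTA, so this check only works on delivered mail; a filter running during the SMTP session should compare the header From with the MAIL FROM of the session instead. A header/envelope mismatch alone is only "suspicious" (mailing lists and some bulk senders produce it legitimately); an executable inside the archive or a hash hit is what drives the quarantine verdict.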