MX Lab, http://www.mxlab.eu, has started to intercept a new trojan distribution campaign by email with the subject “Payroll invoice”.
This email is sent from the spoofed address “email@example.com” and has the following body:
A copy of your ADP TotalSource Payroll Invoice for the following payroll is is attached in PDF file and available for viewing.
Week No: 08
Payroll No: 1
Please open attached file to view and check following payrol
This email was generated by an automated notification system. If you have any questions regarding the invoice or you have misplaced your
MyTotalSource login information, please contact your Payroll Service Representative. Please do not reply to the email directly.
© 2013 Automatic Data Processing, Inc.
The attached ZIP file is named invoice.zip and contains a single 137 kB file, invoice_2034837510_293mw.pdf.exe, an executable disguised with a double extension so that it appears to be a PDF document.
The trojan is known as Spyware/Win32.Zbot, Generic9_c.BJAJ, BackDoor.Maxplus.13119, Win32.Troj.Generic.a.(kcloud), Backdoor.Win32.ZAccess.elaw, Trojan:Win32/Sirefef.P and others.
At the time of writing, 24 of the 48 AV engines at Virus Total detected the trojan.
Virus Total permalink and SHA256: 0e12d76d30e2fbc20ce938d6bdafecfbbe232f55156ac3bed910eb702b06bdf0.
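As an added example (not MX Lab's code), the following Python script shows how a mail gateway or analyst could flag the attachment described above: it opens a ZIP attachment, flags members whose name uses a document extension followed by an executable extension (the invoice_...pdf.exe pattern), checks whether the content carries a Windows "MZ" executable header, and compares each member's SHA256 against the indicator published above. The sample archive it scans is constructed inline; the member name is taken from this post, but its content is a harmless placeholder, not the real trojan.

```python
import hashlib
import io
import zipfile

# Known-bad SHA256 taken from the advisory above (the only real indicator used here).
KNOWN_BAD_SHA256 = {
    "0e12d76d30e2fbc20ce938d6bdafecfbbe232f55156ac3bed910eb702b06bdf0",
}

# Final extensions that Windows treats as executable, and document extensions
# that a lure typically places directly in front of them (invoice.pdf.exe).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}


def is_double_extension_lure(name):
    """True for names like invoice.pdf.exe: a document extension followed by an executable one."""
    base = name.lower().rsplit("/", 1)[-1]  # strip any directory part inside the archive
    parts = base.split(".")
    if len(parts) < 3:
        return False
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


def scan_zip_attachment(zip_bytes, known_bad=KNOWN_BAD_SHA256, max_member_size=50 * 1024 * 1024):
    """Inspect every member of a ZIP attachment and return a list of findings.

    Each finding is a dict with the member name, its SHA256, its size and a list
    of reasons; an empty reason list means nothing suspicious was observed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > max_member_size:
                # Refuse to inflate oversized members (zip-bomb guard); report instead of reading.
                findings.append({"name": info.filename, "sha256": None, "size": info.file_size,
                                 "reasons": ["member too large to inspect"]})
                continue
            data = zf.read(info.filename)
            digest = hashlib.sha256(data).hexdigest()
            reasons = []
            if is_double_extension_lure(info.filename):
                reasons.append("double extension ending in executable type")
            if data[:2] == b"MZ":
                # PE/DOS executables start with 'MZ' whatever the file is called.
                reasons.append("content is a Windows executable (MZ header)")
            if digest in known_bad:
                reasons.append("sha256 matches known indicator")
            findings.append({"name": info.filename, "sha256": digest,
                             "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_zip():
    """Constructed sample archive: the lure file name from the advisory with harmless placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # 'MZ' header so the content check fires; the rest is filler, not malware.
        zf.writestr("invoice_2034837510_293mw.pdf.exe", b"MZ" + b"\x00" * 62 + b"placeholder, not malware")
        zf.writestr("readme.txt", b"benign text file")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_zip()):
        verdict = "BLOCK" if finding["reasons"] else "ok"
        print(f"{verdict:5} {finding['name']} sha256={finding['sha256'][:16]}... {'; '.join(finding['reasons'])}")
```

The name check and the MZ header check are independent on purpose: the name catches this campaign's lure even if the payload is repacked to a new hash, while the header check catches an executable that is renamed to a single innocent extension. The hash comparison only catches this exact sample and is the weakest of the three, which is why it is kept as a confirmation rather than the sole rule.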