After the fake email from Royal Mail regarding detained package a similar trojan distribution campaign appears with more or less the same lay out in the email that targets Mastercard holders with the subject “Important notification for a Mastercard holder”.
MX Lab, http://www.mxlab.eu, started to intercept this emails that are send from the spoofed address “MasterCard” and has the following body:
Important notification for a Mastercard holder!
Your Bank debit card has been temporarily blocked
We’ve detected unusual activity on your Bank debit card . Your UK Bank debit card has been temporarily blocked, please fill document in attachment and contact us
© 1994-2013 MasterCard
Screenshot of the email body:
The attached ZIP file has the name MasterCard_D77559FFA7.zip and contains the 131 kB large file MasterCard_info_pdf_34857348957239509857928472389469812364912034237412893476812734.pdf.exe.
The trojan is known as PasswordStealer.Fareit, Trojan-PWS/W32.Tepfer.131072.HS, PE:Malware.Obscure/Huer!1.9E03, Troj/Agent-AFAZ or Trojan.DownLoader9.22851.
At the time of writing, 12 of the 48 AV engines did detect the trojan at Virus Total.