TR/Crypt.ZPACK.Gen trojan in fake New Fax Message email from RingCentral


MX Lab, http://www.mxlab.eu, has started intercepting a new trojan distribution campaign by email with the subject “New Fax Message on 02/12/2013” (even though it is already the 17th!).

This email is sent from the spoofed address “Floyd Mack <info@ast-consulting.ru>” and has the following body:

From: (616) 302-2551
Received: Wednesday, February 12, 2014 at 11:33 AM
Pages: 8
To view this message, please open the attachment

Thank you for using RingCentral.

A screenshot of the email:

The attached ZIP file is named fax.zip and contains an 18 kB file named fax.pdf.exe.

The trojan is known as TR/Crypt.ZPACK.Gen, HEUR/Malware.QVM07.Gen or Win32:Malware-gen. It can start servers that listen for incoming connections, changes the local firewall policies, runs at startup and makes HTTP requests.

At the time of writing, 4 of the 50 AV engines on Virus Total detected the trojan.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: fa6b3964d478a6af32b63d06395e74d87e1accfa8521db0a372c7c2e047bc684
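As an added example (not code from MX Lab's post), a small mail-gateway check in Python that opens ZIP attachments, flags double-extension executables such as the fax.pdf.exe described above, and compares each member's SHA256 with the hash listed here. The sample message it builds is a constructed lookalike of the lure with a harmless placeholder in place of the real executable.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# SHA256 the post reports for fax.pdf.exe, used here as the known-bad list.
KNOWN_BAD_SHA256 = {"fa6b3964d478a6af32b63d06395e74d87e1accfa8521db0a372c7c2e047bc684"}
# Executable extensions that are a red flag when hidden behind a document-looking name.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def has_double_extension(name):
    """True for names like fax.pdf.exe: a document extension in front of an executable one."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and "." + parts[-1] in EXEC_EXTS

def scan_zip_bytes(data):
    """Hash every ZIP member and flag double extensions and known-bad hashes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            findings.append({"name": info.filename, "sha256": digest,
                             "double_extension": has_double_extension(info.filename),
                             "known_bad": digest in KNOWN_BAD_SHA256})
    return findings

def scan_eml(raw):
    """Parse a raw RFC 822 message and scan each ZIP attachment it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        if fname.lower().endswith(".zip") and payload:
            for finding in scan_zip_bytes(payload):
                results.append(dict(finding, attachment=fname))
    return results

def build_sample_eml():
    """Constructed lookalike of the lure; the ZIP member is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax.pdf.exe", b"placeholder bytes, not the real sample")
    msg = EmailMessage()
    msg["Subject"] = "New Fax Message on 02/12/2013"
    msg.set_content("To view this message, please open the attachment")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="fax.zip")
    return msg.as_bytes()
```

Running scan_eml(build_sample_eml()) reports the fax.pdf.exe member with double_extension set; known_bad only becomes true when a member's hash matches the list above.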