MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “New Fax Message on 02/12/2013” (even though it is already the 17th!).
This email is sent from the spoofed address “Floyd Mack <firstname.lastname@example.org>” and has the following body:
From: (616) 302-2551
Received: Wednesday, February 12, 2014 at 11:33 AM
To view this message, please open the attachment
Thank you for using RingCentral.
A screenshot of the email:
The attached ZIP file is named fax.zip and contains the 18 kB file fax.pdf.exe.
The trojan is known as TR/Crypt.ZPACK.Gen, HEUR/Malware.QVM07.Gen or Win32:Malware-gen. It can start servers that listen for connections, change the local firewall policies, run at startup and make HTTP requests.
At the time of writing, 4 of the 50 AV engines detected the trojan at VirusTotal.
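With only 4 of 50 engines detecting the sample, a mail gateway or triage script can still flag attachments like the one described above by looking inside the ZIP for a document-looking name that ends in an executable extension. The following Python check is an added example, not MX Lab's code; the extension lists and function names are assumptions, and the sample archive is constructed with placeholder bytes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists: extensions Windows will execute, and document extensions used as a decoy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def classify_member(name: str) -> str:
    """Return 'double-extension', 'executable' or 'ok' for one archive member name."""
    # ZIP names use '/', but normalise '\\' too; Windows ignores trailing dots and spaces.
    base = PurePosixPath(name.replace("\\", "/")).name.rstrip(". ").lower()
    suffixes = PurePosixPath(base).suffixes
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan_zip_attachment(data: bytes) -> dict:
    """Map each file in a ZIP attachment to its classification."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if not info.is_dir():
                findings[info.filename] = classify_member(info.filename)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: harmless placeholder bytes under the file name from this campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("fax.pdf.exe", b"placeholder, not a real executable")
        archive.writestr("readme.txt", b"constructed benign member")
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in scan_zip_attachment(build_sample_zip()).items():
        print(f"{member}: {verdict}")
```

The check relies on file names only, so it catches the naming trick regardless of whether any AV signature exists for the payload.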