MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Fiserv Secure Email Notification – 4634340”.
This email is send from the spoofed address “Fiserv Secure Notification <email@example.com>” and has the following body:
You have received a secure message
Read your secure message by opening the attachment, Incident_4634340.zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password – ISU8sSG2pLL
To read the encrypted message, complete the following steps:
– Double-click the encrypted message file attachment to download the file to your computer.
– Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
– The message is password-protected, enter your password to open it.
To access from a mobile device, forward this message to firstname.lastname@example.org to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.128.1659.
2000-2014 Fiserv Secure Systems, Inc. All rights reserved.
The password protected attached ZIP file has the name Incident_4634340.zip and contains the 27 kB large file Incident-04282014.scr.
The trojan is known as Trojan.Agent.BCTH, TR/Dropper.Gen2, Win32/Kryptik.CATQ, Trojan.Email.FakeDoc or Troj/Agent-AGWZ.
At the time of writing, 10 of the 51 AV engines did detect the trojan at Virus Total.
Use the Virus Total permalink for more detailed information.