Fiserv Secure Email Notification email with password protected file contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Fiserv Secure Email Notification – 4634340”.

This email is sent from the spoofed address “Fiserv Secure Notification <secure.notification@fiserv.com>” and has the following body:

You have received a secure message

Read your secure message by opening the attachment, Incident_4634340.zip.

The attached file contains the encrypted message that you have received.
To decrypt the message use the following password – ISU8sSG2pLL

To read the encrypted message, complete the following steps:

– Double-click the encrypted message file attachment to download the file to your computer.
– Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
– The message is password-protected, enter your password to open it.
To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.128.1659.

2000-2014 Fiserv Secure Systems, Inc. All rights reserved.

The password-protected ZIP attachment Incident_4634340.zip contains a single 27 kB file, Incident-04282014.scr. Despite the .scr (Windows screensaver) extension, this is an ordinary Windows executable that runs as soon as the recipient double-clicks it; the password protection keeps mail gateways from scanning the archive contents, and the email conveniently supplies the password needed to open it.

The trojan is detected as Trojan.Agent.BCTH, TR/Dropper.Gen2, Win32/Kryptik.CATQ, Trojan.Email.FakeDoc or Troj/Agent-AGWZ.

At the time of writing, 10 of the 51 AV engines on VirusTotal detected the trojan.

Use the VirusTotal permalink for more detailed information.
SHA256: d924e913813168c148da35c2a030de525b414c3e4455e4fa354c56bff3e5677a.
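The following triage helper is an added example and is not MX Lab's code. It shows how a responder can handle this kind of lure safely: pull the archive password out of the email text, open the ZIP with it without executing anything, flag members that carry an executable extension or a PE ("MZ") header, and compare each member's SHA256 against the indicator published above. Because Python's zipfile module cannot write encrypted archives, the sample archive built by build_sample_zip() is a constructed, unencrypted stand-in that reuses only the member name from the campaign; the bytes inside it are a harmless fake PE stub, not the real trojan. The regex and the extension list are the example's own assumptions.

```python
"""Triage helper for password-protected ZIP lures (added example, not MX Lab's code)."""
import hashlib
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Indicator published in the post; a member with this digest is the known sample.
KNOWN_SHA256 = {
    "d924e913813168c148da35c2a030de525b414c3e4455e4fa354c56bff3e5677a",
}

# Extensions Windows executes on double-click. A .scr is a PE executable,
# not a document, whatever the "encrypted message" story in the email says.
# Assumption of this example: the list is illustrative, not exhaustive.
EXECUTABLE_EXTENSIONS = {
    ".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".jar", ".lnk", ".msi", ".hta",
}

# Matches "password – ISU8sSG2pLL", "password - x", "password: x" (assumed pattern).
PASSWORD_RE = re.compile(r"password\s*[-–—:]\s*(\S+)", re.IGNORECASE)


def extract_password(body: str) -> Optional[str]:
    """Pull the archive password out of the lure text, stripping trailing punctuation."""
    m = PASSWORD_RE.search(body)
    return m.group(1).rstrip(".,;") if m else None


@dataclass
class Finding:
    name: str
    size: int
    sha256: str
    executable_extension: bool
    pe_header: bool
    known_sample: bool

    @property
    def suspicious(self) -> bool:
        return self.executable_extension or self.pe_header or self.known_sample


def triage_zip(data: bytes, password: Optional[str] = None) -> List[Finding]:
    """Read every member of a ZIP (ZipCrypto-protected or not) into memory and classify it.

    Nothing is written to disk and nothing is executed; the password is only
    used for decryption and is ignored for unencrypted members.
    """
    pwd = password.encode() if password else None
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info, pwd=pwd)
            ext = os.path.splitext(info.filename)[1].lower()
            digest = hashlib.sha256(content).hexdigest()
            findings.append(Finding(
                name=info.filename,
                size=len(content),
                sha256=digest,
                executable_extension=ext in EXECUTABLE_EXTENSIONS,
                pe_header=content[:2] == b"MZ",
                known_sample=digest in KNOWN_SHA256,
            ))
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for Incident_4634340.zip (NOT the real malware).

    Contains a fake PE stub under the campaign's member name plus a harmless
    decoy. It is unencrypted because zipfile cannot write encrypted archives.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Incident-04282014.scr", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        zf.writestr("readme.txt", b"decoy")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure line, copied from the email body quoted above.
    lure = "To decrypt the message use the following password – ISU8sSG2pLL"
    pw = extract_password(lure)
    for f in triage_zip(build_sample_zip(), pw):
        print(f"{f.name}: {f.size} bytes sha256={f.sha256} suspicious={f.suspicious}")
```

In practice the archive comes straight from the quarantined message and the password from the message body, so the whole check runs on the mail gateway or in the SOC without anyone opening the attachment; a member that is flagged as executable, or whose digest matches the published SHA256, is enough to block the message and hunt for the sender address and subject in mail logs.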