MX Lab, http://www.mxlab.eu, started intercepting a new trojan distribution campaign by email with the subject “401k June 2014 Fund Performance and Participant Communication”, presented as a Fidelity fund performance report.
This email is sent from the spoofed address “Cora Mccracken <CoraMccracken@fidelity.com>” and has the body shown below. Note that the subject refers to a report for June while the body of the email and the attached ZIP archive use October, so I assume that this is a small mistake.
Co-op 401k Plan Participants –
Attached you will find the October 2014 401k fund performance results as well as an informational piece regarding online calculators available on the website.
If you are a facility manager, please forward, print or post a copy of these pages on your bulletin board or in a conspicuous place where your employees can see them.
Please contact me if you have any questions.
Employee Benefits/Plan Administrator
The attached ZIP file is named October-2014-401k-Fund.zip and contains the 23 kB file October-2014-401k-Fund.scr.
The trojan is known as Win32.Malware!Drop, W32/Trojan3.LNK, Trojan.Upatre.100, W32/Trojan.DXKV-8011 or Win32/TrojanDownloader.Waski.A.
At the time of writing, 12 of the 54 AV engines detected the trojan at Virus Total.
Use the Virus Total permalink for more detailed information.