MX Lab, http://www.mxlab.eu, has started to intercept a new trojan distribution campaign by email with subjects like:
Ezekiel Francis your agent FEDEX
Bullock, Tiger P. agent FEDEX
Quin Greer FEDEX company
The email is sent from the spoofed addresses “FEDEX TRACK <******@care.it>”, “FEDEX INFO <firstname.lastname@example.org>” or “FEDEX INFO <email@example.com>” and has the following body:
We attempted to deliver your package on December 2th, 2014, 10:50 AM.
The delivery attempt failed because the address was business closed or nobody could sign for it.
To pick up the package,please, print the invoice that is attached to this email and visit Fedex location indicated in the receipt.
If the package is not picked up within 48 hours, it will be returned to the shipper.
Label/Receipt Number: 45675665665
Expected Delivery Date: December 2th, 2014
Class: International Package Service
Service(s): Delivery Confirmation
Status: Notification sent
Copyright© 2014 FEDEX. All Rights Reserved.
*** This is an automatically generated email, please do not reply ***
The attached file Package.zip contains the 180 kB file 45675665665.scr.
The trojan is known as Win32:Trojan-gen, a variant of Win32/Injector.BQTY, TR/Crypt.Xpack.78830 or W32/BQOC!tr.
At the time of writing, 3 of the 54 AV engines at VirusTotal detected the trojan.
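
With signature coverage this low, a mail gateway can still catch the message on structure alone: a ZIP attachment whose member is a directly executable file such as a .scr. The following is an added example, not MX Lab's code. The function names, the extension list and the sample message (built inline with a harmless placeholder instead of the real payload) are assumptions made for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly; the list is an assumption for this example.
RISKY_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def risky_zip_members(raw_message: bytes) -> list:
    """Return (attachment, member) pairs for executable files inside ZIP attachments."""
    findings = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Trust content over the declared name: ZIP data starts with PK\x03\x04.
        if not payload.startswith(b"PK\x03\x04"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                names = archive.namelist()
        except zipfile.BadZipFile:
            # An archive the gateway cannot list should not pass silently.
            findings.append((filename, "<unreadable archive>"))
            continue
        for name in names:
            if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
                findings.append((filename, name))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample mirroring the attachment layout the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("45675665665.scr", b"harmless placeholder, not a PE file")
    msg = EmailMessage()
    msg["Subject"] = "Quin Greer FEDEX company"
    msg["From"] = "FEDEX INFO <sender@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Label/Receipt Number: 45675665665")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Package.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(risky_zip_members(build_sample_message()))
```

Because the check reads the archive listing rather than matching a signature, it does not depend on any AV engine recognising the payload.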