Fake email regarding rejected tax payment for the IRS contains Upatre.FH trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Your FED TAX payment (ID:O3TIRS728028489) was Rejected” (the ID may vary in each subject line).

This email is sent from the spoofed address “TAX@irs.gov” <tax@irs.gov> and has the following body:

*** PLEASE DO NOT RESPOND TO THIS EMAIL ***
Your federal Tax payment (ID: O3TIRS728028489), recently sent from your checking account was returned by the your financial institution.

For more information, please download attached notification. (Security Adobe PDF file)

Transaction Number: O3TIRS728028489}

Payment Amount: $ 5146.52
Transaction status: Rejected
ACH Trace Number: 1111111111
Transaction Type: ACH Debit Payment-DDA
Internal Revenue Service
Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785.

The attached file FEDERAL_tax_notify.zip contains the 23 kB file FEDERAL_tax_notify.scr.

The trojan is known as Upatre.FH or HEUR/QVM06.1.Malware.Gen.

At the time of writing, 2 of the 55 AV engines detected the trojan at Virus Total.

Use the Virus Total permalink or Malwr permalink for more detailed information.
SHA256: fabbd25da4711c9a8a3be021e71fc2597e1e22904b38beb322b91302f05ca0bb
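
The two indicators described above, the subject pattern and a ZIP attachment that holds a .scr executable, can be checked at a mail gateway before delivery. The Python below is an added example, not code from MX Lab; the function names, the extension list and the sample message (inert payload) are constructed for illustration.

```python
import io
import os
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly; .scr (screensaver) is an ordinary PE executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Subject shape quoted in the advisory; the ID differs per message.
SUBJECT_RE = re.compile(r"Your FED TAX payment \(ID:\s*\w+\) was Rejected", re.I)
CAMPAIGN_SUBJECT = "Your FED TAX payment (ID:O3TIRS728028489) was Rejected"


def scan_message(raw: bytes) -> dict:
    """Return the campaign indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = {"subject_match": bool(SUBJECT_RE.search(str(msg.get("Subject", "")))),
             "executables_in_zip": [], "unreadable_zip": False}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        # Check the ZIP magic as well as the name: the declared name can lie.
        if not (name.endswith(".zip") or data.startswith(b"PK\x03\x04")):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                found["executables_in_zip"] += [
                    m for m in zf.namelist()
                    if os.path.splitext(m)[1].lower() in EXECUTABLE_EXTS]
        except zipfile.BadZipFile:
            found["unreadable_zip"] = True  # corrupt archive: quarantine
    return found


def build_sample(member="FEDERAL_tax_notify.scr", subject=CAMPAIGN_SUBJECT) -> bytes:
    """Constructed test message: names from the advisory, inert payload bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"inert placeholder bytes, not malware")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "tax@irs.gov", "user@example.com", subject
    msg.set_content("For more information, please download attached notification.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="FEDERAL_tax_notify.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

An executable inside an archive is a strong signal on its own, so the attachment check should block or quarantine even when the subject does not match.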