MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Your FED TAX payment (ID:O3TIRS728028489) was Rejected” (the ID may vary in each subject line).
This email is sent from the spoofed address “TAX@irs.gov” <firstname.lastname@example.org> and has the following body:
*** PLEASE DO NOT RESPOND TO THIS EMAIL ***
Your federal Tax payment (ID: O3TIRS728028489), recently sent from your checking account was returned by the your financial institution.
For more information, please download attached notification. (Security Adobe PDF file)
Transaction Number: O3TIRS728028489}
Payment Amount: $ 5146.52
Transaction status: Rejected
ACH Trace Number: 1111111111
Transaction Type: ACH Debit Payment-DDA
Internal Revenue Service
Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785.
The attached file FEDERAL_tax_notify.zip contains the 23 kB file FEDERAL_tax_notify.scr.
The trojan is known as Upatre.FH or HEUR/QVM06.1.Malware.Gen.
At the time of writing, 2 of the 55 AV engines at VirusTotal detected the trojan.