MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “You’ve received a new fax”.
This email is sent from the spoofed address and has the following body:
New fax at SCAN9106970 from EPSON by https://*******.com
Scan date: Tue, 16 Dec 2014 13:17:59 +0000
Number of pages: 2
Resolution: 400×400 DPI
You can secure download your fax message at:
(eFax Drive is a file hosting service operated by J2, Inc.)
The downloaded file document7241_pdf.zip contains the 33 kB file document7241_pdf.scr.
The trojan is known as Packed.Win32.Katusha.1!O or Malware.QVM20.Gen.
At the time of writing, 2 of the 54 AV engines detected the trojan at VirusTotal.
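With signature coverage this low, a mail gateway or triage script can still flag the archive by its contents. The following is an added example, not part of the original MX Lab post: it lists ZIP members that have an executable extension, a document type hinted in the name (as in document7241_pdf.scr), or an MZ header. The extension list, the function names and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Extensions Windows runs directly; .scr (screensaver) is a regular PE executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".cpl"}
# Document type hinted at the end of the base name, e.g. "document7241_pdf".
DOC_HINT = re.compile(r"[._-](pdf|doc|docx|xls|xlsx|jpg)$", re.IGNORECASE)


def suspicious_entries(zip_bytes):
    """Return (name, reasons) for each member that looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            stem, dot, ext = name.rpartition(".")
            ext = (dot + ext).lower() if dot else ""
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension " + ext)
                if DOC_HINT.search(stem):
                    reasons.append("document type hinted in name")
            # Check the content too, in case the extension was changed.
            with archive.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("MZ header")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_zip(member_name, content):
    """Build a constructed in-memory ZIP for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed, harmless stand-in: only the name and first two bytes mimic the sample.
    sample = build_sample_zip("document7241_pdf.scr", b"MZ" + b"\x00" * 64)
    for name, reasons in suspicious_entries(sample):
        print(name, "->", "; ".join(reasons))
```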