MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “You have received a new secure message”.
This email is sent from the spoofed address “Dylan A Scheffel <Dylan.A.Scheffel@jpmorgan.com>” and has the following body:
This is a secure, encrypted message.
Open the attachment (message_zdm.html) and follow the instructions.
Voltage secure mail is not currently supported on mobile devices. If you experience issues, please access your secure message from a fully functional browser.
Personal Security Image
Your personalized image for: email@example.com
This personal security image will appear on secure email to you.
Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.
Email Security Powered by Voltage IBE
Copyright 2013 JPMorgan Chase & Co. All rights reserved
The attached file message_zdm.zip contains the 36 kB file message_zdm.exe.
The trojan is known as Trojan.DownLoader11.53284, Upatre.FN, Troj/Agent-AKUU or HB_Arkam.
At the time of writing, 11 of the 54 AV engines on VirusTotal detected the trojan.
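The lure pattern described above (body tells the recipient to open an .html file, but the actual attachment is a .zip wrapping an .exe) can be flagged at the mail gateway without relying on AV signatures. The following is an added detection example, not MX Lab's own tooling; the .eml it builds is a constructed replica using the subject and file names from this campaign, with placeholder bytes standing in for the real sample.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECT = "You have received a new secure message"
EXEC_EXTS = (".exe", ".scr", ".pif", ".com")

def build_sample_eml() -> bytes:
    """Constructed replica of the lure: body names an .html, attachment is a .zip with an .exe."""
    msg = EmailMessage()
    msg["From"] = "Dylan A Scheffel <Dylan.A.Scheffel@jpmorgan.com>"
    msg["To"] = "email@example.com"
    msg["Subject"] = SUBJECT
    msg.set_content("This is a secure, encrypted message.\n"
                    "Open the attachment (message_zdm.html) and follow the instructions.\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder content only; the real sample is not reproduced here.
        zf.writestr("message_zdm.exe", b"MZ" + b"\x00" * 40)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="message_zdm.zip")
    return msg.as_bytes()

def analyse(raw: bytes) -> dict:
    """Return the lure indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    # File names the body tells the reader to open (here: message_zdm.html).
    referenced = set(re.findall(r"\b([\w.-]+\.html?)\b", body))
    attached, zipped_execs = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        attached.append(name)
        if name.lower().endswith(".zip"):
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                zipped_execs += [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]
    return {
        "subject_match": msg["Subject"] == SUBJECT,
        "body_refs_missing": sorted(referenced - set(attached)),  # promised but not attached
        "zipped_executables": zipped_execs,
    }

def is_lure(report: dict) -> bool:
    """Executable inside a zip plus either the known subject or a body/attachment mismatch."""
    return bool(report["zipped_executables"]) and bool(
        report["subject_match"] or report["body_refs_missing"])
```

Run on the constructed message, `is_lure(analyse(build_sample_eml()))` returns True because the zip holds message_zdm.exe while the body promises message_zdm.html.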