MX Lab, http://www.mxlab.eu, started intercepting a new trojan distribution campaign by email with the subject “Important Documents”.
This email is sent from the spoofed address “Charlie Egan <Charlie.Egan@wellsfargo.com>” and has the following body:
Please check out your latest account documents.
Level III Security Officer
817-607-0621 cell Charlie.Egan@wellsfargo.com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.
The attached file Important_Documents.zip contains the 37 kB file Important_Documents.exe.
The trojan is known as Virus.Win32.Heur.c, UDS:DangerousObject.Multi.Generic, BehavesLike.Win32.Yahlover.nt or Upatre.FN.
At the time of writing, 8 of the 57 AV engines on VirusTotal detected the trojan.
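As an added example (not code from the MX Lab post), the following mail-gateway check flags the delivery pattern described above: a zip attachment wrapping an executable. The sample message, the archive and the .exe inside it are constructed here; the .exe is an inert stub, not the malware.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File extensions that should not arrive inside a mailed archive.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def archive_members(data: bytes) -> list:
    """Return member names of a zip payload, or [] if it is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def scan_message(raw: bytes) -> list:
    """Return a list of findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        for member in archive_members(payload):
            if member.lower().endswith(EXEC_EXTS):
                findings.append(f"{name} contains executable {member}")
    return findings


def build_sample() -> bytes:
    """Constructed sample mimicking the campaign: a zip wrapping a fake .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Inert stub with an MZ header only; constructed for the test, not malware.
        zf.writestr("Important_Documents.exe", b"MZ" + b"\x00" * 64)
    msg = EmailMessage()
    msg["From"] = "Charlie Egan <Charlie.Egan@wellsfargo.com>"
    msg["Subject"] = "Important Documents"
    msg.set_content("Please check out your latest account documents.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Important_Documents.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```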