MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “2015 PMQ agreement”.
This email is sent from the spoofed address “firstname.lastname@example.org” and has the following body:
I have Not received your signed contract for the 2015 ad campaign. If you would please sign and return.
Watch our 2015 PMQ Media Kit here: http://www.pmq.com/2015-PMQ-Media-Kit/
PMQ Pizza Magazine
Linda Green / Co-Publisher
(662)234-5481 ext 121 / email@example.com
PMQ Pizza Magazine Office: 662-234-5481 x121 / Fax: 662-234-0665
605 Edison Street, Oxford, MS 38655
Don’t forget to renew your subscription to the magazine at http://www.pmq.com/Subscribe-PMQ/
The attached file American_Wholesale.zip contains the 12 kB file American_Wholesale.exe.
The trojan is known as Trojan/Win32.Upatre, Upatre-FAAR!D8D4189A5364, Trojan.Agent/Gen-Downloader or Win32.Trojan.Downloader-pdf.Auto.
At the time of writing, 8 of the 57 AV engines detected the trojan on VirusTotal.
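With detection this low, a mail filter can key on the attachment pattern described above (a ZIP whose member is a Windows executable) rather than on AV signatures. The following check is an added example, not part of MX Lab's post; the extension list, the sender and recipient addresses, and the dummy archive contents are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions Windows runs directly; this list is an assumption, extend as needed.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def build_sample() -> bytes:
    """Constructed sample: a message with a ZIP holding a harmless dummy .exe member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("American_Wholesale.exe", b"not a real executable")
    msg = EmailMessage()
    msg["Subject"] = "2015 PMQ agreement"
    msg["From"] = "sender@example.org"        # constructed address
    msg["To"] = "recipient@example.org"       # constructed address
    msg.set_content("Please sign and return.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="American_Wholesale.zip")
    return msg.as_bytes()


def executable_members(raw: bytes) -> list[tuple[str, str, int]]:
    """Return (attachment, member, uncompressed size) for executables in ZIP attachments."""
    hits = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Decide by content, not by filename or declared MIME type.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():  # central directory only, nothing extracted
                    ext = PurePosixPath(info.filename.lower()).suffix
                    if ext in EXECUTABLE_EXTS:
                        hits.append((name, info.filename, info.file_size))
        except zipfile.BadZipFile:
            hits.append((name, "<unreadable archive>", 0))
    return hits


if __name__ == "__main__":
    for attachment, member, size in executable_members(build_sample()):
        print(f"{attachment}: {member} ({size} bytes)")
```

The check only reads the archive's file listing, so the member is never written to disk or executed.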