MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Thank you for scheduling your online payment”.
This email is sent from the spoofed address “user <email@example.com>” and has the following body:
Thank you for scheduling your recent credit card payment as an attachment. Your payment in the amount of 3898.96 will be credited to your credit card account (CREDIT CARD) ending in 6603 on 04/07/2015.
Now that you’re making your payment online, are you aware of all the convenient ways you can manage your account online?
See statements – Choose to stop receiving paper statements, and see up to six years of your statements online.
See automatic payments – Set up monthly payments to be made automatically.
Transfer a balance – Transfer a balance to your credit card account.
Go to Personalized Alerts – Schedule Alerts to remind you of key account activity.
You can also see past payments you’ve made online by logging on to http://www.chase.com/creditcards and clicking “See/cancel payments” under “I’d like to …”
If you have questions, please call the Customer Service number on the back of your credit card.
Thanks again for using online payments.
Screenshot of the message:
The attached file payment-6603-oMjo.zip contains the 42 kB file payment.exe.
The trojan is known as Upatre-FAAR!AF3E7DE0EB61, Trojan.Win32.YY.Gen.3, Troj/DwnLdr-MJQ or Win32.Malware!Drop.
At the time of writing, 13 of the 57 AV engines detected the trojan at VirusTotal.
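As an added example (not code from MX Lab), a small mail-gateway check for the pattern this campaign uses: a zip attachment that wraps an executable, combined with the lure subject line. The sample message is constructed inline with a harmless stub in place of the real payment.exe; the executable-suffix list and the scan functions are assumptions for illustration.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Suffixes treated as executable when found inside a zip attachment (assumed list)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# Lure subject seen in this campaign, compared case-insensitively
LURE_SUBJECTS = ("thank you for scheduling your online payment",)

def executables_in_zip(data: bytes) -> list[str]:
    """Return member names with an executable suffix; empty list if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []

def scan_message(msg: EmailMessage) -> dict:
    """Collect indicators: lure subject match and zip attachments wrapping executables."""
    subject = (msg.get("Subject") or "").strip().lower()
    findings = {"subject_match": subject in LURE_SUBJECTS, "zip_with_executable": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            members = executables_in_zip(part.get_payload(decode=True))
            if members:
                findings["zip_with_executable"].append((name, members))
    return findings

def is_suspicious(msg: EmailMessage) -> bool:
    """Flag when the zip-wrapped executable or the lure subject is present."""
    f = scan_message(msg)
    return bool(f["zip_with_executable"]) or f["subject_match"]

def build_sample_message() -> EmailMessage:
    """Constructed sample mirroring the campaign; the .exe is a harmless stub, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payment.exe", b"MZ" + b"\x00" * 64)
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "user <email@example.com>"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Thank you for scheduling your online payment"
    msg.set_content("Thank you for scheduling your recent credit card payment as an attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="payment-6603-oMjo.zip")
    return msg

if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```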