MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Fiserv Secure Email Notification – 8715217”.
This email is sent from the spoofed address “Fiserv Secure Notification <email@example.com>” and has the following body:
You have received a secure message
Read your secure message by opening the attachment, SecureFile.zip.
The attached file contains the encrypted message that you have received.
To read the encrypted message, complete the following steps:
– Double-click the encrypted message file attachment to download the file to your computer.
– Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
To access from a mobile device, forward this message to firstname.lastname@example.org to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.362.9972.
2000-2015 Fiserv Secure Systems, Inc. All rights reserved.
The attached file SecureFile8715217.zip contains the 37 kB file SecureFile.exe.
The trojan is known as Virus.Win32.Heur.c, W32/Upatre.E3.gen!Eldorado, UDS:DangerousObject.Multi.Generic or Trojan.Win32.Qudamah.Gen.5.
At the time of writing, 8 of the 56 AV engines detected the trojan at VirusTotal.