The malware is attached to emails sent out by cybercriminals

Jan 15, 2014 13:56 GMT

A piece of malware identified by MX Lab as Gen:Variant.Strictor.49180 (Upatre) is being distributed with the aid of at least two different spam runs.

The first one relies on fake ADP invoice emails that purport to come from [email protected]. The bogus notifications read something like this:

“Attached is the invoice (Invoice_ADP_3164342.zip) received from your bank. Please print this label and fill in the requested information. Once you have filled out all the information on the form please send it to [email protected]. For more details please see the attached file.”

The attached file is not an invoice, but a piece of malware.

For the second campaign, cybercriminals are abusing the name of Fiserv, a company that provides financial services technology. The emails carry the subject line “FW: Scanned Document Attached” and they read something like this:

“Protecting the privacy and security of client, company, and employee information is one of our highest priorities. That is why Fiserv has introduced the Fiserv Secure E-mail Message Center – a protected e-mail environment designed to keep sensitive and confidential information safe.

In this new environment, Fiserv will be able to send e-mail messages that you retrieve on a secured encrypted file. You have an important message from [email protected]. To see your message, use the following password to decrypt attached file: JkSIbsJPPai”

The same piece of malware is attached to these emails as well. The threat is disguised as a file called “FSEMC.Debra_Drake.zip.”
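The two lures share a recognisable shape (a .zip attachment, an "invoice from your bank" story, or a password handed out in the body to open the archive). The following mail-filter sketch is an added example, not code from MX Lab or from the article; the sample messages are constructed from the wording quoted above, and the scoring threshold is an assumption.

```python
import re
from dataclasses import dataclass

# Lure traits taken from the two Upatre spam runs described in the article.
ZIP_RE = re.compile(r"\.zip$", re.IGNORECASE)
INVOICE_NAME_RE = re.compile(r"^invoice[_\-].*\.zip$", re.IGNORECASE)
BANK_INVOICE_RE = re.compile(r"invoice .* received from your bank", re.IGNORECASE)
PASSWORD_RE = re.compile(r"password to (?:decrypt|open)\s+(?:the\s+)?attached file",
                         re.IGNORECASE)
SCANNED_SUBJECT_RE = re.compile(r"scanned document attached", re.IGNORECASE)


@dataclass
class Email:
    subject: str
    body: str
    attachments: list  # attachment file names only


def lure_indicators(msg: Email) -> list:
    """Return the lure traits present in a message, in a fixed order."""
    hits = []
    zips = [a for a in msg.attachments if ZIP_RE.search(a)]
    if not zips:
        return hits  # both campaigns deliver the downloader inside a .zip
    hits.append("zip_attachment")
    if any(INVOICE_NAME_RE.match(a) for a in zips):
        hits.append("invoice_named_zip")
    if BANK_INVOICE_RE.search(msg.body):
        hits.append("bank_invoice_text")
    if PASSWORD_RE.search(msg.body):  # password in the body defeats gateway scanning
        hits.append("password_for_attachment")
    if SCANNED_SUBJECT_RE.search(msg.subject):
        hits.append("scanned_document_subject")
    return hits


def should_quarantine(msg: Email) -> bool:
    # Assumption: a .zip alone is ordinary mail; hold it when a lure trait accompanies it.
    return len(lure_indicators(msg)) >= 2


# Constructed samples modelled on the quoted lures (not real captured mail).
ADP_SAMPLE = Email("Invoice", "Attached is the invoice (Invoice_ADP_3164342.zip) "
                   "received from your bank. Please print this label.",
                   ["Invoice_ADP_3164342.zip"])
FISERV_SAMPLE = Email("FW: Scanned Document Attached", "To see your message, use the "
                      "following password to decrypt attached file: JkSIbsJPPai",
                      ["FSEMC.Debra_Drake.zip"])
BENIGN_SAMPLE = Email("Offsite photos", "Pictures from last week attached.", ["photos.zip"])
```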

At the time of writing, most antivirus engines are capable of detecting the threat, so make sure your security solution is up to date.

Other antivirus engines detect Gen:Variant.Strictor.49180 as Gen:Variant.Zusy.79270 (Bitdefender), Win32/TrojanDownloader.Waski.A (ESET), Spyware.ZeuS (Malwarebytes), TrojanDownloader:Win32/Upatre.A (Microsoft) and Trojan.Zbot (Symantec). The threat is designed to download additional malware, such as the ZeuS banking Trojan, to infected machines.