MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects such as:
Get your parcel
Please get your parcel
Print your postal label
Your delivery status is changed
You need to get a parcel
Your package is available for pick up
Your parcel is given for the safekeeping
…
The email is sent from spoofed addresses such as “USPS Service <delivery_nr148@usps.com>”, “US Postal Service <sup_401@usps.com>”, … and has the following body:
Notification,
Our company’s courier couldn’t deliver your parcel.
Status/The weight of parcel is exceed the available parameters for free delivery.
LOCATION: Santa Ana
STATUS OF YOUR PARCEL: not delivered
SERVICE: Expedited Shipping
ITEM NUMBER:U866783853NU
INSURANCE: Yes
Postal label is enclosed to the letter.
You should print the label and show it in the nearest post office to get a parcel.
Information in brief:
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $5.83 for each day of keeping of it. You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for attention.
USPS Logistics Services.
The attached ZIP file has the name Label_Parcel_USPS_ID.45-123-14.zip and contains the 24 kB file Label_Parcel_USPS_ID.45-123-14.exe (the numbers in the file names vary with each new email).
The trojan is known as Gen:Variant.Barys.961 (BitDefender), W32/Trojan3.DLI (F-Prot), W32/Kryptik.AEKY!tr (Fortinet), Trojan-Dropper.Win32.Dapato.axrl (Kaspersky), Win32/TrojanDownloader.Zortob.A (NOD32), Troj/Bredo-VW (Sophos).
At the time of writing, 20 of the 42 AV engines at VirusTotal detected the trojan.
VirusTotal permalink and SHA256: 8e7ff2a157e9e2279154cfda27c67abefc14cc6026bdc319635f42208c2216f6.
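The indicators above (subject lines, spoofed usps.com sender, the Label_Parcel_USPS_ID.<numbers>.zip attachment wrapping an .exe, and the published SHA256) are enough to build a mail-gateway check for this campaign. The following is an added example, not MX Lab's code: it parses an RFC 822 message, matches each indicator, and inspects any ZIP attachment for an executable whose hash equals the published one. The sample message it builds is constructed for the demonstration; its "executable" is harmless placeholder bytes, so only the hash indicator stays unmatched.

```python
import email
import email.utils
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the MX Lab post (subjects normalised to lowercase).
CAMPAIGN_SUBJECTS = {
    "get your parcel",
    "please get your parcel",
    "print your postal label",
    "your delivery status is changed",
    "you need to get a parcel",
    "your package is available for pick up",
    "your parcel is given for the safekeeping",
}
SPOOFED_SENDER_DOMAIN = "usps.com"
# The numeric part of the attachment name varies per email, so match it loosely.
ATTACHMENT_NAME_RE = re.compile(r"^Label_Parcel_USPS_ID\.\d+-\d+-\d+\.zip$", re.IGNORECASE)
# SHA256 of the dropped executable as published in the post.
KNOWN_SHA256 = "8e7ff2a157e9e2279154cfda27c67abefc14cc6026bdc319635f42208c2216f6"
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def sender_domain(msg: EmailMessage) -> str:
    """Return the lowercase domain of the From header address ("" if absent)."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def zip_executables(data: bytes):
    """Yield (name, sha256) for each executable inside a ZIP blob; nothing if it is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                    yield info.filename, hashlib.sha256(zf.read(info)).hexdigest()
    except zipfile.BadZipFile:
        return


def score_message(raw: bytes) -> dict:
    """Match one raw message against the campaign indicators and count the hits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {
        "subject": msg.get("Subject", "").strip().lower() in CAMPAIGN_SUBJECTS,
        "spoofed_usps_sender": sender_domain(msg) == SPOOFED_SENDER_DOMAIN,
        "attachment_name": False,
        "zip_contains_exe": False,
        "known_hash": False,
    }
    for part in msg.iter_attachments():
        if ATTACHMENT_NAME_RE.match(part.get_filename() or ""):
            hits["attachment_name"] = True
        for _, digest in zip_executables(part.get_payload(decode=True) or b""):
            hits["zip_contains_exe"] = True
            if digest == KNOWN_SHA256:
                hits["known_hash"] = True
    hits["score"] = sum(hits.values())  # bools add up to the number of matched indicators
    return hits


def build_sample_message() -> bytes:
    """Constructed look-alike of the campaign email; the .exe is dummy bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Label_Parcel_USPS_ID.45-123-14.exe", b"MZ constructed placeholder")
    msg = EmailMessage()
    msg["From"] = "USPS Service <delivery_nr148@usps.com>"
    msg["To"] = "recipient@example.org"  # constructed recipient
    msg["Subject"] = "Print your postal label"
    msg.set_content("Notification,\nOur company's courier couldn't deliver your parcel.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Label_Parcel_USPS_ID.45-123-14.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample_message()))
```

A gateway would quarantine on any ZIP-wrapped executable regardless of the other indicators; the subject, sender and name checks are there to attribute the message to this campaign and to catch variants whose hash has already changed.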
