BREDOLAB set out on a spam rerun just in time for the holidays. This recent run is similar to the laptop delivery note spam run we reported in August. This time, however, the spammed message is made to appear as though it came from the well-known courier DHL.
The spammed message makes it appear as though the users have received a notification from DHL alerting them to an error in shipping a certain package. The message also prompts the users to open an attached file.
The attached file DHL_package_label_cfb35.exe is detected as TROJ_BREDOLAB.CB.
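The two tells in this lure, a sender that does not belong to the courier it claims to be and an executable attachment whose name borrows the courier's brand, can be checked mechanically at the mail gateway. The following is an added example, not code from the original post or from Trend Micro: it parses an RFC 5322 message with Python's standard email library and flags both conditions. The courier domain lists, the extension list, and the sample messages are constructed for the example and are not vetted allowlists or real captures.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment extensions that should never arrive in a shipping notice.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# Courier brands that delivery-notice lures impersonate, mapped to the sender
# domains each would legitimately use. Assumed for this example, not a vetted list.
COURIER_DOMAINS = {
    "dhl": {"dhl.com", "dhl.de"},
    "ups": {"ups.com"},
    "fedex": {"fedex.com"},
}


def find_courier_brand(text):
    """Return the first courier brand mentioned in text (crude substring match), or None."""
    lower = text.lower()
    for brand in COURIER_DOMAINS:
        if brand in lower:
            return brand
    return None


def analyse_message(raw):
    """Parse a raw message and return a list of human-readable findings (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Brand claimed by the display name or subject versus the real sender domain.
    from_header = msg.get("From", "")
    _, sender = parseaddr(from_header)
    sender_domain = sender.rpartition("@")[2].lower()
    brand = find_courier_brand(msg.get("Subject", "") + " " + from_header)
    if brand and sender_domain not in COURIER_DOMAINS[brand]:
        findings.append(
            f"sender domain {sender_domain!r} does not match claimed courier {brand!r}"
        )

    # Executable attachments, and whether their names piggyback on the brand.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            findings.append(f"executable attachment {name!r}")
            if brand and brand in name.lower():
                findings.append(f"attachment name impersonates courier {brand!r}")
    return findings


def build_sample(sender, filename, payload):
    """Build a constructed delivery-notice message with one attachment (test input only)."""
    msg = EmailMessage()
    msg["From"] = f"DHL Customer Service <{sender}>"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "DHL delivery error: package could not be shipped"
    msg.set_content("Please open the attached label to reschedule delivery.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed lure: wrong sender domain plus an .exe named after the courier.
    # The payload is a 4-byte stub, not a real executable.
    lure = build_sample("notice@example.net", "DHL_package_label_cfb35.exe", b"MZ\x90\x00")
    for finding in analyse_message(lure):
        print("FLAG:", finding)
    # Constructed benign notice: legitimate domain, document attachment.
    benign = build_sample("notice@dhl.com", "label.pdf", b"%PDF-1.4")
    print("benign findings:", analyse_message(benign))
```

The sender-domain check is deliberately narrow: it only fires when the message claims a courier brand, so ordinary mail is untouched, and it says nothing about whether the claimed domain's SPF or DKIM actually verified, which a production filter would also consult.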
The technique behind this spam run is old and simple, but it can still be effective, especially now that we are well into the part of the holiday season when most people do their gift shopping. People who have purchased an item such as a laptop online and are expecting it to arrive by courier are the most likely to open the attachment and fall victim to this attack.
Last month, we published a Trend Micro research paper that revealed connections among BREDOLAB, FAKEAV, and ZBOT. BREDOLAB has been used numerous times to deploy FAKEAV and ZBOT variants. This behavior is similar to that of PUSHDO, which also led to the conclusion that PUSHDO and BREDOLAB were developed by the same cybercriminals. Our full report on BREDOLAB can be found here.
Trend Micro product users are protected from this threat through the Smart Protection Network.