    10:06 am (UTC-7)   |    by

    Surprised, or excited perhaps, at the unexpected “package” sent to you by someone you do not really know? Don’t get too carried away. A little caution wouldn’t hurt.

    Our analysts have been catching spam samples pretending to come from the United Parcel Service Inc. (UPS) to lure users since last week. UPS is one of the world’s largest package delivery companies, so this spam run, which informs users that a package has been sent to them, has a lot going for it in terms of hauling in gullible users. These messages come with fake tracking numbers that actually vary from email to email, a nifty trick meant to help the email messages appear almost authentic.

    Here’s a screenshot of the spammed email:

    Fake UPS Email

This spam run was seen in certain European countries. The messages carry .ZIP files as attachments, which when unzipped contain an .EXE file (mostly ups_invoce.exe, detected as TSPY_ZBOT.NM). A nasty info stealer, TSPY_ZBOT.NM connects to a site to download a file containing the sites that it will attempt to monitor. As of this writing, the file contains links to the legitimate sites of Bank of America and Natwest Online Banking. Since the file is in a remote location, the malware writer can update it at any time to include new victim sites.

    This week TrendLabs researchers also discovered a seemingly separate (but eerily familiar) spam run. This one also pretends to be from UPS and uses a .ZIP extension. However, the real file type of the attachment is .RAR. The Trojans attached are detected as TROJ_DLOADR.GG (and have less in common with the ZBOT variant in the earlier illustration). The following are samples:

The German email messages above translate to the following:

    Subject: UPS Paket N3553756192

    Good Day,

    Unfortunately, we were not able to deliver the postal package you sent on July the 1st in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.

    Your UPS

Advanced Threats Researcher Alice Decker confirms that when the file is executed, it attempts to connect to http://{BLOCKED}, where it presumably sends stolen information. It then gets updates from a source in Germany that seems to be an infected legitimate Web host. While it is active, the malware drops several files that seem to contain encrypted user information. It also drops a copy of itself as %System32%unserinit.exe, renaming the original file to userini.exe. Even the automatic Windows Update feature is disabled; the system logs several entries of update attempts.

The B2C (business-to-consumer) parcel industry is set to be the next big thing in Europe, says market research company Datamonitor, according to M2 Presswire in this report. European users, especially those who routinely have purchases delivered to them, should be extra careful when receiving communications from their parcel delivery company of choice. It is recommended to treat such messages with suspicion whenever their format (content, sender address, attachment type) differs from the genuine ones. It may be best to track deliveries online or by phone instead.
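Two of the indicators described above are mechanically checkable on the mail gateway: an attachment named .ZIP whose bytes are really a RAR archive, and a ZIP archive that carries an .EXE. The following is an added example, not code from the original post or from Trend Micro; the sample attachments are constructed inline and contain no real malware.

```python
import io
import zipfile

# Magic bytes for the two container formats the post mentions.
SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",  # prefix shared by RAR 1.5 (..\x00) and RAR 5 (..\x01\x00) headers
}

def detect_container(data: bytes) -> str:
    """Identify the archive format from its leading bytes, ignoring the file name."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"

def executable_members(data: bytes) -> list[str]:
    """Return member names inside a ZIP that look executable; [] if not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith((".exe", ".scr", ".com", ".pif"))]
    except zipfile.BadZipFile:
        return []

def assess_attachment(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = detect_container(data)
    if ext in ("zip", "rar") and actual != ext:
        findings.append(f"extension .{ext} but content is {actual}")
    for member in executable_members(data):
        findings.append(f"archive contains executable member {member}")
    return findings

# Constructed samples: a RAR header mislabelled as .zip, and a genuine ZIP
# holding a harmless, empty file named like the dropper from the first spam run.
FAKE_RAR_AS_ZIP = b"Rar!\x1a\x07\x00" + b"\x00" * 16

def build_zip_with_exe() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ups_invoce.exe", b"")
    return buf.getvalue()

if __name__ == "__main__":
    print(assess_attachment("UPS_Paket.zip", FAKE_RAR_AS_ZIP))
    print(assess_attachment("invoice.zip", build_zip_with_exe()))
```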

    Trend Micro users are protected from this attack via the Smart Protection Network.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice