By now, most users can easily detect spammed messages, particularly those that attempt (and fail) to look like legitimate notifications. But some can look convincing, which is why a good social engineering education can be beneficial in the long run.
We recently found an email sample pretending to be from the courier service UPS. The email poses as a package delivery notification, containing links to the tracking site and to a .PDF copy of the shipping invoice. This is definitely not the first time we have received such an email. However, what makes this spam stand out is the way it hides its malicious intent.
As seen in the email screenshot above, the malware-hosting site is linked behind a supposedly legitimate UPS URL where the PDF version of the shipping invoice can be downloaded. For users, this URL may seem safe; however, when clicked, the link leads to a malicious ZIP file rather than a PDF. To further convince users it is legitimate, the sender’s email address was forged to closely resemble an actual UPS email address.
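The two deceptions described above (a displayed UPS URL whose real target is elsewhere, and a "PDF" link that fetches a ZIP) plus the look-alike sender address can be checked mechanically at the mail gateway. The following is an added example, not Trend Micro's code or the original message; the sample email, its addresses and the 198.51.100.7 host are constructed placeholders.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above (not the real message).
SAMPLE_EML = """\
From: "UPS Quantum View" <auto-notify@ups-delivery.example>
Return-Path: <bounce@mailer.example.net>
Content-Type: text/html

<html><body><a href="http://198.51.100.7/inv/UPS_Invoice.zip">http://www.ups.com/inv/UPS_Invoice.pdf</a>
<a href="http://www.ups.com/tracking">Track your package</a></body></html>
"""

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_lure_indicators(raw_eml):
    """Return one string per indicator found; an empty list means none."""
    msg = message_from_string(raw_eml, policy=default)
    findings = []
    # 1) Displayed From domain differs from the envelope (Return-Path) domain.
    from_dom = msg["From"].addresses[0].domain.lower()
    rp_dom = msg.get("Return-Path", "").rpartition("@")[2].strip("<> ").lower()
    if rp_dom and rp_dom != from_dom:
        findings.append(f"sender mismatch: From={from_dom} Return-Path={rp_dom}")
    collector = AnchorCollector()
    collector.feed(msg.get_content())
    for href, text in collector.anchors:
        text_host, href_host = urlparse(text).hostname, urlparse(href).hostname
        # 2) Link text is itself a URL whose host differs from the real target.
        if text.startswith("http") and text_host != href_host:
            findings.append(f"link text host {text_host} != href host {href_host}")
        # 3) Link labelled as a PDF fetches an archive or executable instead.
        if ".pdf" in text.lower() and href.lower().endswith((".zip", ".exe")):
            findings.append(f"pdf label but archive target: {href}")
    return findings
```

Run against the sample, the function reports all three indicators; the benign tracking link produces none.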
The ZIP file contains a malicious file that Trend Micro detects as BKDR_VAWTRAK.A. This backdoor steals stored information from several FTP clients and file managers. In addition, BKDR_VAWTRAK.A also steals credentials from mail clients including Outlook, PocoMail, IncrediMail, Windows Live Mail, and The Bat. To avoid detection on the system, this backdoor deletes certain registry keys related to software restriction policies.
According to Trend Micro Software Architecture Director Jon Oliver, this attack was moderate in volume: by his estimate, it constituted approximately 1 in every 300-400 thousand email messages on the day of the outbreak. For comparison, the recent royal baby spam outbreak consisted of 1 in every 200 email messages on the days of that outbreak.
This email campaign also appears to be targeting specific organizations, which stresses the importance of social engineering training and of making it effective in a workplace setting. This includes exercises like “social” penetration training, which essentially has someone play an attacker and attempt to lure employees through social engineering.
Trend Micro Smart Protection Network protects users from this threat by blocking the related email message, the malware, and access to the site.