DHL delivery error with malicious ZIP attached


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects like:

ADDRESS NOT FOUND N# : trk-id: 468009980.87926300 1317639396
EXPRESS parsel report N# trk-id: 873383920.06837600 1317634295
REPORT REF N# trk-id: 673062160.28087200 1317632952
Parcel N## : trk-id: 339705150.38276500

Note that the numbers in the subject can change randomly.

The email is sent from the spoofed address “DHL Global Mail GROUPS” with real SMTP From addresses like:

apache@www2.onesolution.com.hk
message.Ticket.I.749@dhl.com
support.center.9041@dhl.com
… 

and has the following body:

Dear Sir/Madam,

Your package has been returned to the DHL office. The reason of the return is – Error in the delivery address

Please refer to attached file for additional details
Attached to the letter mailing label contains the details of the package delivery. You have to print mailing label, and come in the office in order to receive the packages.

Thank you for attention.

Your DHL

The attached ZIP file has the name report-undeliver-778643455.zip and contains a 177 kB file named report-undeliver-778643455. Again, the numbers in the filename can vary.

The trojan is known as Trojan.Generic.KD.370448 (BitDefender), Trojan-Spy.Win32.Zbot.chef (Kaspersky), Troj/Zbot-BAW (Sophos), PWS:Win32/Zbot.gen!Y (Microsoft).

At the time of writing, only 23 of the 43 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: 7d0c0b1a6c9fc433e62448e4255927fd.
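The indicators listed above (the trk-id subject pattern, the DHL display name sitting on a non-DHL envelope sender, the report-undeliver-NNN.zip attachment name and the MD5 of the file inside the ZIP) can be turned into a simple mail-gateway check. The following Python script is an added example, not code from MX Lab; it assumes raw RFC 822 messages as input and a Return-Path header populated by the receiving MTA, and the message it builds for testing is a constructed lookalike with a harmless placeholder inside the ZIP, not a captured sample.

```python
import hashlib
import io
import re
import zipfile
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

# Indicators taken from the MX Lab post.
SUBJECT_RE = re.compile(r"trk-id:\s*\d+\.\d+", re.IGNORECASE)
SPOOFED_DISPLAY_NAME = "dhl global mail groups"
ATTACHMENT_RE = re.compile(r"^report-undeliver-\d+\.zip$", re.IGNORECASE)
KNOWN_MD5 = {"7d0c0b1a6c9fc433e62448e4255927fd"}  # MD5 of the dropped trojan, per the post


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw, known_md5=KNOWN_MD5):
    """Return the list of campaign indicators that match a raw message string."""
    msg = message_from_string(raw)
    hits = []

    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject:trk-id")

    name, from_addr = parseaddr(msg.get("From", ""))
    if name.strip().lower() == SPOOFED_DISPLAY_NAME:
        hits.append("from:dhl-display-name")

    # Header From vs. envelope sender: the post shows the lure name on top of
    # unrelated SMTP senders such as apache@www2.onesolution.com.hk.
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    if envelope and _domain(envelope) != _domain(from_addr):
        hits.append("from:envelope-header-mismatch")

    for part in msg.walk():
        filename = part.get_filename()
        if not filename or not ATTACHMENT_RE.match(filename):
            continue
        hits.append("attachment:name-pattern")
        payload = part.get_payload(decode=True) or b""
        # The published MD5 is of the file inside the ZIP, so hash the members.
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if hashlib.md5(zf.read(member)).hexdigest() in known_md5:
                        hits.append("attachment:known-md5")
        except zipfile.BadZipFile:
            hits.append("attachment:not-a-zip")
    return hits


PLACEHOLDER_CONTENT = b"placeholder, not malware"          # constructed
PLACEHOLDER_MD5 = hashlib.md5(PLACEHOLDER_CONTENT).hexdigest()


def build_sample():
    """Build a constructed lookalike of the lure for testing (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report-undeliver-778643455", PLACEHOLDER_CONTENT)
    msg = MIMEMultipart()
    msg["Subject"] = "ADDRESS NOT FOUND N# : trk-id: 468009980.87926300 1317639396"
    msg["From"] = '"DHL Global Mail GROUPS" <support.center.9041@dhl.com>'
    msg["Return-Path"] = "<apache@www2.onesolution.com.hk>"
    msg["To"] = "recipient@example.invalid"
    msg.attach(MIMEText("Please refer to attached file for additional details"))
    attachment = MIMEApplication(buf.getvalue(), _subtype="zip")
    attachment.add_header("Content-Disposition", "attachment",
                          filename="report-undeliver-778643455.zip")
    msg.attach(attachment)
    return msg.as_string()


if __name__ == "__main__":
    print(score_message(build_sample()))
```

Each indicator is reported separately so a gateway can weight them; the subject and attachment-name patterns alone are enough to quarantine, while the hash match only fires for this exact sample, which is why the name and sender checks matter more once the campaign rotates its payload.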

2 Responses to DHL delivery error with malicious ZIP attached

  1. Alexandra Vasilescu says:

    IT'S A GREAT ARTICLE!
    MORE INTERESTING!

  2. Chelsey says:

    I just received one almost identical to this for FedEx.
