Fake email from Royal Mail regarding detained package contains trojan
December 2, 2013
MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Mail – Lost / Missing package”.
This email is sent from the spoofed sender “Royal Mail Group” and, according to our logs, is mainly directed at co.uk domain owners. The email has the following body:
Mail – Lost / Missing package – UK Customs and Border Protection
Royal Mail has detained your package for some reason (for example, lack of a proper invoice, bill of sale, or other documentation, a possible trademark violation, or if the package requires a formal entry) the RM International Mail Branch holding it will notify you of the reason for detention (in writing) and how you can get it released.
Please fulfil the documents attached.
Screenshot of the email:
The attached ZIP file is named Royal-Mail_B0AE39A385.zip and contains a 107 kB file named RoyalMail_Report-ID-37846378962513415238471238476218736487123684.pdf.
The trojan is known as Trojan.DownLoader9.22851, Heuristic.BehavesLike.Win32.Suspicious-BAY.K or Mal/Generic-S.
This executable creates a process on the infected system, modifies the Windows registry, changes the firewall policies and installs itself to run at boot. It can steal information from local internet browsers, harvest credentials from FTP clients, collect information to fingerprint the system, perform HTTP requests and start servers listening on 0.0.0.0 port 7748, 0.0.0.0 port 6023 and 0.0.0.0 port 0.
At the time of writing, 3 of the 48 AV engines at VirusTotal detected the trojan.
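As an added example (not part of MX Lab's post), a mail-gateway style check in Python that opens a ZIP attachment and flags a member whose header bytes identify a Windows executable while its extension claims it is a PDF, the trick used by this campaign. The sample archive is constructed inline and the file name length threshold is an assumption.

```python
import io
import zipfile

# Magic bytes: a real PDF starts with "%PDF-", a Windows PE executable with "MZ".
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"
MAX_NAME_LEN = 60  # assumption: member names longer than this are flagged


def inspect_zip_attachment(zip_bytes):
    """Return a list of (member_name, reason) findings for a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            with zf.open(info) as fh:
                head = fh.read(8)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            # Content says executable, name says something else: classic double-extension lure.
            if head.startswith(PE_MAGIC) and ext != "exe":
                findings.append((name, "PE executable disguised with ." + ext + " extension"))
            # Name says PDF but the header does not: also worth quarantining.
            elif ext == "pdf" and not head.startswith(PDF_MAGIC):
                findings.append((name, "claims to be PDF but lacks %PDF- header"))
            if len(name) > MAX_NAME_LEN:
                findings.append((name, "unusually long file name (%d chars)" % len(name)))
    return findings


def build_sample_zip():
    """Constructed sample mimicking the campaign: a .pdf that really holds a PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake PE: DOS header magic plus padding (not a working program).
        zf.writestr("RoyalMail_Report-ID-37846378962513415238471238476218736487123684.pdf",
                    b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.")
        # A benign PDF member for contrast.
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%benign sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip_attachment(build_sample_zip()):
        print("SUSPICIOUS: %s -> %s" % (member, reason))
```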
UPDATE 04/12/2013 15:34 (Belgian local time):
Please note that there is a new blog article regarding this threat.