Newer version of fake email from Royal Mail regarding detained package


MX Lab, http://www.mxlab.eu, reported yesterday on a trojan distribution campaign in the post “Fake email from Royal Mail regarding detained package contains trojan“. Today’s campaign is slightly different and carries a new variant of the trojan.

This email is sent from the spoofed display name “RoyalMail Notification”; the SMTP envelope sender at server level is now noreply@royalmail.com, the subject has changed to “ATTN: Lost / Missing package” and the message has the following body:

Mail – Lost / Missing package – UK Customs and Border Protection

Royal Mail has detained your package for some reason (for example, lack of a proper invoice, bill of sale, or other documentation, a possible trademark violation, or if the package requires a formal entry) the RM International Mail Branch holding it will notify you of the reason for detention (in writing) and how you can get it released.

Please fulfil the documents attached.

The actual layout of the email remains the same.

The attached ZIP file is named RoyalMail_ID_D6646FD113.zip and contains the 82 kB file Royal-Mail_Report_03485734895374895637249865238746532649573245.pdf.exe, an executable disguised as a PDF by its double extension.

The trojan is known as TR/Crypt.Xpack.32532, Trojan.DownLoader9.22851, Trojan.Win32.Inject (A), Trojan.Win32.Inject.gtgw, PWSZbot-FMU!4948180CFBA9, Trojan.Agent.ED or Troj/DwnLdr-LEX.

On an infected system this executable creates a process, modifies the Windows registry, changes the firewall policy, installs itself to run at boot, can steal information from local web browsers, harvests credentials from FTP clients, collects information to fingerprint the system, performs HTTP requests and starts servers listening on 0.0.0.0 port 6274, 0.0.0.0 port 2865 and 0.0.0.0 port 0 (note that the ports in use have changed in this new variant).

At the time of writing, 8 of the 47 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: 36edcd915f489fcac41d9a8db210db74fb35ccb03c4b86575f0bfa55a8655d66.

UPDATE 04/12/2013 15:34 (Belgian local time):

The message now comes with the subject “Warning: Lost/Missing package” and contains the file RoyalMail_Report_IDEEAA87302A.zip. Once extracted, it yields the file Royal_report_4935865497637856239875696597694892346545692354.pdf.exe.

At the time of writing, 3 of the 49 AV engines at Virus Total detected the trojan.

Use the Virus Total permalink or Malwr permalink for more detailed information.
SHA256: 1c264ebf37829848920221b067ef13ad90968b332c91cc04a5f58cb9a0dcc4db.

UPDATE 05/12/2013 00:10 (Belgian local time):

This campaign is still going strong as MX Lab keeps intercepting this type of email. New variants are emerging as well (too many to list, but a few new examples are given below) and the subject of the message is now “Attention: Lost/Missing package”.

Use the Virus Total permalink or Malwr permalink for more detailed information.
SHA256: be6cfafa03b8caef7ab80f8a629b6ac258d8c1eb255449aac6ef14bd1fe6bbea.

Use the Virus Total permalink (detected by 9 of the 48 engines) or Malwr permalink for more detailed information.
SHA256: be6cfafa03b8caef7ab80f8a629b6ac258d8c1eb255449aac6ef14bd1fe6bbea.
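The indicators above (a ZIP attachment whose only file is a long-named .pdf.exe, plus the SHA256 values of the samples) are enough to triage a suspect message automatically. The following is an added example, not MX Lab's code: it parses a raw RFC 822 message, opens any ZIP attachment in memory, flags inner files that use the document-then-executable double extension, and compares each inner file's SHA256 against the hashes published in this post. The sample message it builds is constructed to mirror the names and subject quoted above; the bytes inside the ZIP are a harmless placeholder, not the trojan, so its hash will not match the page's IoCs unless you pass your own set.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# SHA256 values reported on this page for the Royal Mail campaign samples.
KNOWN_BAD_SHA256 = {
    "36edcd915f489fcac41d9a8db210db74fb35ccb03c4b86575f0bfa55a8655d66",
    "1c264ebf37829848920221b067ef13ad90968b332c91cc04a5f58cb9a0dcc4db",
    "be6cfafa03b8caef7ab80f8a629b6ac258d8c1eb255449aac6ef14bd1fe6bbea",
}

# Extensions Windows runs on double-click; a "document" name ending in one of
# these (e.g. report.pdf.exe) is exactly the disguise used by this campaign.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
MAX_ENTRY_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized entries (zip-bomb guard)

# Placeholder payload for the constructed sample; deliberately not a real PE file.
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 64


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def is_disguised_executable(name):
    """True for names like 'x.pdf.exe': executable extension behind a document extension."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 3:
        return False
    return "." + parts[-1] in EXEC_EXTENSIONS and "." + parts[-2] in DOCUMENT_EXTENSIONS


def inspect_zip(data, iocs=KNOWN_BAD_SHA256):
    """Hash and classify every file inside a ZIP held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY_BYTES:
                continue
            content = zf.read(info)
            digest = sha256_hex(content)
            findings.append({
                "name": info.filename,
                "size": len(content),
                "sha256": digest,
                "disguised_exe": is_disguised_executable(info.filename),
                "known_bad": digest in iocs,
            })
    return findings


def inspect_message(raw_bytes, iocs=KNOWN_BAD_SHA256):
    """Parse a raw message and report on its attachments; 'suspicious' summarises the verdict."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {"subject": str(msg["subject"]), "from": str(msg["from"]), "attachments": []}
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        entry = {"name": fname, "sha256": sha256_hex(payload), "zip_entries": []}
        if fname.lower().endswith(".zip") or payload[:2] == b"PK":
            try:
                entry["zip_entries"] = inspect_zip(payload, iocs)
            except zipfile.BadZipFile:
                pass  # corrupt archive: nothing to inflate, but the outer hash is still recorded
        report["attachments"].append(entry)
    report["suspicious"] = any(
        is_disguised_executable(a["name"]) or a["sha256"] in iocs
        or any(e["disguised_exe"] or e["known_bad"] for e in a["zip_entries"])
        for a in report["attachments"]
    )
    return report


def build_sample_message():
    """Construct a lookalike of the email described in the post (sample data, not a real capture)."""
    inner_name = "Royal-Mail_Report_03485734895374895637249865238746532649573245.pdf.exe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, SAMPLE_PAYLOAD)
    msg = EmailMessage()
    msg["From"] = "RoyalMail Notification <noreply@royalmail.com>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "ATTN: Lost / Missing package"
    msg.set_content("Please fulfil the documents attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="RoyalMail_ID_D6646FD113.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    result = inspect_message(build_sample_message())
    for att in result["attachments"]:
        print(att["name"], att["sha256"])
        for e in att["zip_entries"]:
            print("  ", e["name"], "disguised_exe=%s known_bad=%s" % (e["disguised_exe"], e["known_bad"]))
    print("suspicious:", result["suspicious"])
```

Run it on a saved .eml by replacing `build_sample_message()` with the file's bytes. The double-extension heuristic is what catches new variants of this campaign whose hashes are not yet known, which matters given the low engine coverage reported above; the hash set catches the specific samples documented here. Extend `KNOWN_BAD_SHA256` from your own sightings rather than relying on the three values from this post.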

32 Responses to Newer version of fake email from Royal Mail regarding detained package

  1. Nat says:

    Thanks – Just received this e-mail now and thought it was dodgy.

  2. Pingback: Fake email from Royal Mail regarding detained package contains trojan | mxlab - all about anti virus and anti spam

  3. Mark T says:

    Funny how recently I have bought goods from China and now suddenly I get these emails, fortunately the first one had a dead obvious email address but the second one allegedly came from noreply@royalmail.com , so looked more official but I assume that this one too is fake as it has an attached zip and email is same format.
    Have always had scam emails but more recently they have been linked with either DHL or Royal Mail both of whom have been used by me and /or companies? that I have done business with in China.
    I could be totally wrong but…….

    • maisielucas says:

      Yes – same here. I bought some clothes off eBay from China a few weeks back, and also used Royal Mail last week to post Christmas presents to family in New Zealand. I don’t think I gave them my email though – but the China stuff through eBay I would have done. Weird….

  4. Maisie Lucas says:

    Thank you so much for posting this! I just received this email and was so close to opening the attachment because it looked so authentic and because I DID just send a big parcel via Royal Mail a few days ago to another country! It’s only when I googled it, thinking, hang on, I never wrote my email address on the parcel, when I found this! Thanks so much!!!

  5. Ambica Patel says:

    I googled it just after downloading the PDF :'( I now have my anti virus working on it! I am so scared of these things :'(

  6. Ambica Patel says:

    Can you help me? I have a question… basically my anti-virus software did not find anything, does that mean it has the trojan and it does not detect it or it doesn’t have it? I downloaded the PDF but my computer did not let me open it because the program was not supported… Please comment!!!

    • mxlab says:

      Depends. The email has a ZIP archive attached. Unpacking this will not mean your computer is infected straight away, but you’re getting close to it. You have released the trojan if you have double clicked the unpacked executable, which is masked as a PDF but is an .exe.

  7. Craig Smith says:

    I got it, I am expecting a few items from Royal Mail, I have opened the Email and I also tried to open the attachment and my Norton Anti-Virus detected it after I saved it to my computer, it detected it and I couldn’t be more relieved, Norton is worth every penny.

  8. The Cloudmark spam-trap in my Plusnet email accounts are picking up three or so of these a day.
    I’m a Linux-only user and I think the spam is aimed at the Windows Registry. Not that it makes me any more complacent. But I have not received spam for years and I try hard to avoid giving any private data away. Obviously failed here.

  9. Jonathan says:

    Hi, my mum just called me to ask if I had any parcels coming from Royal Mail as she just had an email from them. Guess what, she clicked the zip file and downloaded it however, she then said nothing happened. Does this mean she is infected? Is there are best scan to use to check?

    Hope someone can help

    • mxlab says:

      Perhaps she’s lucky. You mention that she has downloaded the ZIP file and then nothing happened. I don’t want to be disrespectful, but perhaps she doesn’t know then what to do next which is unpacking the ZIP file. If the ZIP file remains untouched, she should be safe. But, a scan of your computer can never hurt. ;-)

      • Jonathan says:

        She ‘thinks’ she only clicked to download it, then nothing happened. She is pretty sure she did nothing else :) she is running a scan with Microsoft Security Essentials as we speak but I fear this is too basic a programme. Is there anything you recommend for scanning and checking? As you can tell she isn’t internet/computer savvy and I’m not with her to check until tomorrow. Just trying to put her mind at rest a little.

        Thanks for getting back so quick

      • mxlab says:

        Perhaps it’s nothing, but make sure that the email and the ZIP archive are in the trash and removed. Let the scan do its work (scan the system and keep the mom restful). ;-)

        There are some links to great tools on the right side under Security tools. Malwarebytes and Spybot S&D are recommended. They’ll also fix other issues that you are unaware of sometimes.

  10. Hi guys…

    I got the exact email and my suspicion is what led me here.

    I have recently made an order on Groupon and that is all I am expecting so that’s why I looked this up.

    @ MarkT: I think the reason why more recently scams come from alleged delivery agencies is simply due to hackers taking advantage of the time of year, and banking on the idea that you “probably” have made an order for delivery.

    @Ambica Patel: I’m terrified of these things too… I’m kinda an automatic scam filter… ANYTHING UNEXPECTED which asks me to download and fill in a form is immediately a red alert for me.

    Also, being London born and raised, I just found it an unusual action for Royal Mail
    considering I had not subscribed to any special service.

    I am typing from my smartphone. … I wonder what would have happened if I had downloaded to my smartphone??? Anyone know the answer to that?

    Merry Xmas peeps.

  11. momo says:

    Any way I can stop this email coming through to me? I receive it 2 or 3 times a day, haven’t opened it once, but am fed up with it and worry that in a moment’s lapse of concentration I’ll do so!

  12. Supremetwo says:

    There are so many – are these from a botnet or just a few computers that are allowed to send to millions?

  13. Ambica Patel says:

    Hey guys, I thought I would update you on my situation. haha :P So last night I did 2 whole computer scans by AVG and by Microsoft Safety Scanner. Then I decided to read the list of programs that have detected the trojan and then I downloaded Malwarebytes and let it scan the computer wholly. It said there was nothing detected and it was all fine. Am I safe to continue as if nothing is on my computer?

  14. Elina says:

    Hi, I received the same e-mail yesterday. The name of the file attached to my version is “RoyalMail_Report_ID8ACFB55344″.

    I haven’t had any business with Royal Mail recently and thought the message looked a bit suspicious, so I googled “Royal Mail ID8ACFB55344″, but there were no hits. Nevertheless, I still thought it was a bit weird for an institution like Royal Mail to omit a full stop after closing bracket (in “…or if the package requires a formal entry) the RM International Mail Branch holding it…”) and, above all, use a sentence like “Please fulfil the documents attached.” So I googled that with quotes and bingo, found this thread.

    Sometimes it pays off to be an English translator.

  15. GeoffK007 says:

    Whew, first thing I did was copy the title and google, straight away up comes the scam, thank goodness. It pays to be suspicious/cynical, Geoffk007

  16. john mackbanks says:

    I’ve had 80 of these in various flavours over the last week. And prior to that about 20 with a different source but the same payloads.

    They just pour in.

  17. James says:

    Yep, received the email this morning. Almost fell for it…bought goods online from Superdry less than a week ago and mailed one of those items 2 days ago via Royal Mail. Only when I reflected on the personal details given at the time of posting did it click that there was no way my email address could be linked to the package…so Googled and found this.

  18. Gwen Cammack says:

    I received it yesterday and then paid £15 to have it removed by my ‘Computer Man’.
    Was it a give-away that RoyalMail was so spelled?
    Gwen

  19. Duncan Brown says:

    I just received one of these, but the from address was a “@rdmgroup.com” address. The attachment was still a .pdf.exe inside a zip file but I’m a bit concerned that neither Malwarebytes nor Security Essentials flagged it up when I scanned the file. Deleted it anyway, just to be safe.

  20. Dee says:

    As I am waiting for a package from abroad, I was tempted (even though it was flagged by ‘smartscreen filters’ as suspicious – Hotmail/IE8) and clicked the download .zip link.
    My Avast AV did not flag it, but the webpage gave me a box message to say ‘the .zip was infected with an unknown virus and isn’t safe to download’. Any chance it could have got in?

    Thanks.

  21. Izzzzzzy says:

    I was an idiot and opened the file on the email.. I ran a scan with AVG and it said it found and removed the virus. But I’m still really worried about it. Am I definitely safe now?

  22. KMSX says:

    To anyone who did open the attachment (like I stupidly did): it took a few days for my laptop to slow down and for things to stop working. I have run a Norton 360 scan today which has detected the spyware and virus and removed them. Just in case anyone was in a similar position and thought that because nothing happened immediately that nothing will happen..

    • Ambica Patel says:

      How many is a few days…? I opened it 6 days ago and have had no signs. In the first few days I did about 10 scans in total to be sure and nothing odd came up…

  23. Colin M says:

    I’ve had one too. Ordering off eBay from a company in China. Email arrived on the first expected delivery date of the package. Timing is very suspicious. I think the source must be the eBay trader.

    Reported it to eBay and forwarded the email to them. They replied by saying it was a phishing attack even though it had an exe file attached. Trader has been allowed to continue doing business even though lots of negative feedback is being received.

    First (and probably last) time I’ve bought anything directly from China.

    To MX Labs: Thanks for this facility, it’s very helpful.
