October 27, 2009 4 Comments
MX Lab is intercepting a large amount of emails regarding a DHL tracking error with an attached Bredolab trojan. The emails are from Manager Lucinda Poe <email@example.com>, where the name of the person is choosen randomly, and the subject is “DHL Services. You should get the parcel NR.23962”, where the nr is also randomly choosen.
The body of the email:
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office personaly!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox.
DHL Express Services.
The attachment is named DHL_print_label_2cd1e.zip that contains DHL_print_label_2cd1e.exe. The combination letters and numbers is random.
The trojan listens to the name Trojan.Downloader.Bredolab.AZ (BitDefender), is detected by 20 of the 41 AV engines at Virus Total. Virus Total permlink and MD5: 76cb6667fef3d40e34f08e6af123930e.