Email with notification that parcel can not be delivered by FedEx contains new trojan variant


MX Lab, http://www.mxlab.eu, has started intercepting a new email campaign distributing a trojan variant. It is very similar to the previous campaign and uses subject lines such as:

An error at the delivery
Delivery status has changed
FedEx Delivery Problem No 5549
FedEx Delivery Problem No#5454
Get your parcel
Parcel is located already at the post office
Parcel is expecting of receiving
Print the postal label
You need to get parcel number 8506

The email is sent from the spoofed address “FedEx Postal Service <us_service@fedex.com>” and has the following body:

Postal notification,

We couldn’t deliver your parcel.
Reason:The weight of parcel is exceed the available parameters for free delivery.

LOCATION OF YOUR ITEM:Buffalo
PARCEL STATUS: sort order
SERVICE: Express Shipping
NUMBER OF YOUR PARCEL:U929308477NU
INSURANCE: No

Label is enclosed to the letter.
You should print the label and show it in the nearest post office to get a parcel.

Attention!
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $21.23 for each day of keeping of it.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for your attention.
FedEx Express Services.

The attached ZIP file is named FedEx_Label_ID_Order_83-27-4534US.zip and contains a 40 kB executable, FedEx_Label_ID_Order_83-27-4534US.exe, which carries the same base name as the archive and poses as the “label” the message asks the recipient to print.

The trojan is detected under names such as Trojan-Downloader.Win32.Kuluoz!IK, Artemis!6F6B1D36D0C4, Trojan-Dropper.Win32.Dapato.bfme and TROJ_BREDO.CCV.

At the time of writing, only 12 of the 42 AV engines on VirusTotal detected the sample.

VirusTotal permalink and SHA256: 39c55553d4af08461feb17807d1e0e406204fa44deb442ae5f83802234268d7f.
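The indicators above (the subject lines, the spoofed fedex.com sender, a ZIP attachment whose only content is an executable, and the SHA256 of that executable) are enough to triage a message at the mail gateway. The script below is an added example and is not MX Lab's code: it builds a constructed message that mimics the lure (the "executable" inside the ZIP is dummy bytes, not the real sample), then parses the raw RFC 822 message, matches the subject against the campaign's subject lines, flags a ZIP that contains an executable, hashes each executable and compares it with the published SHA256. The size cap on extraction is an assumption added to avoid decompression bombs; the file suffix list is a generic choice, not taken from the post.

```python
"""Triage a raw e-mail for the FedEx parcel-lure pattern described above.

Added example (not MX Lab's code). The message built here is constructed to
mimic the campaign; the attachment is a harmless placeholder, not the trojan.
"""
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the post: SHA256 of the dropped EXE and the subject lines seen.
KNOWN_SHA256 = {
    "39c55553d4af08461feb17807d1e0e406204fa44deb442ae5f83802234268d7f",
}
SUBJECT_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"^An error at the delivery$",
        r"^Delivery status has changed$",
        r"^FedEx Delivery Problem No#?\s*\d+$",
        r"^Get your parcel$",
        r"^Parcel is (located already at the post office|expecting of receiving)$",
        r"^Print the postal label$",
        r"^You need to get parcel number \d+$",
    )
]
# Assumption: suffixes that should never arrive as a "postal label" inside a ZIP.
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
# Assumption: do not inflate archive members larger than this (zip-bomb guard).
MAX_EXTRACT = 5 * 1024 * 1024


def build_sample_message() -> bytes:
    """Constructed lure with the campaign's headers; the 'exe' is 66 dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("FedEx_Label_ID_Order_83-27-4534US.exe", b"MZ" + b"\x00" * 64)
    msg = EmailMessage()
    msg["From"] = "FedEx Postal Service <us_service@fedex.com>"
    msg["To"] = "victim@example.org"  # constructed recipient
    msg["Subject"] = "FedEx Delivery Problem No#5454"
    msg.set_content("Postal notification,\n\nWe couldn't deliver your parcel.\n"
                    "Label is enclosed to the letter.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="FedEx_Label_ID_Order_83-27-4534US.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Return the indicators found in one raw message plus a simple verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    sender = (msg["From"] or "").lower()
    findings = {
        "subject_matches_campaign": any(p.search(subject) for p in SUBJECT_PATTERNS),
        "claims_fedex_sender": "fedex.com" in sender,
        "zip_with_executable": False,
        "executables": [],
        "ioc_hits": [],
        "oversized_members": [],
    }
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if not fname.endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b""))
        except zipfile.BadZipFile:
            continue  # a corrupt ZIP cannot run; other rules may still apply
        for info in zf.infolist():
            if not info.filename.lower().endswith(EXEC_SUFFIXES):
                continue
            findings["zip_with_executable"] = True
            findings["executables"].append(info.filename)
            if info.file_size > MAX_EXTRACT:
                findings["oversized_members"].append(info.filename)
                continue  # flag it, but do not inflate it
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            if digest in KNOWN_SHA256:
                findings["ioc_hits"].append(digest)
    # A ZIP whose payload is an executable is reason enough to hold the mail;
    # the subject/sender matches add attribution to this campaign.
    findings["verdict"] = "quarantine" if findings["zip_with_executable"] else "pass"
    return findings


if __name__ == "__main__":
    for key, value in triage(build_sample_message()).items():
        print(f"{key}: {value}")
```

The hash check only catches the exact sample the post lists; the structural rule (a ZIP whose member is an executable, sent under a delivery-notice subject) is what holds up as the campaign rotates binaries, which is why the verdict keys off that rather than off `ioc_hits`.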

15 thoughts on “Email with notification that parcel can not be delivered by FedEx contains new trojan variant”

  1. I too had the same message sent to me. Good advice is to call FedEx if you are unsure; the small cost of a phone call far outweighs the cost of lost data and the cost of a new laptop/PC.

  2. I received a similar email saying the package couldn’t be delivered and yet I was home all that day. I thought it was “phishy” that there was no contact information provided and no information on who the package was from. Just a zip file, which was supposed to be the postal receipt I was to show at the post office. The email address it was sent from was “mbz.991@winston-salem.com” Message read as follows.

    Order: SGH-6176-1022809891
    Order Date: Monday, 2 December 2012, 12:32 AM

    Dear Customer,

    Your parcel has arrived at the post office at December 7.Our postrider was unable to deliver the parcel to you.

    To receive a parcel, please, go to the nearest our office and show this postal receipt.

    • I’m from Spain and I received the SAME e-mail:

      Order: SGH-3370-2907416374
      Order Date: Monday, 2 December 2012, 12:32 AM
      Dear Customer,

      Your parcel has arrived at the post office at December 7.Our postrider was unable to deliver the parcel to you.

      To receive a parcel, please, go to the nearest our office and show this postal receipt.

      But the e-mail address is diff: user-yo@minneapolis.com

  3. I had the exact same email sent to me too. I was concerned at first since it’s the holidays and I can’t remember what packages I’m still waiting on. Looks very shady though.

  4. I’m in England and I’ve got this email too. It’s arrived on my work email address and managed to bypass all the security measures that are in place, which is worrying. It came from ‘anchorage’

  5. Here’s the one I received. I have a separate email account that I use for online shopping, so I knew it was fishy when it arrived. Plus I was home all day on the date mentioned, and the grammar is awful. “at the post office at December 20” and “go to the nearest our office”? Nope.

    *******

    FedEx

    Order: VGH-7840-9997774307
    Order Date: Friday, 14 December 2012, 01:21 PM

    Dear Customer,

    Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.

    To receive a parcel, please, go to the nearest our office and show this receipt.

    DOWNLOAD POSTAL RECEIPT

    Best Regards, The FedEx Team.

    • I was e-mailed the exact notice. I get one about every three to four weeks. I did try to print the receipt once but nothing ever happened. I was suspicious since I think if FedEx can’t deliver something they leave a note on your door. I also noticed that on the top of the page there is a space between Fed & Ex. I just got another e-mail so I contacted customer support to see if they thought it was a scam. Now that I see other people are getting these suspicious e-mails I will certainly keep deleting them and not worry anymore. Thank you everyone!

  6. I had an email from FedEx and I think this is spam: We have been waiting for you to contact us for your long existing Package that was registered with us for shipping to your residential location. We had thought that the UK National lottery promotion gave you our contact details to contact us, it may interest you to note that a letter was also added to your fedex package, however we cannot read the full content to you via email for privacy reasons we understand that the package itself is a winning bank Cashier cheque which worth over $1,500.000.00 USD {ONE MILLION FIVE HUNDRED THOUSAND UNITED STATE DOLLAR} As you know FedEx do not ship money in CASH but Bank Drafts/winning cheques are shippable. The package is registered with us for mailing by the UK lottery promotion, We are sending you this email because your package is been registered on a Special delivery Order What you have to do now, is to contact our Delivery Department for immediate dispatch of your package to your residential address.

    Note that as soon as our Delivery Team confirm your information’s it will only take two working days (48hours) for your package to arrive your designated address. For your information, the VAT & Shipping charges as well as Insurance fees have been paid by the UK lottery promotion before your package was registered. Note that the payment that is made on the Insurance, Premium & Clearance Certificates, is to certify that the winning cheque is not for Drug Affiliated Fund (DAF) neither is it a fund to sponsor Terrorism in your country. This will help you avoid any form of query from the Monetary Authority of your country. Note, you will have to pay a total Security sum of $221 USD to the FedEx Security Company India being full payment for the Security Keeping Fee of your package as stated in our privacy terms & condition page. Also be informed that the UK National lottery promotion Company wishes you to pay for the Security Keeping charges, but we do not accept such payment just like that considering the fact that all items & packages that is registered with us have a time limitation and we cannot accept payment that is not known to us, so you are to send us your full detail so we can effect you with our own payment procedures for the security keeping fee of your parcel containing $1,500,000.00 USD. Kindly note that the lottery promotion did not leave us with any further information we hope that you respond to us as soon as possible because if you fail to respond until the expiry date of this package, we may refer the package to the British Commission for Welfare as the package do not have a return address.
    Kindly contact the delivery department (FedEx Delivery Post) with the details given below:

    FedEx Delivery Post Contact Person: Mr. Bright Collins
    Tel: +918050830305, +44-871-974-1523 
    Email:  HYPERLINK “http://sn135w.snt135.mail.live.com/mail/” fexpress121@hotmail.com
    Kindly complete the below form and send it to the email address given above.
    This is mandatory to reconfirm your Postal address and telephone numbers.

    FULL NAMES:
    CONTACT ADDRESS:
    TELEPHONE NUMBER
    CITY:
    STATE:
    COUNTRY:
    OCCUPATION:
    SEX (M/F):
    AGE:
    STATE OF ORIGIN:

    Kindly complete the above form and submit it to the delivery manager on:  HYPERLINK “http://sn135w.snt135.mail.live.com/mail/” fexpress121@hotmail.com

    As soon as your details are received, our delivery team will give you the necessary payment procedure so that you can effect the payment for the Security Keeping Fees. As soon as they confirm your payment of $221 USD, they will not hesitate to dispatch your package as well as the attached letter to your residential address. It usually takes 48 hours being an over nights delivery service. Get back immediately with your information’s so we can proceed with this mission.

    Regards
    Mr. George Adamson
    FedEx Online Team Management

  7. I received the same email as Leo. I can practically hear them speaking with that barely understandable accent. Anytime Anyone Asks for money to send you money, it’s a scam! I call it my AAA rule of thumb. The only reason they continue in this business is because it is extremely profitable. I could tell you about all the different scams that have come across my desk but I won’t bore you with the details. I will simply say that it would have put me in the poorhouse had I responded to just one of those myriad offers.

  8. I live in the Netherlands and recently discovered 3 messages in the spam box of my gmail account dated January 17 and 24, 2013. They had the Fed Ex logo (with a space between Fed and Ex). The 3 messages had different Tracking IDs and Order numbers and were sent from three different e-mail addresses ending …@miami.com.
    here’s the message:
    “Dear Customer,
    your parcel has arrived at the post office at January … . Our courier was unable to deliver the parcel to you.
    To receive your parcel, please, go to the nearest office and show this receipt.
    GET & PRINT RECEIPT
    Best regards, The FedEx team”

    p.s. fortunately I got an error when I pressed the GET & PRINT button (probably because the e-mail messages were sent a month ago and I just discovered it now)

  9. Gentlemen:

    I received an e-mail that is similar to some of the above. Here it is…

    FedEx Delivery Services Global Shipping Logistic Management and Supply Chain Management

    FedEx Express Delivery Service , Asia India
    MANNADY(DIST) KANAKATA,BANGALORE, INDIA
    Shipment Code: CPEL/OWN/9876
    Parcel No: EG2272-IN

    ATTN:edgar Querubin ,

    Greetings to you from the entire staff of FEDEX DELIVERY COMPANY.Thanks to your e-mail. With all due respect, I am Mr. Bright Collins, the FedEx Delivery Post contact person as well as the Senior Delivery Officer; the reason why you are to pay this fee is for the Security keeping fee of your parcel which is $82 USD before dispatch can commences with your parcel to your residential address. The Security keeping fee is due to the fact that we don’t know when you will be contacting us via email that we have your parcel, so you will not have to pay more than that $82 USD on demurrage. Your delivery Package containing $1,500.000.00 USD {ONE MILLION FIVE HUNDRED THOUSAND UNITED STATE DOLLAR} is set and all necessary arrangement have been made for the delivery of your parcel dispatch, all we advise you to do now is to effect the payment immediately for the security safe keeping fee so we can deliver your parcel to you at your home residence. We would like you to resend or reconfirm your home address as soon as you make the payment.

    With the above facts, i advise that you make the payment for the security keeping fee of your parcel, so that your parcel can be delivered to you on time. Mainwhile, i want you to note that your parcel has officially cleared for delivery by the FEDEX SEVICES ORGANISATION (FSO) because we have confirmed your real address for the delivery of your parcel contained a Bank Draft/Cheque worth the sum of $1,500.000.00 USD {ONE MILLION FIVE HUNDRED THOUSAND UNITED STATE DOLLAR} and other documents which cannot be seen by any of our agent until the parcel is successfully delivered to you. Delivery will be made to your doorstep according to our delivery requirement under 24hours (one working day delivery services).

    BELOW IS THE PAYMENT INFORMATION FOR THE SECURITY KEEPING FEE OF YOUR PARCEL

    You are to send the $82 USD through WESTERN UNION MONEY TRANSFER OR any Money Gram as to speed up the process of your delivery.You are to locate the nearest Western Union Office close to you and make the payment to this account officer name Dennis George address given below.

    ACCOUNT OFFICER INFORMATION ARE STATED BELOW:
    Receivers Names: Dennis George
    Receiver’s Address: MG Quaters Kanakata Bangalore India.
    Text Question to be use:color
    Text Answer:Pink
    Amount to sent:$82 USD

    You are to send back to us this information below via email after payment is made via western union.

    Sender Name:

    Sender’s Address:

    Receiver Name:

    M.T.C.N (Money Transfer Control Number):

    Amount Sent:

    Note; Kindly scanned and attached the western union reciept copy to us through email for confirmation.As soon as we confirm the security keeping fee payment details from you, Our international delivery officer (Diplomat Mr. Jonny Lingo) will depart INDIA with your CONSIGNMENT BOX to your country immediately for delivery. He will give you a call upon arriving your country.

    NOTE: Attach two photo copies of your pictures via email along sending the payment transaction details to us through email . We guarantee you that as soon as you make the payment your parcel is going to be deliver to you within 24hours.
    Kindly proceed with the payment as we look forward to receive your payment ASAP.

    Regards
    Mr. Bright Collins
    Tel: +919582835413
    Email:deliverycompanyfedex@yahoo.cn

  10. Parcel not received from FedEx Delhi office (Parcel No. ED/A12X/028). So kindly provide me details of the shipment
    and also the tracking number.
