New trojan variant in USPS Mail Service emails regarding your parcel delivery


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email. The messages claim there are delivery issues with a parcel forwarded by USPS and use subjects like:

Delivery information contains at the postal label
Delivery status is required urgent confirmation
Please download your USPS Label
Postal label contains detailed information
Print USPS Postal Label  #ID56279
USPS Postal Notification
USPS Service# Get your parcel ID68906
USPS Tracking Number  #ID60805
Your USPS Postal Label is available #Order ID 2110

The email is sent from the spoofed address “USPS Mail Service <mail.service@birmingham.com>” and has the following body:

Postal notification,

We couldn’t deliver your parcel.

Reason Fee isn’t paid.
LOCATION:Worcester
STATUS OF YOUR PARCEL: not delivered
SERVICE: Express Shipping
ITEM NUMBER:U642955251 NU
INSURANCE: No

Postal label is enclosed to the letter.
Print your label and show it in the nearest post office of USPS

Information in brief:
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $16.41 for each day of keeping of it.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you.
USPS Customer Services.

The attached ZIP file has the name Label_Details_USPS_Tracking_ID36920.zip and contains the 61 kB file USPS_Print_Label.exe.

The trojan is detected as Suspicious file (Panda).

At the time of writing, only 1 of the 42 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: 6a843aad3e39c1868b4e9f37d829b756d903fc004dc0600351f59fc3cca6606a.

One thought on “New trojan variant in USPS Mail Service emails regarding your parcel delivery”

  1. Thanks for this post!!
    I received this in my Verizon email today, fortunately it went to my Spam folder so I was suspicious.
    So glad I did not open this zip file. However, I am not on a Windows machine so perhaps the damage would have been mitigated anyway.

    Yes, it contains a fake USPS tracking number.
    I opened the email source/header to see what was what and saw other unknown email addresses, as well as links to current news articles. These links were in white print on the email so they aren’t immediately noticed as they are in the text file of source.
    Then I noticed bad grammar and poor usage of English.
    Then I noticed a warning that the parcel will cost more each day that I delay picking it up.

    The following is the source information off my email’s header information text file:

    Return-path:
    Received: from fortworth.com ([unknown] [71.43.173.162])
    by vms169133.mailsrvcs.net
    (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009))
    with SMTP id for
    REMOVED MY ADDRESS@verizon.net; Thu, 12 Jul 2012 11:34:15 -0500 (CDT)
    Date: Thu, 12 Jul 2012 12:34:04 -0400
    From: "USPS Mail Service"
    Subject: USPS Tracking Number #ID15803
    X-Originating-IP: [71.43.173.162]
    To:
    Bcc: , , ,

    Message-id:
    MIME-version: 1.0
    X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
    X-Mailer: Microsoft Outlook Express 6.00.2900.2180
    Content-type: multipart/mixed; boundary="Boundary_(ID_p3qyY4mXLhdl85uz0J9b4Q)"
    X-Priority: 3
    X-MSMail-priority: Normal
    X-Vipre-Scanned: 002BA15F002FBE002BA2AC-TDI
    Original-recipient: rfc822;REMOVED MY ADDRESS@verizon.net

    This is a multi-part message in MIME format.

    --Boundary_(ID_p3qyY4mXLhdl85uz0J9b4Q)
    Content-type: multipart/alternative;
    boundary="Boundary_(ID_KVPciVU0fTcsFB7espwoEA)"

    --Boundary_(ID_KVPciVU0fTcsFB7espwoEA)
    Content-type: text/plain; charset=iso-8859-1
    Content-transfer-encoding: quoted-printable

    Delivery information,

    Our company’s courier couldn’t make the delivery of parcel.

    Status: Postal code isn’t specified.
    LOCATION OF YOUR PARCEL:Mobile
    STATUS OF YOUR PARCEL: sorting
    SERVICE: Expedited Shipping
    NUMBER OF YOUR ITEM:U157264040 NU
    FEATURES: Yes

    Postal label is enclosed to the letter.
    Print a label and show it at your post office.

    Information in brief:
    If the parcel isn’t received within 30 working days our company will
    have the right to claim compensation from you for it’s keeping in the
    amount of $8.41 for each day of keeping.

    You can find the information about the procedure and conditions of
    parcels keeping in the nearest office.

    Thank you for attention.
    USPS Services.

    Two Florida teens attacked by alligators in less than a week

    VIDEO: Spanish protesters clash with police

    Eye Movements Do Not Reveal Lying

    China, U.S. seek to calm South China Sea tensions

    --Boundary_(ID_KVPciVU0fTcsFB7espwoEA)
    Content-type: text/html; charset=iso-8859-1
    Content-transfer-encoding: quoted-printable

    Delivery information,

    Our company’s courier couldn’t make the delivery of parcel.

    Status:
    Postal code isn’t specified.

    LOCATION OF YOUR PARCEL:Mobile

    STATUS OF YOUR PARCEL: sorting

    SERVICE: Expedited Shipping
    NUMBER OF YOUR ITEM:U157264040 NU
    FEATURES: Yes

    Postal label is enclosed to the letter.
    Print a label and show it at your post office.

    Information in brief:
    If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.41 for each day of keeping.

    You can find the information about the procedure and conditions of parcels keeping in the nearest office.

    Thank you for attention.
    USPS Services.

    Two Florida teens attacked by alligators in less than a week
    VIDEO: Spanish protesters clash with police
    Eye Movements Do Not Reveal Lying
    China, U.S. seek to calm South China Sea tensions

    --Boundary_(ID_KVPciVU0fTcsFB7espwoEA)--

    --Boundary_(ID_p3qyY4mXLhdl85uz0J9b4Q)
    Content-type: application/x-zip-compressed;
    name=Label_Details_USPS_Tracking_ID06476.zip
    Content-transfer-encoding: base64
    Content-disposition: attachment;
    filename=Label_Details_USPS_Tracking_ID06476.zip

    UEsDBBQAAAAIAGZC7EAZcjnrV3UAAADwAAAUAAAAVVNQU19QcmludF9MYWJlbC5leGXtvQlgTGf7 then a buncha lengthy hexadecimal or some kind of gobbledygook.
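As an added example (not code from the post or from the commenter above), the following Python triage routine applies the checks the post and the comment make by hand to a constructed copy of the lure: a display name claiming USPS with a sender outside usps.com, a subject in the campaign's "#ID<number>" style, and a ZIP attachment holding an .exe. The sample message is built inline and the "executable" inside its ZIP is a harmless text file.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subjects in this campaign carry an "#ID<digits>" style tracking token.
SUBJECT_RE = re.compile(r"USPS.*#?\s*ID\s*\d+", re.IGNORECASE)
# Member names inside the ZIP that would run as code if double-clicked.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".js")

def build_sample_message() -> bytes:
    """Constructed lookalike of the lure: same sender, subject style and
    attachment naming as on the page; the .exe inside the ZIP is plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("USPS_Print_Label.exe", "placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "USPS Mail Service <mail.service@birmingham.com>"
    msg["Subject"] = "USPS Tracking Number #ID60805"
    msg.set_content("Postal label is enclosed to the letter.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="x-zip-compressed",
                       filename="Label_Details_USPS_Tracking_ID36920.zip")
    return msg.as_bytes()

def triage(raw: bytes) -> list[str]:
    """Return human-readable indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = str(msg.get("From", ""))
    # Display name says USPS but the address is not in the usps.com domain.
    if "usps" in sender.lower() and not re.search(r"@usps\.com>?\s*$", sender, re.I):
        findings.append(f"sender domain does not match USPS claim: {sender}")
    subject = str(msg.get("Subject", ""))
    if SUBJECT_RE.search(subject):
        findings.append(f"subject matches campaign pattern: {subject}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # ZIP archives start with 'PK', which is why the raw base64 quoted above begins "UEsDB".
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXEC_EXT):
                        findings.append(f"{name} contains executable {member}")
    return findings
```

Each finding is a plain string so the routine can feed a mail-gateway rule or a SIEM field without further parsing.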
