MX Lab, http://www.mxlab.eu, intercepts image-based emails about package deliveries by UPS that failed due to a faulty recipient address. The emails have different subjects, such as:
Error in the delivery address ID#7277
Failure to deliver ID #92198
Print your postal label
UPS delivery refuse ID #4714
You should come to the post office
Your delivery status has changed
The email is sent from the spoofed address “UPS Services <firstname.lastname@example.org>” and has the following body:
Behind the image is a URL in the format: hxxp://buzzstar.co.uk/JUVNEFNQVI.htm. This downloads a file named Label_Copy_UPS.zip, which contains the 78 kB file Label_Copy_UPS.exe.
The trojan is known as Spyware/Win32.Zbot, Trojan-Downloader.Win32.Kuluoz.z, Mal/NecursDrp-A, WS.Reputation.1, TROJ_GEN.F47V0815.
At the time of writing, 9 of the 42 AV engines detected the trojan at Virus Total.
Virus Total permalink and SHA256: 04d1972dc3148b280ca65312e49faa7082924dadba66b61f2c3fce44703eaefb.
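The traits described above (subject lines, UPS display name, an image wrapped in a link to an .htm page, a ZIP holding an .exe) can be turned into a mail-filter check. The following is an added example, not MX Lab's code; the function names, the sample message, the placeholder host lure.example and the upper-case path pattern (generalised from the single URL shown) are assumptions.

```python
import io
import re
import zipfile
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Subjects listed in the advisory; the ID number differs per message.
SUBJECTS = [re.compile(p, re.I) for p in (
    r"Error in the delivery address ID\s?#\d+", r"Failure to deliver ID\s?#\d+",
    r"Print your postal label", r"UPS delivery refuse ID\s?#\d+",
    r"You should come to the post office", r"Your delivery status has changed")]
# <a> wrapping an <img>: the image-only body with the URL behind it.
LINKED_IMAGE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>\s*<img\b', re.I)
# Assumption from the single URL on the page: upper-case letters + ".htm".
RANDOM_HTM = re.compile(r"/[A-Z]+\.htm")

# Constructed sample message; lure.example is a placeholder host.
SAMPLE = (
    "From: UPS Services <sender@mail.example>\n"
    "Subject: Failure to deliver ID #92198\n"
    "Content-Type: text/html; charset=us-ascii\n\n"
    '<a href="http://lure.example/ABCDEFGHIJ.htm"><img src="cid:label"></a>\n')

def lure_indicators(raw: str) -> list[str]:
    """Return which traits from the advisory a raw message matches."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if any(p.fullmatch(str(msg["Subject"] or "").strip()) for p in SUBJECTS):
        hits.append("subject")
    name, _addr = parseaddr(str(msg["From"] or ""))
    if re.search(r"\bUPS\b", name):
        hits.append("ups_display_name")
    body = msg.get_body(preferencelist=("html",))
    for url in LINKED_IMAGE.findall(body.get_content() if body else ""):
        u = urlparse(url)
        host = (u.hostname or "").lower()
        offsite = not (host == "ups.com" or host.endswith(".ups.com"))
        if offsite and RANDOM_HTM.fullmatch(u.path):
            hits.append("linked_image_to_htm")
    return hits

def zip_executables(data: bytes) -> list[str]:
    """Names of .exe members in a ZIP, e.g. Label_Copy_UPS.zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".exe")]

if __name__ == "__main__":
    print(lure_indicators(SAMPLE))
```

A message matching all three indicators is a strong candidate for quarantine; the subject match alone will also hit genuine carrier notifications.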