MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Royal Mail Shipping Advisory, Wed, 19 Sep 2012 18:37:05 +0100”.
The email is sent from the spoofed address “Royal Mail <firstname.lastname@example.org>” and has the following body:
Royal Mail Group Shipment Advisory
The following 1 piece(s) have been sent via Royal Mail on Wed, 19 Sep 2012 18:37:05 +0100, REF# 8190685774
SHIPMENT CONTENTS: Documents
SHIPPER REFERENCE: PLEASE REFER TO ATTACHED FILE
ADDITIONAL MESSAGE FROM SHIPPER: PLEASE REFER TO ATTACHED FILE
Royal Mail Group Ltd 2012. All rights reserved
The attached ZIP file is named Royal_Mail_Shipping_RefPV56193.zip and contains the 51 kB file Royal_Mail_Shipping.pdf.exe.
The trojan is known as 3LyzldN7F8xRAdmHTRlQ.
At the time of writing, 2 of the 16 AV engines at Virus Total detected the trojan.
Virus Total permalink and SHA256: a3ffb1c46b19648431726fbf9c2a4054f4c1bfff8b42e9eae474705ba122627c.
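A mail-gateway check for the attachment pattern described above (a ZIP whose member hides an executable behind a document extension), as an added example that is not MX Lab's own code. The extension lists and function names are assumptions chosen for illustration, and the sample archive is constructed with placeholder content.

```python
import io
import zipfile

# Assumed lists: extensions Windows runs directly, and document types used as a decoy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def is_double_extension(member_name):
    """True when a name ends in <decoy>.<executable>, e.g. invoice.pdf.exe."""
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1]
    # Padding such as "file.pdf      .exe" pushes the real extension out of view,
    # so strip whitespace around every dot-separated part before comparing.
    parts = [p.strip().lower() for p in base.split(".")]
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS


def scan_zip_attachment(data):
    """Return the member names in a ZIP attachment that use a decoy double extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [n for n in archive.namelist() if is_double_extension(n)]
    except zipfile.BadZipFile:
        return []  # not a readable ZIP; leave it to other attachment checks


def build_sample_zip(names):
    """Build an in-memory ZIP with harmless placeholder content (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in names:
            archive.writestr(name, b"placeholder, not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(["Royal_Mail_Shipping.pdf.exe", "readme.txt"])
    for hit in scan_zip_attachment(sample):
        print("quarantine: double-extension executable in ZIP:", hit)
```

Name-based matching like this does not depend on AV signature coverage, which matters when only a few engines recognise a new sample.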