Emails “Royal Mail Shipping Advisory” contain trojan variant


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Royal Mail Shipping Advisory, Wed, 19 Sep 2012 18:37:05 +0100”.

The email is sent from the spoofed address “Royal Mail <noreply@royalmail.com>” and has the following body:

Royal Mail Group Shipment Advisory

The following 1 piece(s) have been sent via Royal Mail on Wed, 19 Sep 2012 18:37:05 +0100, REF# 8190685774

SHIPMENT CONTENTS: Documents

SHIPPER REFERENCE: PLEASE REFER TO ATTACHED FILE

ADDITIONAL MESSAGE FROM SHIPPER: PLEASE REFER TO ATTACHED FILE

Royal Mail Group Ltd 2012. All rights reserved

The attached ZIP file is named Royal_Mail_Shipping_RefPV56193.zip and contains the 51 kB file Royal_Mail_Shipping.pdf.exe. The double extension makes the executable look like a PDF document when file extensions are hidden.

The trojan is known as 3LyzldN7F8xRAdmHTRlQ.

At the time of writing, 2 of the 16 AV engines detected the trojan at Virus Total.

Virus Total permalink and SHA256: a3ffb1c46b19648431726fbf9c2a4054f4c1bfff8b42e9eae474705ba122627c.
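With detection this low, a mail-gateway check on the attachment structure described above (an executable with a decoy document extension inside a ZIP) is a useful complement to AV signatures. The following is an added example, not MX Lab's code; the extension lists and function names are assumptions, and the sample message is constructed with an inert payload.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed extension lists for this example; tune to local policy.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

def is_double_extension(name: str) -> bool:
    """True for names like 'invoice.pdf.exe': decoy extension, then executable one."""
    parts = name.rsplit("/", 1)[-1].lower().rstrip(". ").split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS

def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (attachment, member) pairs whose names disguise an executable."""
    hits = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if is_double_extension(fname):          # executable attached directly
            hits.append((fname, fname))
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                hits += [(fname, m) for m in zf.namelist() if is_double_extension(m)]
        except zipfile.BadZipFile:
            continue  # malformed archive: leave to other controls
    return hits

def build_sample() -> bytes:
    """Constructed message using the names from the advisory; payload is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Royal_Mail_Shipping.pdf.exe", b"inert placeholder, not malware")
    msg = EmailMessage()
    msg["From"] = "Royal Mail <noreply@royalmail.com>"
    msg["Subject"] = "Royal Mail Shipping Advisory"
    msg.set_content("PLEASE REFER TO ATTACHED FILE")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Royal_Mail_Shipping_RefPV56193.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

The check reads only the ZIP central directory, so it does not extract or execute anything; it will not see inside password-protected member contents or nested archives.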