MX Lab, http://www.mxlab.eu, has started to intercept a new trojan distribution campaign by email with subjects like:
Tracking Detail (N)AS76 497 499 4176 0669
Tracking ID (G)MX69 538 274 3261 3867
ID (M)GY33 045 122 5321 1029
ID (C)RDC49 627 132 3297 6125
ID (A)CD92 681 651 1645 9658
The email is sent from spoofed addresses like:
Worldwide Express Mail <CE.firstname.lastname@example.org>
Worldwide Express Mail Service <BQU.email@example.com>
Priority Mail Postal Service <support_ROT@hialeah.com>
The email contains a single image with an embedded URL that leads to a host from which a ZIP file is downloaded.
The ZIP file has the name Postal_Receipt.zip and contains a folder named Postal_Receipt holding the 111 kB file Postal_Receipt.exe and the file price.xlsx.
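As an added defensive example (not MX Lab's own code), the following Python triage script flags messages that fit this campaign: the fake tracking-number subject format, the spoofed postal-service display names, and a ZIP attachment carrying an executable inside a sub-folder. The ZIP it inspects is a constructed stand-in with the same layout as Postal_Receipt.zip, not the real sample.

```python
import io
import re
import zipfile
from email.utils import parseaddr

# Subject format observed in the campaign, e.g. "Tracking Detail (N)AS76 497 499 4176 0669":
# a "Tracking Detail" / "Tracking ID" / "ID" prefix, one letter in parentheses, two or three
# capital letters and two digits, then four groups of three or four digits.
SUBJECT_RE = re.compile(r"^(?:Tracking (?:Detail|ID)|ID) \([A-Z]\)[A-Z]{2,3}\d{2}(?: \d{3,4}){4}$")

# Display names the spoofed senders used; the mailbox part varied between messages.
SPOOFED_DISPLAY_NAMES = ("Worldwide Express Mail", "Priority Mail Postal Service")

def subject_matches(subject):
    """True if the subject line fits the campaign's fake tracking-number format."""
    return SUBJECT_RE.match(subject.strip()) is not None

def sender_looks_spoofed(from_header):
    """True if the From display name impersonates the postal-service names seen here."""
    display_name, _addr = parseaddr(from_header)
    return any(display_name.startswith(name) for name in SPOOFED_DISPLAY_NAMES)

def executables_in_zip(zip_bytes):
    """Return the paths of .exe members in a ZIP, including those nested in sub-folders."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if name.lower().endswith(".exe")]

def triage(subject, from_header, zip_bytes=None):
    """Combine the three indicators into a simple verdict for mail-gateway triage."""
    exes = executables_in_zip(zip_bytes) if zip_bytes else []
    hits = {
        "subject": subject_matches(subject),
        "sender": sender_looks_spoofed(from_header),
        "exe_in_zip": bool(exes),
    }
    # An executable inside the ZIP plus either lure indicator is enough to hold the message.
    verdict = "quarantine" if hits["exe_in_zip"] and (hits["subject"] or hits["sender"]) else "pass"
    return {"hits": hits, "executables": exes, "verdict": verdict}

def build_sample_zip():
    """Constructed stand-in for Postal_Receipt.zip: same layout, dummy contents, not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Postal_Receipt/Postal_Receipt.exe", b"MZ constructed placeholder")
        zf.writestr("Postal_Receipt/price.xlsx", b"constructed placeholder")
    return buf.getvalue()
```

The regex and display names are derived only from the subjects and senders listed above, so widen them as new variants of the lure appear.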
The trojan is known as TR/Dropper.Gen8, Trojan.ATRAPS or Trojan-Dropper.Win32.Dapato.bwsh.
At the time of writing, only 3 of the 44 AV engines at VirusTotal detected the trojan.
VirusTotal permalink and SHA256: 3c80a2f987b5db66f9a73c3a5bee25776de4176d90deeb665e36e2d4ea491e8c.