Image-based emails with DHL tracking information download malicious ZIP


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects like:

Tracking Detail (N)AS76 497 499 4176 0669
Tracking ID (G)MX69 538 274 3261 3867
ID (M)GY33 045 122 5321 1029
ID (C)RDC49 627 132 3297 6125
ID (A)CD92 681 651 1645 9658
….

The email is sent from spoofed addresses like:

Worldwide Express Mail <CE.699@irving.com>
Worldwide Express Mail Service <BQU.466@indianapolis.com>
Priority Mail Postal Service <support_ROT@hialeah.com>
….

The email contains a single image with an embedded URL that leads to a host from which a ZIP file is downloaded.

The ZIP file has the name Postal_Receipt.zip and contains a folder named Postal_Receipt holding the 111 kB file Postal_Receipt.exe and the file price.xlsx.
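The three traits described above (a tracking-number subject, a carrier-branded spoofed sender, and an image-only HTML body whose link fetches a ZIP containing an executable) are easy to turn into a mail-gateway triage check. The script below is an added example, not MX Lab's code: the subject pattern is generalised from the subjects listed above, the sample message and archive are constructed for the demonstration (the host 198.51.100.7 and domain irving.example are placeholders), and the ZIP is only listed, never extracted or executed.

```python
"""Triage helper for the DHL-themed trojan campaign described above.

Added example (not MX Lab's code): scores an RFC 822 message for the traits
the post lists and inspects a ZIP's member list for executables. All sample
data at the bottom is constructed for the demonstration.
"""
import email
import io
import re
import zipfile
from email import policy
from html.parser import HTMLParser

# Subject shape generalised from the listed subjects: "(X)" + 2-3 letters +
# 2 digits, then two 3-digit and two 4-digit groups, e.g.
# "Tracking ID (G)MX69 538 274 3261 3867".
SUBJECT_RE = re.compile(r"\([A-Z]\)[A-Z]{2,3}\d{2}(?: \d{3}){2}(?: \d{4}){2}$")

# Display names in the campaign imitate postal carriers.
CARRIER_WORDS = ("Express Mail", "Postal Service", "Priority Mail")


class LinkImageFinder(HTMLParser):
    """Collects <a href> targets, counts <img> tags and visible text."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.images, self.text_chars = [], 0, 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def triage_message(raw: bytes) -> dict:
    """Returns the matched indicators and a 0-4 score for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    from_hdr = msg.get("From", "")
    html = ""
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        html = body.get_content()
    finder = LinkImageFinder()
    finder.feed(html)
    zip_links = [h for h in finder.hrefs if h.lower().split("?")[0].endswith(".zip")]
    indicators = {
        "tracking_subject": bool(SUBJECT_RE.search(subject)),
        "carrier_display_name": any(w in from_hdr for w in CARRIER_WORDS),
        "image_only_body": finder.images >= 1 and finder.text_chars == 0,
        "link_to_zip": bool(zip_links),
    }
    return {"indicators": indicators, "score": sum(indicators.values()), "zip_links": zip_links}


def inspect_zip(data: bytes) -> dict:
    """Lists members and flags executables; nothing is extracted or run."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    executables = [n for n in names if n.lower().endswith((".exe", ".scr", ".com"))]
    return {"members": names, "executables": executables, "suspicious": bool(executables)}


# --- constructed sample data (placeholder host and domain) ---
SAMPLE_EML = b"""From: Worldwide Express Mail <CE.699@irving.example>
To: victim@example.org
Subject: Tracking Detail (N)AS76 497 499 4176 0669
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body><a href="http://198.51.100.7/Postal_Receipt.zip"><img src="cid:receipt"></a></body></html>
"""


def build_sample_zip() -> bytes:
    """Builds a harmless stand-in with the member layout the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Postal_Receipt/Postal_Receipt.exe", b"NOT A REAL BINARY")
        zf.writestr("Postal_Receipt/price.xlsx", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_message(SAMPLE_EML))
    print(inspect_zip(build_sample_zip()))
```

The score is meant as a quarantine or alerting signal rather than a verdict: a legitimate carrier notification will rarely hit all four indicators at once, while a single hit (a tracking-style subject alone, say) is common enough that it should only raise the score.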

The trojan is known as TR/Dropper.Gen8, Trojan.ATRAPS or Trojan-Dropper.Win32.Dapato.bwsh.

At the time of writing, only 3 of the 44 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and SHA256: 3c80a2f987b5db66f9a73c3a5bee25776de4176d90deeb665e36e2d4ea491e8c.

3 thoughts on “Image-based emails with DHL tracking information download malicious ZIP”

  1. I would make sure you have the best virus software on your computer. I almost downloaded it but it seemed odd because it said the post office could not deliver it to me. It didn’t make sense.
