MX Lab, http://www.mxlab.eu, is intercepting image-based emails regarding a FedEx parcel delivery issue with a URL that downloads the file Postal-Receipt.zip.
The email is sent from a spoofed sender such as “Express Mail”, “First Class Mail Service” or similar. The subject has the format:
Tracking Number (T)QGC78 019 239 7310 8313
The message body consists of an image; the URL embedded behind the image leads to hosts such as hxxp://www.powerkiteshop.com/QRLSLTDMKI.php?php=receipt, hxxp://anistarr.com/job.php?php=receipt or similar.
The downloaded file is Postal-Receipt.zip and once extracted contains the file Postal-Receipt.exe.
The trojan is detected under names such as BackDoor.Generic_r.ARH, Gen:Variant.Symmi.7362, Trojan-Downloader.Win32.Kuluoz.abp, Ransom-AAY.gen.q and others.
At the time of writing, 13 of the 46 AV engines on VirusTotal detected the trojan.
VirusTotal permalink and SHA256: 48e5385705400fda8198cf426abaffa7a627f596720e0ab420ff4e4cfe93a5f4.
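As an added example, not part of the MX Lab advisory, the following Python triage helper turns the indicators listed above (subject format, spoofed sender names, the `*.php?php=receipt` link pattern, a ZIP wrapping an .exe, and the published SHA256) into checks a mail gateway or analyst could run over a message; the sample ZIP it builds is constructed test data, not the real payload.

```python
import hashlib
import io
import re
import zipfile
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Indicators taken from the advisory. The lure URLs are defanged there (hxxp),
# so the URL check re-fangs the scheme before parsing.
SUBJECT_RE = re.compile(r"^Tracking Number \(T\)[A-Z0-9]{5}(?: \d{3,4})+$")
SPOOFED_NAMES = {"express mail", "first class mail service"}
KNOWN_SHA256 = {"48e5385705400fda8198cf426abaffa7a627f596720e0ab420ff4e4cfe93a5f4"}


def is_receipt_lure_url(url: str) -> bool:
    """True for links of the form <host>/<anything>.php?php=receipt."""
    parsed = urlparse(url.replace("hxxp://", "http://", 1))
    return parsed.path.endswith(".php") and parse_qs(parsed.query).get("php") == ["receipt"]


def exe_names_in_zip(data: bytes) -> List[str]:
    """Names of .exe members inside a ZIP attachment (empty if data is not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".exe")]
    except zipfile.BadZipFile:
        return []


def triage(subject: str, sender_name: str, urls: List[str], attachment: Optional[bytes]) -> List[str]:
    """Return the advisory indicators a message matches, in a fixed order."""
    hits = []
    if SUBJECT_RE.match(subject):
        hits.append("subject matches tracking-number lure")
    if sender_name.strip().lower() in SPOOFED_NAMES:
        hits.append("spoofed sender name")
    if any(is_receipt_lure_url(u) for u in urls):
        hits.append("link to *.php?php=receipt")
    if attachment:
        if hashlib.sha256(attachment).hexdigest() in KNOWN_SHA256:
            hits.append("payload SHA256 matches advisory")
        for name in exe_names_in_zip(attachment):
            hits.append(f"zip contains executable {name}")
    return hits


def constructed_sample_zip() -> bytes:
    """Constructed test data: a ZIP holding a harmless placeholder named like the payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Postal-Receipt.exe", b"placeholder bytes, not the real binary")
    return buf.getvalue()
```

The hash check only fires on the genuine sample; the constructed ZIP exercises the structural indicators, which is usually what a gateway can act on before a hash is known.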