Fake email from USPS with subject “Missed package delivery!” contains URL to malicious trojan


MX Lab, http://www.mxlab.eu, started to intercept fake emails from USPS with subject “Missed package delivery!” that contains an embedded URL that leads to a malicious ZIP archive.

The email is send from the spoofed address “US Postal Service <tracking@usps.com>” and has the following body:

Dear client ,

We attempted to deliver your item at 07:30 am on Mar 25th, 2013.
The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically sent.
You may arrange redelivery by visiting the link below or pick up the item at the U.S. Post Office indicated on the receipt.

If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
Label/Receipt Number: 9102901020033059728124
Expected Delivery Date: Mar 25th, 2013
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent

To download the shipping receipt, in PDF format, visit:
http://www.usps.com/go/tools/apps/track/findInvoiceByTracking.aspx?id=9102901020033059728124

To check on the delivery status of your mailing or arrange redelivery please visit the following URL:
https://tools.usps.com/go/pages/trackconfirm/quick-track.html

Thank you,
© 2013 Copyright© 2013 USPS. All Rights Reserved.

*** This is an automatically generated email, please do not reply ***

The first URL leads in this case to hxxp://bloomerstudio.com/webupdatefiles2006/pdf_usps_9102901020033059728124.zip. The attached ZIP file has the name pdf_usps_9102901020033059728124.zip and contains the 218 kB large file pdf_usps_9102901020033059728124.scr.

The trojan is known as UDS:DangerousObject.Multi.Generic, Heuristic.BehavesLike.Win32.ModifiedUPX.C or Suspicious.Cloud.5.

The trojan will create the following files:

%AppData%\Eqba\zuevu.exe
%AppData%\Roic\naev.oqi
%AppData%\Roic\naev.tmp
%AppData%\Teox\lidez.ywy
%Temp%\tmp06b23466.bat

The following directories are created:

%AppData%\Eqba
%AppData%\Roic
%AppData%\Roic

A new process is created:

zuevu.exe

Several modifications are done in the Windows Registry and the trojan will make connection with the host 249a2efd08167c5c.com on port 80.

At the time of writing, 3 of the 45 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 0be178a5033a5b2c6351736cabe78000765de8fcc094eacc17e77538aa2509ce.