MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “UPS – Your package is available for pickup”.
The email is sent from the spoofed address “UPS Express Services <firstname.lastname@example.org>” and has the following body:
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office.
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
UPS Logistics Services.
CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (UPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies. Thank You
The attached ZIP file has the name Label_8827712794.zip and contains the 135 kB large file Label_8827712794.exe.
The trojan is known as Trojan/Win32.Zbot, PWS.Win32.Fareit.AMN (A), Trojan.Generic.KD.913977, Trojan-PSW.Win32.Tepfer.hlxl, Malware.Packer.SGX5, Mal/FakeAV-OY or TSPY_FAREIT.NF.
At the time of writing, 15 of the 46 AV engines on Virus Total detected the trojan.
Virus Total permalink and SHA256: b1b537f767ce0a0cbf00141f97d5f814ecb9f2ae058895c9c85b3375b7d0e59e.
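The attachment pattern described above (a Label_<digits>.zip wrapping a Label_<digits>.exe) is easy to catch at a mail gateway before any AV signature exists. The following Python check is an added example, not code from MX Lab's post: it inspects a ZIP attachment in memory for lure-style names, executable members, renamed PE files and the SHA256 listed above. The sample archive it builds contains dummy bytes (constructed test data), so the hash match will not fire on it.

```python
import hashlib
import io
import re
import zipfile

# Indicators from the campaign described above: the sample's SHA256 and the lure filenames.
KNOWN_SHA256 = {"b1b537f767ce0a0cbf00141f97d5f814ecb9f2ae058895c9c85b3375b7d0e59e"}
LURE_NAME = re.compile(r"^Label_\d+\.(zip|exe)$", re.IGNORECASE)
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def inspect_zip_attachment(filename: str, data: bytes) -> dict:
    """Return findings for one ZIP attachment: lure-style filename,
    executable members, known sample hashes and renamed PE files."""
    findings = {"lure_name": bool(LURE_NAME.match(filename)),
                "executables": [], "known_hashes": [], "disguised_pe": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not a valid ZIP archive"
        findings["verdict"] = "block"  # a malformed archive is not worth delivering
        return findings
    for info in zf.infolist():
        if info.is_dir():
            continue
        name, content = info.filename, zf.read(info)
        if name.lower().endswith(EXEC_EXT) or LURE_NAME.match(name):
            findings["executables"].append(name)
        digest = hashlib.sha256(content).hexdigest()
        if digest in KNOWN_SHA256:
            findings["known_hashes"].append((name, digest))
        # A PE file renamed to a harmless-looking extension still starts with "MZ".
        if content[:2] == b"MZ" and not name.lower().endswith(EXEC_EXT):
            findings["disguised_pe"].append(name)
    suspicious = findings["executables"] or findings["known_hashes"] or findings["disguised_pe"]
    findings["verdict"] = "block" if suspicious else "allow"
    return findings


def build_sample(member: str, payload: bytes) -> bytes:
    """Build an in-memory ZIP with one member (constructed test data, not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample("Label_8827712794.exe", b"MZ" + b"\x00" * 64)
    print(inspect_zip_attachment("Label_8827712794.zip", lure))
```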