Fake email with notification to pick up undelivered parcel by UPS contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “UPS – Your package is available for pickup ( Parcel 651554870161 )” – note that the parcel number may vary.

The email is send from the spoofed address “UPS Quantum View <auto-notify@ups.com>” (on the SMTP level the from email address is welcome@aexp.com),  the reply to is “auto-notify@ups.com” (this is something new for us) and has the following body:

The courier company was not able to deliver your parcel by your address.

Cause: Error in shipping address.

Label: 651554870161

You may pickup the parcel at our post office.

Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
UPS Logistics Services.

CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (UPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies. Thank You

The attached ZIP file has the name Label_651554870161.zip and contains the 50 kB large file Label_08272013.exe – note that the parcel number may vary.

At the time of writing, 0 of the 46 AV engines did detect the trojan at Virus Total. So be carefull upon receiving similar messages because the anti virus scanners do not have an update yet for this kind of trojan.

Virus Total permalink and SHA256: 799b35d21931cc6a6c71cdc9db10a33a355d818ba738308c6dbcc14913a315ab.

2 thoughts on “Fake email with notification to pick up undelivered parcel by UPS contains trojan

  1. I have been getting these emails in my hotmail account for a while. I just ignore them. I’ve been working for a company for a little over 18 months. This is the first job I don’t have to deal with networks, desktops, or purchasing, so I’ve not put my work email out there for anything. Got five of these yesterday. My guess is someone in our mailroom or purchasing opened the email, clicked on the exe file, and the trojan got our global address listing and started nailing us.

    As mentioned, our email anti-virus did not catch it. It may have caught the executable, but I’m not willing to open it and test the hypothesis. There are major flags on these email that user’s need to be made aware of to reduce damage.

  2. got similar from UPS from UPS Delivery service
    attached file PARCEL-XUQ1MGXG56.zip looked at it in hex its spyware. this is new its 109kb exe i have a copy should you like to look at it..

Comments are closed.