MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “UPS Delivery Notification Tracking Number : XCBMXDI508XCBMXDI866” (number and letter combination may vary).
This email is sent from the spoofed address “UPS Quantum View <email@example.com>” and has the following body:
Package delivery confirmation invoice XCBMXDI508XCBMXDI866
United Parcel Service
*** This is an automatically generated email, please do not reply ***
© 2013 United Parcel Service. UPS
The attached ZIP file is named invoiceU6GCMXGLL2O0N7QYDZ.doc and is 277 kB in size.
Furthermore, the tracking number in the email has an embedded URL that leads to a host where the malicious .doc can be downloaded from: hxxp://customer.appmys-ups.com/IaPk7PC5bZ/customer.php?h=cHVyY2hhc2luZ0BnaWxiby5iZQ0K
The trojan is known as EXP/CVE-2012-0158.AQ.1, Exploit.CVE-2012-0158.Gen, Exploit.CVE-2012-0158.Gen (B), Exploit.Win32.CVE-2012-0158.aq, Troj/DocDrop-AT, Trojan.Mdropper or TROJ_GEN.F47V1105.
At the time of writing, 13 of the 47 AV engines on VirusTotal detected the trojan.
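The indicators described above (subject format, UPS display name, attachment name and a link host that imitates UPS) can be combined into a mail-triage check. The Python below is an added example, not MX Lab's code: the function names, the `.example` host and the sample message are constructed, and treating a UPS display name on a non-ups.com sender address as suspicious is an assumed heuristic.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Patterns follow the campaign description; the display-name/domain mismatch rule is an assumption.
SUBJECT_RE = re.compile(r"UPS Delivery Notification Tracking Number\s*:\s*[A-Z0-9]{10,}", re.I)
ATTACH_RE = re.compile(r"^invoice[A-Z0-9]{10,}\.(?:doc|zip)$", re.I)
URL_RE = re.compile(r"h(?:tt|xx)ps?://([^/\s\"'<>:]+)", re.I)  # also matches defanged hxxp
UPS_TOKEN = re.compile(r"(?<![a-z0-9])ups(?![a-z0-9])", re.I)  # "ups" as a separate token

def is_ups_domain(host):
    host = host.lower().rstrip(".")
    return host == "ups.com" or host.endswith(".ups.com")

def triage(raw):
    """Return the set of campaign indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    hits = set()
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.add("subject")
    name, addr = parseaddr(msg.get("From", ""))
    if UPS_TOKEN.search(name) and not is_ups_domain(addr.rpartition("@")[2]):
        hits.add("display-name-mismatch")
    for part in msg.walk():
        if ATTACH_RE.match(part.get_filename() or ""):
            hits.add("attachment-name")
        if part.get_content_type() in ("text/plain", "text/html"):
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            for host in URL_RE.findall(body):
                if UPS_TOKEN.search(host) and not is_ups_domain(host):
                    hits.add("lookalike-host")
    return hits

# Constructed sample message (not a captured email); host and tracking values are made up.
SAMPLE = """\
From: UPS Quantum View <email@example.com>
Subject: UPS Delivery Notification Tracking Number : AB12CD34EF56GH78IJ90
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<a href="http://customer.my-ups.example/customer.php?h=AAAA">AB12CD34EF56GH78IJ90</a>
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="invoiceAB12CD34EF56GH78.doc"

--b1--
"""
```

Calling `triage(SAMPLE)` returns all four indicator names; a message that matches several of them is a stronger quarantine candidate than one that matches a single pattern.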