Fake email with subject “UPS Delivery Notification Tracking Number” contains malicious .doc attachment


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “UPS Delivery Notification Tracking Number : XCBMXDI508XCBMXDI866” (number and letter combination may vary).

This email is sent from the spoofed address “UPS Quantum View <auto-notify@ups.com>” and has the following body:

Package delivery confirmation invoice XCBMXDI508XCBMXDI866

Thank you,
United Parcel Service

*** This is an automatically generated email, please do not reply ***
© 2013 United Parcel Service. UPS

The attached ZIP file has the name invoiceU6GCMXGLL2O0N7QYDZ.doc and is 277 kB in size.

Furthermore, the tracking number in the email has an embedded URL that leads to a host where the malicious .doc can be downloaded from: hxxp://customer.appmys-ups.com/IaPk7PC5bZ/customer.php?h=cHVyY2hhc2luZ0BnaWxiby5iZQ0K

The trojan is known as EXP/CVE-2012-0158.AQ.1, Exploit.CVE-2012-0158.Gen, Exploit.CVE-2012-0158.Gen (B), Exploit.Win32.CVE-2012-0158.aq, Troj/DocDrop-AT, Trojan.Mdropper or TROJ_GEN.F47V1105.

At the time of writing, 13 of the 47 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: ccf7fed174dc9864c810d1c53b1ba7dfedede41cc9fd2ec82d85ec865ca67db8.
Malwr permalink and SHA256: ccf7fed174dc9864c810d1c53b1ba7dfedede41cc9fd2ec82d85ec865ca67db8.
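The indicators above (spoofed sender, subject pattern, attachment naming scheme and SHA256) can be turned into a simple mail-gateway triage check. The script below is an added example and not MX Lab's own tooling; the sample message it builds is constructed for the demonstration and carries a harmless dummy attachment, not the real trojan, so only the name-based indicators fire and the hash check stays negative.

```python
import email
import email.utils
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the write-up above.
SUBJECT_RE = re.compile(r"^UPS Delivery Notification Tracking Number\s*:\s*[A-Z0-9]{10,}$")
SPOOFED_SENDER = "auto-notify@ups.com"
ATTACHMENT_RE = re.compile(r"^invoice[A-Z0-9]+\.doc$", re.IGNORECASE)
KNOWN_SHA256 = {"ccf7fed174dc9864c810d1c53b1ba7dfedede41cc9fd2ec82d85ec865ca67db8"}


def triage_message(raw: bytes) -> dict:
    """Return which campaign indicators a raw RFC 822 message matches, plus a score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": False, "sender": False, "attachment_name": False, "known_hash": False}
    hits["subject"] = bool(SUBJECT_RE.match(str(msg["Subject"] or "").strip()))
    # Compare the envelope-style address, not the display name, since the
    # display name "UPS Quantum View" is what the spoof relies on.
    sender = email.utils.parseaddr(str(msg["From"] or ""))[1].lower()
    hits["sender"] = sender == SPOOFED_SENDER
    for part in msg.iter_attachments():
        if ATTACHMENT_RE.match(part.get_filename() or ""):
            hits["attachment_name"] = True
        payload = part.get_payload(decode=True) or b""
        if hashlib.sha256(payload).hexdigest() in KNOWN_SHA256:
            hits["known_hash"] = True
    hits["score"] = sum(1 for k in ("subject", "sender", "attachment_name", "known_hash") if hits[k])
    return hits


def build_sample() -> bytes:
    """Constructed message mimicking the campaign; the attachment is a dummy, not the trojan."""
    m = EmailMessage()
    m["From"] = "UPS Quantum View <auto-notify@ups.com>"
    m["To"] = "recipient@example.com"  # placeholder recipient
    m["Subject"] = "UPS Delivery Notification Tracking Number : XCBMXDI508XCBMXDI866"
    m.set_content("Package delivery confirmation invoice XCBMXDI508XCBMXDI866\n")
    m.add_attachment(b"dummy attachment, not the real payload", maintype="application",
                     subtype="msword", filename="invoiceU6GCMXGLL2O0N7QYDZ.doc")
    return m.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample()))
```

A message scoring two or more indicators is worth quarantining for analyst review even when the attachment hash is new, since the hash changes between campaign waves while the sender and naming scheme tend to persist.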