Fake email from Royal Mail regarding detained package contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Mail – Lost / Missing package”.

This email is send from the spoofed address “Royal Mail Group” and is mainly, according to our logs, directed to co.uk domain owners. The email has the following body:

Mail – Lost / Missing package – UK Customs and Border Protection

Royal Mail has detained your package for some reason (for example, lack of a proper invoice, bill of sale, or other documentation, a possible trademark violation, or if the package requires a formal entry) the RM International Mail Branch holding it will notify you of the reason for detention (in writing) and how you can get it released.

Please fulfil the documents attached.

Screenshot of the email:

The attached ZIP file has the name Royal-Mail_B0AE39A385.zip and contains the 107 kB large file RoyalMail_Report-ID-37846378962513415238471238476218736487123684.pdf.

The trojan is known as Trojan.DownLoader9.22851, Heuristic.BehavesLike.Win32.Suspicious-BAY.K or Mal/Generic-S.

This executable will create a process on an infected system, modifies the Windows registry, change the firewall policies, installs itself to run when booting the system, it can steal information from local internet browsers, harvest credentials from FTP clients, collects information to fingerprint the system, peforms HTTP requests and starts servers listening on on port 7748, on port 6023 and on port 0.

At the time of writing, 3 of the 48 AV engines did detect the trojan at Virus Total.

Use the Virus Total permalink and Malwr permalink for more detailed information.
SHA256: f0f02d25bfb4cbd924d46a9a4d9fd72b338bd350532005d1150028483b12e8d9

UPDATE 04/12/2013 15:34 (Belgian local time):

Please note that there is an new blog article regarding this threat.

64 thoughts on “Fake email from Royal Mail regarding detained package contains trojan

  1. Brilliant, exactly what I needed to know. I received 2 of these to different addresses and immediately noticed that they had different references and as I and little package mail it was clear that there could not be 2 lost packages – but it is a good one – don’t get caught out. Never open any attachment that comes from somebody you don’t know. The return addresses were different and bogus.

    • just had same email tried to download attachment as have recently posted packages to Australia. I reciived message from my computer that this type of attach. Could not be saved or opened so hope that has saved me.

      • Pratt for opening the attachment, some goons never learn.
        Hopefully, you have learnt your lesson

  2. Same with me was just about to open the attachment, mcafee stopped it and you appeared in my google search! Thank you!

  3. I stupidly started to download this. I have since unplugged my PC from the Internet and I’m checking bank balances via my banking app. What can I do to clean my computer? I will inform my banks and the usual things.

  4. Unsuspecting I tried to download the atachment, but my Kaspersky AV took over and disinfected my computer followed by a full scan. Thank you Kaspersky, you did your job.
    Thanks for info.

  5. Just received this email too, thankfully I already suspected it was a scam of some sort, so decided to google it before opening the attachment. So thank you very much for this post, I’m relieved to know I was right in deleting it.

  6. Pretty convincing email, fortunately Norton did its thing and removed it before I could open it like an idiot. Thank you Norton.

  7. glad you all were wise to these stupid freudsters as i nearly opened it untill i googled it, these scumbags need to find something else to do with their time and leave us all alone

  8. I too received one of these and rather stupidly decided to open it. I was unsuspecting as I’ve ordered a lot on line recently for Xmas and just thought it was referring to an item I had ordered. I tried to open it on my iPad and now cannot seem to be able to get out of the email or out of my hotmail account. Anyone have any advice??

  9. I got this today – the weird thing being that my luggage had been lost on a flight home yesterday, and I was expecting a delivery that could well have been from UK Customs and Border Protection. Realised from the writing that it was phishing, but I was a bit paranoid that they were somehow targeting me deliberately.

  10. Thank you so much. Exactly what I needed to know, although I was pretty suspicious as hadn’t ordered anything using my work email address. Have shared this with all my FB & LinkedIn crew. Good work keeping on top of these scum! 🙂

  11. I deal with Royal Mail and was expecting to hear about a genuine missing parcel when this turned up because of all the news of tv I googled the group name and found out it was fake so straight into the bin and then dumped, I never ever open always bin, if was real then I am sure people would get back in touch.

  12. Got into work this morning to find about 30 of these on the email system. Been getting them all day and so far up to about 53 of them and I’ve only been in 2 hours! Knew something was fishy so I thought I’d check out what it was trying to do… Anyone know a way to block them cos they’re coming through from different senders on different domains so i can’t just block 1 domain…

  13. i stupidly downloaded this as I’m expecting several packages that have not been delivered on time. I have not opened it however, so am I safe? Going to run a virus scan just in case.

  14. They are still sending these out as I got one today on my @mail.com account.
    Was not expecting anything and the wording seemed weired so googled it and you came up.
    Thanks for confirming suspicions.

  15. I sent an email to the Scam center of Royal Mail, they are aware of this and are working to get it shut down.

  16. Nice one! I had 3 but I have also ordered stuff online so it almost caught me out until “I JUST RECIEVED A EMAIL FROM MASTERCARD SAYING MY DEBIT CARD HAD BEEN BLOCKED’!!!! I noticed it also had an Zip attachment which is why I googled it! There’s not much info on it, but thankfully I found this! Just a heads up guys!

  17. Thank you so much for the information. Got two today and wondered how Royal Mail had my email address so Googled it. This information is now on my Facebook page with your link. I’m really grateful to you for checking these things I don’t need this before Christmas.

  18. Thanks for this page. I received the email but I noticed when I opened it that the email address was from “@bell.ca” so didn’t download the attachments. Seemed strange so that tipped me off no way an email would come from royal mail and not use an official email, nevermind the fact its a Canadian one. Other than that its quite convincing and could catch alot of people out expecting gifts from loved ones abroad etc

  19. Received today, and did attempt to open it.Thankfully Norton did prevented it from opening. It is strange how they know when goods have gone missing or you’re waiting for items to arrive?

    I’ve had problems already with ‘deltasearch’ on my daughters laptop. Complete nightmare.
    Readers: please also be aware of Victoria Secrets official UK website it is a fake website! VS are aware of this and are having problems closing the sites down, apparently there are two operating the the moment. Unfortunately I am a victim of this too!!

    • > It is strange how they know when goods have gone missing or you’re waiting for items to arrive?

      They simply don’t know if your goods are missing but send this type of email out for a very good reason. It is the end of 2013 and a lot of people have ordered something online in a web shop so they are counting on the chance that someone will read the email and believes he/she has lost the package and eventually will open the attached email.

  20. Hi, I received that email this morning and actually opened it… I’m using linux though. Does it affect linux? I’ve got two systems installed, windows and linux, but I ran it on linux… Would appreciate advice. Thanks.

  21. Same email came through in junk box, which I usually just trash all contents but Royal Mail alerted my attention! Like others, have things on order so read it. However couldn’t understand how Royal Mail would have my address – didn’t ring true!! Hence investigated for scam. Thanks – will get rid of it now!!

  22. My antenna went up when was directed to download an odd-looking link. There is a fake Norton “OK” symbol included to add ‘authenticity’ to this scam. Clever…’.

  23. I have an account with royal Mail send a lot of parcels & Royal mail never e-mail you!had 2 sent today but as soon as I seen the zip file i knew?

  24. I knew this was suspcious because the Royal Mail would not have my email address written on the outside of a package they were trying to deliver; in addition, they would send a card or letter to the address asking for additional documentation, postage, etc. not send an email. Thirdly, and this was the clincher, I received this spoof email to an address that I never use with online retailer only with friends, family and genuine companies I have legal dealings with (banks, insurance companies, etc.) and think it unlikely they will have sold my email address or had it stolen.
    Simple answer – delete and mark as spam/phishing scam.

  25. Ive just had this one to.. looked pretty real…. even coming from a ‘royalmail’ email address… then i thought how the hell would they have got my email address :/ so i got rid of it

  26. Had 3 of there’s email 2day was wondering what it was about a friend looked on Google and found this out glad for the information thanks

  27. Damn! good to know…..I send loads of international packages, and accidentally sent one this week without customs docs – of course I got two of these emails and thought it related to that…… luckily I’m on a Mac and even though I was foolish enough to click to open, its windows only. Phew.

  28. Hi,
    Stupidly I opened the email on my iPhone mail account and downloaded the zip file but could not open the file.
    Will my iPhone be hacked I use my phone to order online through my bank and credit cards. I only opened as I had just ordered something from America 2 days ago!
    Please help I am really worried I will have to cancel all my cards so close to Christmas!

  29. I stupidly downloaded this a few times but was unable to open it only because I posted a parcel
    to Australia yesterday did I think it was genuine.
    I have an apple mac(10.5.8), do you think I am safe as I do not have windows.

  30. Thanks a lot for the info’ – thought about opening the attachment, as the logo etc seemed pretty convincing. Glad I decided to check first. Thanks again for your help.

  31. I stupidly opened it and downloaded the attachment already! Any advice on what to do? Thank you for the info!

  32. I was expecting a parcel today that didn’t arrive so opened the message and downloaded zip, I have a mac what can I do to remove this?

  33. Just received this email and Googled to find out if it was a scam or not before trying to open it, I am usually daft enough to open these things without thinking about it but for once I did’nt! So thanks to all the posts I have read I have saved myself a load of problems and my husband shouting at me xxx

  34. Phewww was trying to opening this attachment on my iPhone and it wouldn’t let me so was just about to get my lap top out to open it and thot I would google it first thank god it never.

Comments are closed.