MX Lab, http://www.mxlab.eu, reported yesterday on a trojan distribution campaign in the post “Fake email from Royal Mail regarding detained package contains trojan”. Today’s campaign is slightly different and carries a new variant of the trojan.
This email is sent from the spoofed display name “RoyalMail Notification”; the SMTP envelope from address at server level is now firstname.lastname@example.org, the subject has changed to “ATTN: Lost / Missing package” and the message has the following body:
Mail – Lost / Missing package – UK Customs and Border Protection
Royal Mail has detained your package for some reason (for example, lack of a proper invoice, bill of sale, or other documentation, a possible trademark violation, or if the package requires a formal entry) the RM International Mail Branch holding it will notify you of the reason for detention (in writing) and how you can get it released.
Please fulfil the documents attached.
The actual layout of the email remains the same:
The attached ZIP file has the name RoyalMail_ID_D6646FD113.zip and contains the 82 kB large file Royal-Mail_Report_03485734895374895637249865238746532649573245.pdf.exe.
The trojan is known as TR/Crypt.Xpack.32532, Trojan.DownLoader9.22851, Trojan.Win32.Inject (A), Trojan.Win32.Inject.gtgw, PWSZbot-FMU!4948180CFBA9, Trojan.Agent.ED or Troj/DwnLdr-LEX.
This executable will create a process on an infected system, modify the Windows registry, change the firewall policies, install itself to run when the system boots, steal information from local internet browsers, harvest credentials from FTP clients, collect information to fingerprint the system, perform HTTP requests and start servers listening on 0.0.0.0 port 6274, 0.0.0.0 port 2865 and 0.0.0.0 port 0 (note that the ports in use have changed in this new variant).
At the time of writing, 8 of the 47 AV engines at Virus Total detected the trojan.
UPDATE 04/12/2013 15:34 (Belgian local time):
The message now comes with subject “Warning: Lost/Missing package” and contains the file RoyalMail_Report_IDEEAA87302A.zip. Once extracted the file Royal_report_4935865497637856239875696597694892346545692354.pdf.exe is available.
At the time of writing, 3 of the 49 AV engines at Virus Total detected the trojan.
UPDATE 05/12/2013 00:10 (Belgian local time):
This campaign is still going strong as MX Lab keeps intercepting this type of email. New variants are emerging as well (too many to list, but a few new examples are given below) and the subject of the message is now “Attention: Lost/Missing package”.
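The indicators listed above (the three subject variants, the RoyalMail_ID_… / RoyalMail_Report_ID… zip names, the document-looking .pdf.exe double extension inside the archive, and the listening ports of the new variant) translate directly into mail-gateway and host triage checks. The script below is an added example written for this post, not MX Lab's own tooling: it builds a constructed lure message whose zip contains a harmless text stub (not the malware), scores it on those indicators, and parses constructed `netstat -ano` style output for listeners on the variant's ports. The regexes, the verdict thresholds, the placeholder addresses and the sample netstat lines are all assumptions made for the example.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Subject lines reported across the campaign's variants (ATTN / Warning / Attention).
SUBJECT_RE = re.compile(r"^(attn|warning|attention)\s*:\s*lost\s*/?\s*missing\s+package$", re.I)
# Attachment names reported: RoyalMail_ID_<hex>.zip and RoyalMail_Report_ID<hex>.zip.
ZIP_NAME_RE = re.compile(r"^RoyalMail_(ID_|Report_ID)[0-9A-F]+\.zip$", re.I)
# A document-looking name that actually ends in an executable extension (.pdf.exe etc.).
DOUBLE_EXT_RE = re.compile(r"\.(pdf|doc|docx|xls|txt)\.(exe|scr|com|pif|bat|cmd)$", re.I)
# Listening ports the post reports for the new variant.
VARIANT_PORTS = {6274, 2865, 0}


def suspicious_zip_members(data: bytes) -> list:
    """Return member names inside a zip that carry a document.exe style double extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if DOUBLE_EXT_RE.search(n)]
    except zipfile.BadZipFile:
        return []  # a corrupt archive is handled elsewhere; no indicator from here


def score_message(raw: bytes) -> dict:
    """Score one raw RFC 5322 message and return its indicators plus a verdict."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    indicators = []
    subject = msg.get("Subject", "").strip()
    if SUBJECT_RE.search(subject):
        indicators.append("campaign-subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ZIP_NAME_RE.match(name):
            indicators.append("campaign-zip-name")
        if name.lower().endswith(".zip"):
            for member in suspicious_zip_members(part.get_payload(decode=True) or b""):
                indicators.append("double-extension:" + member)
    double_ext = any(i.startswith("double-extension:") for i in indicators)
    # Assumed policy: a double-extension executable in the archive, or subject plus
    # zip name together, is enough to quarantine; a single weaker hit goes to review.
    if double_ext or ("campaign-subject" in indicators and "campaign-zip-name" in indicators):
        verdict = "quarantine"
    elif indicators:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"subject": subject, "indicators": indicators, "verdict": verdict}


def listeners_on_variant_ports(netstat_output: str) -> list:
    """Parse `netstat -ano` style lines; return (port, pid) for LISTENING TCP sockets on the variant's ports."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Columns: Proto, Local Address, Foreign Address, State, PID
        if len(fields) >= 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            port = int(fields[1].rsplit(":", 1)[1])
            if port in VARIANT_PORTS:
                found.append((port, int(fields[4])))
    return found


def build_sample_message() -> bytes:
    """Constructed lure mirroring the post's description; the zip holds a text stub, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "Royal-Mail_Report_03485734895374895637249865238746532649573245.pdf.exe",
            b"stub content for the example, not an executable",
        )
    msg = EmailMessage()
    msg["From"] = '"RoyalMail Notification" <sender@example.invalid>'  # placeholder address
    msg["To"] = "recipient@example.invalid"  # placeholder address
    msg["Subject"] = "ATTN: Lost / Missing package"
    msg.set_content("Royal Mail has detained your package ... Please fulfil the documents attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="RoyalMail_ID_D6646FD113.zip")
    return msg.as_bytes()


# Constructed netstat -ano excerpt: PID 3124 is a made-up value for the example.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING    900
  TCP    0.0.0.0:6274    0.0.0.0:0    LISTENING    3124
  TCP    0.0.0.0:2865    0.0.0.0:0    LISTENING    3124
"""

if __name__ == "__main__":
    print(score_message(build_sample_message()))
    print(listeners_on_variant_ports(SAMPLE_NETSTAT))
```

The double-extension check is the durable part: subject lines and archive names change from one wave to the next (the post itself records three subjects in two days), whereas a `.pdf.exe` inside a zip from an external sender is a stable indicator worth quarantining on its own. The netstat parser is for host triage after a user has opened the attachment; the campaign's ports are only a starting point, since the post notes they already changed between variants.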