MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Failed delivery for package #0231764” from Canada Post regarding a failed attempt to deliver an item.
This email is sent from the spoofed address “Canada Post <firstname.lastname@example.org>” and has the following body:
We attempted to deliver your item on Jul 2nd, 2014 , 05:44 AM.
The delivery attempt failed because no person was present at the shipping address, so this notification has been automatically sent.
You may arrange redelivery by visiting the nearest Canada Post office with the printed shipping inboice mentioned below.
If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
TRACKING Number: RT000961269SG
Expected Delivery Date: JUL 2nd, 2014
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
The shipping invoice can be viewed online, by visiting:
To download the shipping invoice, visit the following link:
© 2014 Canada Post Corporation
*** This is an automatically generated email, please do not reply ***
The first embedded URL hxxp://documents-signature.com/pdf_canpost_RT000961269SG.pdf leads to a website that shows a PDF file with a quite funny image (no offense intended):
The second embedded URL hxxp://documents-signature.com/pdf_canpost_RT000961269SG.zip leads to a malicious file pdf_canpost_RT000961269SG.zip that contains the file pdf_canpost_RT000961269SG.pif. Despite the “pdf_” prefix, a .pif file is treated by Windows as an executable, so double-clicking it runs the trojan rather than opening a document.
The trojan is known as Backdoor.Bot or HEUR/Malware.QVM07.Gen.
At the time of writing, 2 of the 54 AV engines at VirusTotal detected the trojan.
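With only 2 of 54 engines flagging the payload, signature coverage is not something to rely on for this campaign; the structural tells (a brand name in the display name on an unrelated sender domain, a “document” link that fetches an archive, an archive member with an executable extension and a PE header) are what a mail gateway or analyst can act on. The script below is an added example written for this post, not MX Lab's own tooling. SAMPLE_EML is constructed from the lure text quoted above, the Canada Post domain allow-list is an assumption, and build_sample_zip() fabricates a stand-in for pdf_canpost_RT000961269SG.zip whose .pif member merely starts with the “MZ” magic, since the real sample is not reproduced here.

```python
"""Triage helpers for a "failed delivery" lure such as the Canada Post one above.
Added example for this post, not MX Lab's own code.  SAMPLE_EML is constructed
from the quoted lure; build_sample_zip() fabricates a stand-in for the real zip.
"""
import email
import io
import re
import zipfile
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

SAMPLE_EML = """\
From: Canada Post <firstname.lastname@example.org>
Subject: Failed delivery for package #0231764
Content-Type: text/plain; charset=us-ascii

We attempted to deliver your item on Jul 2nd, 2014 , 05:44 AM.
TRACKING Number: RT000961269SG
The shipping invoice can be viewed online, by visiting:
hxxp://documents-signature.com/pdf_canpost_RT000961269SG.pdf
To download the shipping invoice, visit the following link:
hxxp://documents-signature.com/pdf_canpost_RT000961269SG.zip
"""

# Extensions Windows runs as programs; .pif is a legacy "program information
# file" type that the shell executes like an .exe whatever the name suggests.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".cab"}
# Assumed allow-list of domains a genuine Canada Post notice would come from.
BRAND_DOMAINS = {"canada post": ("canadapost.ca", "canadapost-postescanada.ca")}

URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Find http(s) URLs, refanging the hxxp:// form used in write-ups."""
    return [re.sub(r"^hxxp", "http", u, flags=re.IGNORECASE)
            for u in URL_RE.findall(text)]


def ext_of(name):
    m = re.search(r"(\.[A-Za-z0-9]+)$", name)
    return m.group(1).lower() if m else ""


def suspicious_links(urls):
    """Flag links that fetch archives/executables or dress a non-PDF up as one."""
    flagged = []
    for u in urls:
        name = urlparse(u).path.rsplit("/", 1)[-1]
        ext = ext_of(name)
        if ext in ARCHIVE_EXTS or ext in EXECUTABLE_EXTS:
            flagged.append((u, "fetches %s" % ext))
        elif name.lower().startswith(("pdf_", "invoice", "doc_")) and ext != ".pdf":
            flagged.append((u, "document-style name with %s extension" % ext))
    return flagged


def spoofed_brand(from_header):
    """Return the brand named in the display name when the sender domain is
    not one of that brand's known domains, else None."""
    display, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and not any(
                domain == d or domain.endswith("." + d) for d in domains):
            return brand
    return None


def inspect_archive(data):
    """Per member: does the extension auto-execute, and is the content a PE?"""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                magic = fh.read(2)
            findings.append({"name": info.filename,
                             "executable_ext": ext_of(info.filename) in EXECUTABLE_EXTS,
                             "pe_magic": magic == b"MZ"})
    return findings


def build_sample_zip():
    """Constructed stand-in for the real archive: a .pif with a fake MZ header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pdf_canpost_RT000961269SG.pif", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def triage(raw_eml, archive_bytes=None):
    """Combine the header, link and archive checks into one verdict dict."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {
        "subject": str(msg["Subject"]),
        "spoofed_brand": spoofed_brand(str(msg["From"])),
        "links": suspicious_links(extract_urls(body)),
        "archive": inspect_archive(archive_bytes) if archive_bytes else [],
    }
```

Run triage(SAMPLE_EML, build_sample_zip()) to see all three indicators fire on the constructed sample: the display name claims Canada Post while the address domain does not, the second link fetches a .zip, and the archive member has an executable extension with a PE header. The first link is not flagged because it really is a .pdf; the “document-style name” branch only triggers when a pdf_/invoice/doc_ name carries a non-PDF extension, which is how the .pif inside the zip would be caught if it were linked directly.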