Fake delivery failure from UK Mail contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Delivery failure , July 28, 2014 BN_1479139”.

This email is send from the spoofed address “UKMail Express <77ed27c2@alt-gifts.com>” and has the following body:

An urgent service package has come to the local post office. Delivery was rescheduled because our courier was not able to deliver the package [RECEIVER NOT PRESENT].
You can find more information including contact details regarding your package in the attached file.

UK Mail is the UK’s leading independent postal services provider and was the first company to offer services delivered by your postman.Our nationwide, overnight distribution network links with Royal Mail’s postman and postwoman for final delivery, ensuring that we help to support the UK’s universal postal service. All rights reserved. Read our Privacy Policy and Terms and Conditions

Copyright © 2014 UKMail Group plc

The attached ZIP file has the name BN_1479139.zip and contains the folder with name report_form2_28-07-2014.pdf. Inside this folder the 115 kB large file report_form2_28-07-2014.pdf.scr can be found.

The trojan is known as Inject2.APMO, TR/Crypt.Xpack.94374, Win32/TrojanDownloader.Agent.SBP, Trojan.Win32.Inject.ohic, Troj/DwnLdr-LTD or Win32:Trojan-gen.

At the time of writing, 29 of the 54 AV engines did detect the trojan at Virus Total.

Use the Virus Total permalink for more detailed information.
SHA256: 741c3e6b68efe3f6c89787bac57237a70994031300258eb2dc472ec19a94f717