Sunday, 6 March 2011

‘United Parcel Service notification’ email contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “United Parcel Service notification”, sent from the spoofed address “United Parcel Service <support2pyq@ups.com>”.

The body of the email is made from an image, but on our computer the image is broken. The included image URL points to http://1stchoiceindustrial.com/bd32t.jpg but no file is found on this server. I’m sure that we can guess what they are willing to share with us.

The attached ZIP file has the name document.zip and contains the 37 kB large file document.exe.

The trojan is known as TROJ_SPYEYE.SMEP (Trend Micro), Trojan.Agent/Gen-FakeAlert[RnGlobal] (SuperAntiSpyware), W32/Bamital.FA!tr (Fortinet).

At the time of writing, only 5 of the 43 AV engines detected the trojan at Virus Total.

[Virus Total] via [ComputerSecurityArticles]

1 comment:

  1. I received one today entitled "United Parcel Service notification 56938" from infosec7@ups.com. A zip file is attached and looks like it's titled "UPS Tracking". The body of the email reads:

    Dear customer.

    The parcel was sent your home address.
    And it will arrive within 3 business day.

    More information and the tracking number are attached in document below.

    Thank you.
    © 1994-2011 United Parcel Service of America, Inc.
