By Dancho Danchev
From UPS, USPS to DHL, bogus and malicious parcel tracking confirmations are a common social engineering technique often used by cybercriminals to trick users into clicking on malicious links or executing malicious attachments found in the spamvertised emails.
Continuing what appears to be a working social engineering tactic, cybercriminals are currently mass mailing bogus DHL ‘Express Delivery Notifications’ in an attempt to trick users into executing the malicious attachment. Once executed, it opens a backdoor on the affected host allowing the cybercriminals behind the campaign complete access to the infected PC.
Sample screenshot of the spamvertised email:
Sample detection rate for the malicious attachment: MD5: b0d4dad91f8e56caa184c8ba8850a6bd – detected by 34 out of 42 antivirus scanners as Trojan-Downloader.Win32.Andromeda.daq.
What’s particularly interesting about this MD5 is that there are files named T-Mobile-Bill.pdf.exe that have also been submitted to VirusTotal, indicating that there’s a another T-Mobile themed campaign, that’s currently circulating in the wild.
PEiD Signature of the file: BobSoft Mini Delphi -> BoB / BobSoft. It also creates %AllUsersProfile%\svchost.exe on the system, plus a Registry Value – “[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] SunJavaUpdateSched = “%AllUsersProfile%\svchost.exe” so that svchost.exe runs every time Windows starts.
Webroot SecureAnywhere users are proactively protected from this threat.