Bogus DHL ‘Express Delivery Notifications’ serve malware

By Dancho Danchev

From UPS, USPS to DHL, bogus and malicious parcel tracking confirmations are a common social engineering technique often used by cybercriminals to trick users into clicking on malicious links or executing malicious attachments found in the spamvertised emails.

Continuing what appears to be a working social engineering tactic, cybercriminals are currently mass mailing bogus DHL ‘Express Delivery Notifications’ in an attempt to trick users into executing the malicious attachment. Once executed, it opens a backdoor on the affected host allowing the cybercriminals behind the campaign complete access to the infected PC.

More details:

Sample screenshot of the spamvertised email:

Sample detection rate for the malicious attachment: MD5: b0d4dad91f8e56caa184c8ba8850a6bd – detected by 34 out of 42 antivirus scanners as Trojan-Downloader.Win32.Andromeda.daq.

What’s particularly interesting about this MD5 is that there are files named T-Mobile-Bill.pdf.exe that have also been submitted to VirusTotal, indicating that there’s a another T-Mobile themed campaign, that’s currently circulating in the wild.

PEiD Signature of the file: BobSoft Mini Delphi -> BoB / BobSoft. It also creates %AllUsersProfile%\svchost.exe on the system, plus a Registry Value – “[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] SunJavaUpdateSched = “%AllUsersProfile%\svchost.exe” so that svchost.exe runs every time Windows starts.

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

One thought on “Bogus DHL ‘Express Delivery Notifications’ serve malware

  1. Pingback: Cybercriminals impersonate T-Mobile U.K, serve malware « Webroot Threat Blog – Internet Security Threat Updates from Around the World

Join the Conversation

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s