Just in time for the holidays, cyber attackers have come up with another customised strategy and are sending out thousands of spam emails with apparent parcel delivery notifications. However, the link leads to malicious program code.
The emails currently making the rounds to lure recipients into the malware trap look like this or similar. The design is based on the Deutsche Post AG colour scheme and will therefore appear trustworthy to many recipients, despite the fact that the logo is missing completely and the language is far from correct.
Of course, the specified link does not lead to a parcel label but to malware code that is downloaded to the victim's computer.
The person visiting the URL receives a file that is supplied by means of a PHP script. If a user has already received malware code at his or her IP address, the file is not sent to this IP a second time.
The file name is DeutschePost_ID672146.251.zip or something along those lines. This archive contains the actual malware, an executable file - the file icon shows a text document but it is actually an .exe file.
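The trick described above, an .exe whose icon and name suggest a text document, is exactly what a mail gateway or download scanner should catch by looking at file content rather than at the icon or extension. The following script is an added example and not code from G Data or from the campaign analysis; it builds a constructed archive in memory (the member names are invented, the PE content is a minimal stub with only the DOS and PE signatures) and then flags every member that is a Windows executable regardless of its claimed extension.

```python
import io
import os
import struct
import zipfile
from typing import List, Tuple

# Extensions that Windows will execute directly; names are checked case-insensitively.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def looks_like_pe(data: bytes) -> bool:
    """True if the data carries a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature. Icons and file
    extensions are ignored; only the bytes decide."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_suspicious_members(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Inspect every file inside a ZIP archive and return (name, reason) pairs
    for members that are executables, whether or not the name admits it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            # Only the first 4 KiB are needed to test the PE header.
            with zf.open(info) as member:
                head = member.read(4096)
            if looks_like_pe(head):
                if ext in EXECUTABLE_EXTENSIONS:
                    findings.append((name, "PE executable"))
                else:
                    findings.append((name, "PE executable disguised with non-executable extension"))
            elif ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, "executable extension"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive (not a real sample): one exe with a double
    extension, one harmless text file, one PE hidden behind a .pdf name."""
    fake_pe = (
        b"MZ" + b"\x00" * 58          # DOS header up to e_lfanew
        + struct.pack("<I", 0x40)     # e_lfanew -> offset 64
        + b"PE\x00\x00" + b"\x00" * 20  # PE signature plus padding
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("DeutschePost_Label.txt.exe", fake_pe)
        zf.writestr("hinweis.txt", "Bitte drucken Sie das Label aus.\n")
        zf.writestr("label.pdf", fake_pe)
    return buf.getvalue()


if __name__ == "__main__":
    for member_name, reason in find_suspicious_members(build_sample_archive()):
        print(f"{member_name}: {reason}")
```

Running the script reports the double-extension .exe and the PE hidden behind a .pdf name while leaving the plain text file alone; in a gateway the same check would be applied to the archive downloaded from the spam link before it ever reaches a user's desktop.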
The current cases analysed by G Data Security Labs contained Trojan.Generic.KDZ.11929 (Engine A) / Win32:Trojan-gen (Engine B).
The malware disguised as a text file has numerous functions. Here's an excerpt:
At the time of analysis, none of the predefined IPs could be reached. Hence, the malware did not receive any additional instructions at this point and was not able to download additional files. However, G Data Security Labs already know that some of these IP addresses are malware suppliers and there is thus hardly any doubt that additional malware was supposed to be loaded.
The attackers can replace the initially supplied malware at any time, and with it the IP addresses to be contacted and the files to be downloaded, and can thus change their attack strategy whenever they choose.