Trojan Express Delivery

In the past couple of days, Symantec has observed a spike of email attacks that are designed to distribute malicious threats. All of the observed samples are spoofed to appear as if they are legitimate delivery warnings or notifications from UPS or Post Express. The message text asks recipients to open the zipped executable file for further details or actions necessary to take delivery of the item.

Below are the sample headers observed in this spam attack:

From: "United Parcel Service" <info***[email protected]>
From: "UPS� Customer Services"<***@secureserver.net>
From: "United Parcel Service" <***@dhl.com>
From: "Neil Molina" United Parcel Service  <[Details Removed]@ [Details Removed]>
From: "Kimberley Miner" United Parcel Service  <[Details Removed]@ [Details Removed]>

Subject: United Parcel Service notification 40983
Subject: Delivery Status
Subject: UPS: Your Package
Subject: United Parcel Service notification
Subject: United Postal Service Tracking Nr.

From: "Post Express Support" <postmail-int[Details Removed]@[Details Removed]>
From: "Post Express Information" <postmail-usa. [Details Removed]@[Details Removed]>
From: "Post Express Report" <postmail-usa. [Details Removed]@ [Details Removed]>
From: "Post Express Office" <postmail-usa. [Details Removed]@[Details Removed]>
From: "Post Express Information" <postmail-usa. [Details Removed]@[Details Removed]>

Subject: Post Express Office. Package is available for pickup. NR03909
Subject: Post Express Office. Delivery refuse. NR4245855
Subject: Post Express Office. Track your parcel. NR06678
Subject: Post Express Office. Error in the delivery address. NR4061172
Subject: Post Express Office. Get the parcel NR31215

Once the recipient downloads the compressed file, the following threats are installed:

UPS tracking number.exe was detected as Trojan.FakeAV.
UPS notify.exe was detected as Backdoor.Cycbot.
Post_Express_Label.exe was detected as Trojan.Sasfis.

A couple of spam samples are shown below:


 

Symantec analyzed the attacks further and found that the increase in malicious activity, sent from diverse geographical locations, indicates that spammers are working to rebuild their botnets after the Rustock takedown.

Symantec recommends that users adhere to the basic practice of not opening or downloading any suspicious attachments from emails such as those described above. Also, install all security patches and keep antivirus definitions up to date to prevent the compromise of personal machines or networks.
 

Rustock Takedown’s Effect on Global Spam Volume

When Brian Krebs posted a report about Rustock botnet takedown, Symantec observed a decline in overall spam traffic. Symantec.cloud posted a blog about this, and the Wall Street Journal is now reporting that Microsoft led this takedown.

On March 16, Symantec saw global spam drop 24.7% compared to March 15. On March 17, global spam volume dropped another 11.9% compared to March 16. Compared to a week prior, the volume on March 17 was down 40.4%.

As we typically see with a drop in global spam volume, the overall spam percentage saw a similar decline when spam volume fell. The increase seen on March 19 and 20 can be attributed to a weekend anomaly when the spam percentage is typically higher than on weekdays.

Symantec has kept a close eye on spam volume since Rustock temporarily ceased activity back in December. When Rustock, along with two other botnets, “fell asleep” on December 26, we saw a big decline in spam volume. The chart below shows the percentage decline in global spam volume using the trigger event as a baseline. While the fate of red line (representing current volume) remains to be seen, it looks to be mirroring the drop we saw back in December.