MX Lab experts have investigated the malicious emails

Dec 2, 2013 15:01 GMT

In case you’re in the UK and you’re expecting a package, watch out for scam emails that purport to come from the Royal Mail Group. The bogus notifications are used by cybercriminals to spread a piece of malware.

The emails are entitled “Mail – Lost / Missing package” and they read something like this:

“Mail – Lost / Missing package – UK Customs and Border Protection

Royal Mail has detained your package for some reason (for example, lack of a proper invoice, bill of sale, or other documentation, a possible trademark violation, or if the package requires a formal entry) the RM International Mail Branch holding it will notify you of the reason for detention (in writing) and how you can get it released.

Please fulfil the documents attached.”

The attached file, Royal-Mail_B0AE39A385.zip, stores a PDF document. While it might look harmless, MX Lab experts warn that the file hides a Trojan downloader.

Once on a system, the threat creates a new process, adds itself to the Windows registry so that it survives reboots, and changes firewall policies.

The malware is capable of stealing credentials for FTP clients and Web browsers.

At the time of writing, the threat is detected by four of the antivirus engines on VirusTotal.

To protect yourself against such threats, never open attachments or click on links in unsolicited emails. If you are expecting something from the Royal Mail or another courier company, check that the attached file is not a .zip and that the links in the notification point to the courier's official website.
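The two checks described above (no .zip attachment, links only to the official site) can be automated at the mail gateway or in an analyst's triage tooling. The following Python script is an added example written for this article, not code from MX Lab or from the campaign; it assumes an allowlist of legitimate courier domains (here just royalmail.com), treats a list of Windows executable extensions as suspicious inside an archive, and builds its own constructed sample message (look-alike tracking host and a double-extension archive member are invented for illustration, not observed indicators from the campaign).

```python
"""Triage a courier-notification email: flag .zip attachments, executables hidden
inside them (including double extensions such as 'notice.pdf.exe'), and links whose
host is not the courier's official domain. Added example, not the article's own code."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumption: allowlist of the courier's legitimate domains (adjust per organisation).
OFFICIAL_DOMAINS = {"royalmail.com"}
# Extensions Windows will execute; none of them belong inside a delivery notice.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jse", ".vbe")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def host_is_official(url, allowed=OFFICIAL_DOMAINS):
    """True only if the URL's host is an allowed domain or a subdomain of one.
    'royalmail.com.evil.example' is NOT a subdomain of royalmail.com."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def suspicious_zip_members(zip_bytes):
    """Names inside the archive that end in an executable extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if name.lower().endswith(EXECUTABLE_EXT)]


def triage(raw_message):
    """Return a list of human-readable findings for one RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        if name.lower().endswith(".zip"):
            findings.append(f"zip attachment: {name}")
            try:
                for member in suspicious_zip_members(part.get_payload(decode=True)):
                    findings.append(f"executable inside {name}: {member}")
            except zipfile.BadZipFile:
                findings.append(f"attachment {name} is not a valid zip")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        if not host_is_official(url):
            findings.append(f"link to non-official host: {url}")
    return findings


def build_sample():
    """Constructed sample resembling the lure: a .zip attachment whose member has a
    double extension, one look-alike link and one genuine link. Invented for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed member name and placeholder bytes, not the real payload.
        zf.writestr("Royal-Mail-notification.pdf.exe", b"MZ placeholder")
    msg = EmailMessage()
    msg["Subject"] = "Mail - Lost / Missing package"
    msg["From"] = "noreply@royalmail-notice.invalid"   # constructed sender
    msg["To"] = "user@example.com"
    msg.set_content(
        "Please fulfil the documents attached.\n"
        "Track here: http://royalmail.com.parcel-track.invalid/track\n"  # look-alike host (constructed)
        "Official site: https://www.royalmail.com/\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Royal-Mail_B0AE39A385.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Run against the constructed sample, `triage()` reports the .zip attachment, the executable hidden behind the .pdf.exe name, and the look-alike tracking link, while the genuine www.royalmail.com link passes because the host comparison requires an exact match or a true subdomain rather than a substring match.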

Also, make sure that all your software is up to date and that an antivirus is running on your machine. Modern security solutions can detect a threat from its behavior even when they do not recognize its signature.