Feb 1, 2011 07:52 GMT

Security researchers warn of a SpyEye distribution campaign that generates failed delivery notifications purporting to originate from a package delivery service.

According to Belgian email security provider MX Lab, the rogue emails bear a subject of "Post Express Service. Package is available for pickup! NR1535" and come from a spoofed address.

The message contained within is consistent with traditional package delivery failure alerts that have been used by malware distributors before.

"Your package has been returned to the Post Express office. The reason of the return is 'Incorrect delivery address of the package'.

"Attached to the letter mailing label contains the details of the package delivery. You have to print mailing label, and come in the Post Express office in order to receive the packages."

The emails are signed by "Post Express Service," but the only service with that name that we could identify is located in Serbia.

It wouldn't be far-fetched for cybercriminals to target Serbian users, especially with Trend Micro recently reporting that the highest number of SpyEye infections is located in Poland and not the US or UK, as one would expect.

The archive attached to the rogue emails is called Post_Express_Label_85211.zip (the number can differ), and contains an executable file.

The exe currently has a below-average detection rate on Virus Total, with only 16 of 43 antivirus engines picking it up as malicious.

Most of them do so under generic signatures and with generic names, but a few, like Trend Micro or Sophos, detect it as a SpyEye variant.

SpyEye is a sophisticated banking trojan, which first appeared around a year ago as a challenger for the more established ZeuS.

There is reason to believe the two malware families have since joined together under the same author, who is currently working on combining their features.

This would be consistent with this new campaign, since failed package delivery notifications used to be a common method of propagation for ZeuS.

As always, people are advised to treat email attachments with extreme caution, even when they appear to come from trusted sources. Online services like Virus Total can give a good indication of whether the files are malicious.