A new malware distribution campaign that generates emails posing as delivery notifications from United Parcel Service (UPS) is currently hitting people's inboxes. The rogue emails bear a subject of "United Parcel Service notification" and have spoofed headers to appear as originating from an email@example.com address.
The contained message reads: "The parcel was sent your home address. And it will arrive within 7 business day. More information and the tracking number are attached in document below. Thank you."
The attachment is called UPSnotify.rar, which is a bit unusual as .zip would have probably made more sense. There is no native support for .rar in Windows.
The archive contains a file called UPSnotify.exe which is a trojan downloader. Once installed, this malicious file proceeds to download and execute additional malware on the computer.
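The lure described above has several traits a mail gateway can check before the archive ever reaches a user: a subject that matches a known lure, a sender domain that does not match the envelope sender, and an archive attachment whose first bytes identify it as RAR. The script below is an added example, not code from the article or from any vendor; the message it parses is constructed here (the addresses, relay names and the base64 body are made up) and only mimics the campaign's shape.

```python
import email
import email.utils
from email import policy

ARCHIVE_EXTS = {"rar", "zip", "7z"}
# Both RAR4 and RAR5 archives begin with these six bytes.
RAR_MAGIC = b"Rar!\x1a\x07"
# Subject lines seen in known lures (lower-cased for comparison).
LURE_SUBJECTS = {"united parcel service notification"}

# Constructed sample message: the domains, IPs and relay names are placeholders,
# and the attachment body is base64 of b"Rar!\x1a\x07\x00", i.e. just a RAR header.
RAW_MESSAGE = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
 by mx.example.org with ESMTP; Mon, 1 Jan 2000 00:00:00 +0000
From: "United Parcel Service" <notify@ups.example>
To: victim@example.org
Subject: United Parcel Service notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset=us-ascii

The parcel was sent your home address. And it will arrive within 7 business day.
--BOUNDARY
Content-Type: application/octet-stream; name="UPSnotify.rar"
Content-Disposition: attachment; filename="UPSnotify.rar"
Content-Transfer-Encoding: base64

UmFyIRoHAA==
--BOUNDARY--
"""


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, address = email.utils.parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def triage(raw):
    """Parse a raw RFC 5322 message and return the suspicious traits found in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = str(msg["Subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        findings.append("subject matches known lure")

    # Display name says UPS; the From domain and envelope sender tell a different story.
    from_dom = domain_of(str(msg["From"] or ""))
    rp_dom = domain_of(str(msg["Return-Path"] or ""))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rpartition(".")[2].lower()
        data = part.get_payload(decode=True) or b""
        if ext in ARCHIVE_EXTS:
            findings.append(f"archive attachment {name}")
        # Check content, not just the extension: a renamed .rar still starts with the magic.
        if data.startswith(RAR_MAGIC):
            findings.append(f"{name} has RAR signature")

    return {"suspicious": len(findings) >= 2, "findings": findings}


if __name__ == "__main__":
    for line in triage(RAW_MESSAGE)["findings"]:
        print(line)
```

The From/Return-Path mismatch is a weak signal on its own (legitimate bulk mailers often use a separate bounce domain), which is why the verdict requires at least two traits; the RAR magic check is the one that does not depend on the sender getting the filename wrong.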
According to independent security consultant Dancho Danchev, the threats associated with this attack include a fake antivirus, a Gbot backdoor and a variant of W32.Pilleuz which currently has a low detection rate.
An interesting aspect of this Pilleuz version is that it contacts gmail.com, yahoo.com and hotmail.com for no reason, except to throw researchers off.
"As speculated, cybercriminals have started feeding legitimate sites into their C&C communication patterns in an attempt to undermine community efforts aimed at tracking their malicious activities," Danchev says.
This technique was recently put into the spotlight because SpyEye botnet masters used it in an attempt to mess with automated C&C server tracking services.
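When a sample deliberately contacts gmail.com, yahoo.com and hotmail.com alongside its real controller, a naive "every host the malware touched is an indicator" rule pollutes C&C lists with legitimate services. The triage below is an added example, not code from Danchev or from the article: it reads a constructed sandbox network log (the timestamps, process name, IP and the `.invalid` hostname are all made up), sets aside contacts to a small allowlist of known-legitimate domains as decoy noise, and keeps only the remaining hosts as candidate C&C indicators.

```python
import ipaddress
import re
from collections import OrderedDict

# Domains the article says this Pilleuz variant contacts only as decoys.
# A production allowlist would be far larger and maintained separately.
DECOY_ALLOWLIST = {"gmail.com", "yahoo.com", "hotmail.com"}

# Constructed sandbox log, one event per line: time, process, protocol, destination.
SANDBOX_LOG = """\
00:00:01 UPSnotify.exe DNS  gmail.com
00:00:01 UPSnotify.exe TCP  gmail.com:80
00:00:02 UPSnotify.exe DNS  yahoo.com
00:00:02 UPSnotify.exe TCP  yahoo.com:80
00:00:03 UPSnotify.exe DNS  hotmail.com
00:00:03 UPSnotify.exe TCP  hotmail.com:80
00:00:05 UPSnotify.exe TCP  198.51.100.23:8080
00:00:06 UPSnotify.exe DNS  cnc-placeholder.invalid
00:00:06 UPSnotify.exe TCP  cnc-placeholder.invalid:443
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(DNS|TCP|UDP)\s+(\S+)$")


def host_of(dest):
    """Strip a trailing :port from 'host:port' (IPv4/hostnames only; no IPv6 literals)."""
    host, sep, _ = dest.rpartition(":")
    return (host if sep else dest).lower()


def is_allowlisted(host):
    """Exact or subdomain match against the allowlist (mail.gmail.com counts as gmail.com)."""
    return any(host == d or host.endswith("." + d) for d in DECOY_ALLOWLIST)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_contacts(log):
    """Split contacted hosts into allowlisted noise and candidate C&C indicators."""
    noise, candidates = OrderedDict(), OrderedDict()
    for line in log.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # ignore blank or malformed lines
        ts, proc, proto, dest = match.groups()
        host = host_of(dest)
        bucket = noise if is_allowlisted(host) else candidates
        entry = bucket.setdefault(
            host, {"first_seen": ts, "process": proc, "contacts": 0, "literal_ip": is_ip(host)}
        )
        entry["contacts"] += 1
    return {
        "noise": list(noise),            # recorded for the report, never emitted as IoCs
        "candidates": list(candidates),  # hosts worth tracking, in order of first contact
        "details": candidates,
    }


if __name__ == "__main__":
    report = triage_contacts(SANDBOX_LOG)
    print("decoy/legitimate:", ", ".join(report["noise"]))
    for host in report["candidates"]:
        d = report["details"][host]
        print(f"candidate {host}: first seen {d['first_seen']}, {d['contacts']} contact(s)")
```

The noise bucket is kept rather than discarded: the fact that a sample beacons to three webmail providers for no functional reason is itself a behavioural trait worth recording, even though none of those domains belongs in a blocklist.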
Users are advised to treat email attachments with extra caution, even if they appear to originate from legitimate sources. Online scanning services like VirusTotal can prove very useful at determining if a file is malicious or not.
Also, users should be aware that the names of parcel delivery services like UPS, DHL, USPS, FedEx and others are constantly abused to distribute malware. When in doubt, always call the company over the phone to enquire about the package.