Sep 28, 2010 14:23 GMT

Security researchers from Vietnamese security vendor Bkis warn of a new wave of spam emails distributing the Oficla trojan. The messages pose as package delivery failure notifications from the United States Postal Service (USPS).

The rogue messages carry the subject "USPS Delivery Problem NR#######" (where each # is a random digit) and have a spoofed From field so that they appear to originate from a [email protected] address.

What sets these emails apart from other Oficla distribution campaigns is the use of an image instead of plain text to deliver the message, a technique intended to evade simple content-based anti-spam filters.

The image shows the logo of the United States Postal Service and an unusually well-formulated message that reads:

"Unfortunately we failed to deliver the postal package you have sent on the 19th of September in time because the recipient's address is erroneous.

"Please print out the shipment label attached [USPSLabel.doc] and collect the package at our office."

The attachment is actually called USPSLabelDoc.zip, not USPSLabel.doc as the image claims, and contains a variant of the Oficla trojan downloader, which as of today has only a 32.6% detection rate on VirusTotal.

According to Nguyen Van Sao, malware researcher at Bkis, the trojan drops a file called bfky.ojo in the system32 folder and adds it to the [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell] registry key so that it starts on each system reboot.
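A defender's check for the persistence described above, as an added example that is not part of the article or of Bkis's research: it audits the Winlogon Shell value and looks for the dropped file name the article reports. It assumes a stock Windows install, where Shell is expected to be exactly `explorer.exe`; the `$expectedShell` name and the triage messages are this example's own.

```powershell
# Added example (not from the article): audit the Winlogon Shell value that
# the Oficla dropper is reported to modify, and look for the dropped file.
# Assumption: on a stock Windows install the machine-wide Shell value is
# exactly "explorer.exe"; anything appended to it deserves triage.
$winlogon      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedShell = 'explorer.exe'

$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -eq $shell) {
    Write-Output 'Winlogon Shell value absent; Windows falls back to explorer.exe'
} elseif ($shell -ne $expectedShell) {
    # The value is comma-separated, so malware usually appends itself after explorer.exe.
    Write-Warning "Winlogon Shell tampered: '$shell' (expected '$expectedShell')"
    $shell -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object  { $_ -and $_ -ne $expectedShell } |
        ForEach-Object { Write-Warning "Unexpected shell entry: $_" }
} else {
    Write-Output 'Winlogon Shell is the default'
}

# The per-user Shell value overrides the machine-wide one when present, so check it too.
$userShell = (Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
              -Name Shell -ErrorAction SilentlyContinue).Shell
if ($userShell) { Write-Warning "Per-user Winlogon Shell override set: '$userShell'" }

# Look for the dropped file named in the article (bfky.ojo in system32).
$dropped = Join-Path $env:SystemRoot 'System32\bfky.ojo'
if (Test-Path $dropped) {
    $hash = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
    Write-Warning "Found $dropped (SHA256 $hash); quarantine and submit for analysis"
}
```

Run it from an elevated PowerShell session so the HKLM key is readable; the file name is a single campaign's indicator, so the Shell value check is the part worth keeping in a baseline audit.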

Oficla, also called Sasfis by some vendors, is a family of downloader-type trojans commonly used as a distribution platform for other malware, rogue antivirus programs in particular.

Oficla distribution campaigns such as this one are one of the primary factors behind the spike in the number of emails carrying malicious attachments seen in recent months.

As usual, people are advised to treat all email attachments with suspicion, including those appearing to originate from known organizations.

While not bulletproof, scanning attachments on online services such as VirusTotal before opening them can give a good indication of whether they are malicious.