As in many situations, the malware tries to contact some Russian domains

Nov 11, 2011 08:56 GMT  ·  By

The now-familiar malicious PDF attachments are being included in cleverly designed emails that urge the user to open an innocent-looking document, the latest campaign impersonating the United States Postal Service (USPS).

GFI reports that a wave of emails alerting the user to a failed package delivery has been seen, carrying PDF documents which turn out to be malware.

The body of the message, which bears the subject “Package is was not able to be delivered please print out the attached label,” reads: Unfortunately we failed to deliver the postal package you have sent on the 19th of September in time because the recipient's address is erroneous.

Please print out the shipment label attached and collect the package at our office.

United States Postal Service

Once the file, called USPS report.pdf, is downloaded and executed, it unleashes an infection that starts by contacting a certain IP address serving an executable called step.exe, which turns out to be a version of FakeSysDef.

The final payload, identified as Trojan.Win32.Generic!BT, is a dangerous component that can perform many actions, such as downloading additional components, posting information on the internet, or executing further commands received from the operator who sent it.

As in many cases, the malicious element tries to connect to some Russian domains such as followmego12(dot)ru, hidemyfass87111(dot)ru, losokorot7621(dot)ru, or mamtumbochka766(dot)ru.
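The four domains above are the only network indicators the article gives, and the practical use of such a list is to sweep existing DNS and proxy logs for hosts that already resolved or fetched from them. The following script is an added example, not code from the article or from GFI: it refangs the "(dot)" notation, matches the indicator domains and any subdomains of them (without matching look-alike hosts that merely end in the same string), and runs over a few constructed BIND-style query log lines and Squid-style proxy access log lines. The log formats, client addresses and timestamps are assumptions made up for the example.

```python
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Indicators exactly as the article prints them, in defanged "(dot)" form.
DEFANGED_DOMAINS = [
    "followmego12(dot)ru",
    "hidemyfass87111(dot)ru",
    "losokorot7621(dot)ru",
    "mamtumbochka766(dot)ru",
]


def refang(indicator: str) -> str:
    """Turn a defanged domain ('x(dot)ru', 'x[.]ru', 'x[dot]ru') into a real hostname."""
    return re.sub(r"\(dot\)|\[\.\]|\[dot\]", ".", indicator, flags=re.IGNORECASE).lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def matches_ioc(hostname: str) -> bool:
    """True if hostname is an indicator domain or a subdomain of one.

    The '.' prefix in the endswith check keeps 'notmamtumbochka766.ru' from
    matching 'mamtumbochka766.ru'.
    """
    host = hostname.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_DOMAINS)


# Assumed log shapes: a BIND 9 style query log and a Squid native access log.
DNS_QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")
PROXY_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>[\d.]+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)"
)


def extract(line: str) -> Optional[Dict[str, str]]:
    """Pull (source, client, host) out of a log line, or None if it is neither format."""
    m = DNS_QUERY_RE.search(line)
    if m:
        return {"source": "dns", "client": m.group("client"), "host": m.group("qname")}
    m = PROXY_RE.match(line)
    if m:
        host = urlsplit(m.group("url")).hostname or ""
        return {"source": "proxy", "client": m.group("client"), "host": host}
    return None


def scan_logs(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose queried or fetched host matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = extract(line)
        if rec and matches_ioc(rec["host"]):
            rec["host"] = rec["host"].lower().rstrip(".")
            rec["line"] = str(n)
            hits.append(rec)
    return hits


# Constructed sample log lines (not real traffic): three should match, three should not.
SAMPLE_LOG = [
    "11-Nov-2011 08:56:01.123 client 10.0.0.5#49152: query: followmego12.ru IN A + (10.0.0.1)",
    "11-Nov-2011 08:56:02.456 client 10.0.0.5#49153: query: www.usps.com IN A + (10.0.0.1)",
    "11-Nov-2011 08:56:03.789 client 10.0.0.9#49201: query: cdn.losokorot7621.ru IN A + (10.0.0.1)",
    "11-Nov-2011 08:56:04.000 client 10.0.0.9#49202: query: notmamtumbochka766.ru IN A + (10.0.0.1)",
    "1320998161.123    245 10.0.0.7 TCP_MISS/200 1523 GET http://hidemyfass87111.ru/step.exe - DIRECT/192.0.2.10 application/octet-stream",
    "1320998162.456     12 10.0.0.7 TCP_HIT/200 4096 GET http://example.com/ - NONE/- text/html",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['source']} client {hit['client']} -> {hit['host']}")
```

Feeding a real DNS or proxy export through `scan_logs` gives the list of internal clients that touched the indicator domains, which is the starting point for checking those hosts for USPS report.pdf and step.exe.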

This situation should teach users that not everything that looks innocent is truly harmless. Since the attachment might not even be a ZIP file, as it was in the other failed-delivery spam campaigns we've seen, internet users might be tempted to think there is no danger in opening it.

As this scenario clearly shows, documents and pictures can easily hide a malicious piece of software that is after one's assets. Steer clear of delivery emails, especially if you're not expecting anything.