Info-stealing backdoor masquerades as DHL invoices

Mar 27, 2009 13:37 GMT  ·  By

Security researchers warn that a new malware-distribution campaign serves a Trojan horse through fake DHL delivery-tracking e-mails. Once installed on a computer, the backdoor also advertises rogue security applications.

The malicious e-mails have subjects of the form "DHL Tracking number ########" (where each # represents a random digit or capital letter). The message body informs users that, "We were not able to deliver postal package you sent on the [date] in time because the recipient's address is not correct."

The e-mails aim at piquing the interest of potential victims by encouraging them to open an attached .zip file posing as a DHL invoice. "Please print out the invoice copy attached and collect the package at our office," the fake message reads.

"The trojan has the threat characteristics of ZBot – a banking trojan that disables [the] firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system," the malware analysts from security vendor MX Lab note.

Graham Cluley, senior technology consultant at Sophos, also warns that, "If you open the file inside the attachment (called DHL_DOC.zip), you will be infected by the Troj/Bckdr-QSL backdoor Trojan horse, which will attempt to take control of your PC."
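The three lure indicators the article quotes (the subject format, the body wording and the DHL_DOC.zip attachment name) are enough for a simple mail-gateway check. The Python below is an added example, not code from the article or from MX Lab or Sophos; the sample message is constructed, and its sender address and tracking value are placeholders.

```python
import re
from email import message_from_string
# Indicators quoted in the article: subject "DHL Tracking number ########"
# (each # a digit or capital letter), the body wording, and DHL_DOC.zip.
SUBJECT_RE = re.compile(r"^DHL Tracking number [0-9A-Z]{8}$")
BODY_PHRASE = "we were not able to deliver postal package"
ATTACHMENT_NAME = "dhl_doc.zip"

def lure_indicators(raw):
    """Return the indicators found in one raw RFC 2822 message, in scan order."""
    msg = message_from_string(raw)
    hits = []
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        hits.append("subject")
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container only; its children are visited next
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT_NAME:
            hits.append("attachment-name")
        elif name.endswith(".zip"):
            hits.append("zip-attachment")
        elif part.get_content_type() == "text/plain":
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            if BODY_PHRASE in text.lower():
                hits.append("body")
    return hits

def is_dhl_lure(raw):
    """Flag only when the subject pattern co-occurs with the body text or a zip."""
    hits = set(lure_indicators(raw))
    return "subject" in hits and bool(hits & {"body", "attachment-name", "zip-attachment"})

# Constructed sample message (placeholder sender and tracking value).
SAMPLE_LURE = """\
From: noreply@example.invalid
Subject: DHL Tracking number 7KQ2X9AB
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

We were not able to deliver postal package you sent on the 03/21/2009 in time
because the recipient's address is not correct.
--b1
Content-Type: application/zip; name="DHL_DOC.zip"
Content-Disposition: attachment; filename="DHL_DOC.zip"

UEsDBAoAAAAAAA==
--b1--
"""
```

Requiring the subject pattern together with a second indicator keeps a legitimate tracking notice with a similar subject from being quarantined on its own.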

The Trojan establishes several connections to remote hosts via port 80, from where it downloads a variety of additional malware. Furthermore, one of its components prompts fake security alerts in Internet Explorer, promoting a rogue anti-virus program.

At the beginning of the month, a nearly identical campaign was reported by MX Lab researchers. The difference is that those fake delivery-failure notification e-mails claimed to have been sent by UPS rather than DHL.

It is highly likely that both campaigns were launched by the same gang of cybercrooks. "As always, be very very suspicious of unsolicited email attachments and make sure that your anti-virus software is properly updated," Mr. Cluley advises.

The first variants of the Zlob Trojan date back to 2005, but it has since grown into an entire family of malware, with new variations released almost daily. We recently reported that a Russian programmer included a message for Microsoft's Windows Defender team in a Zlob variant released in December. The message announced his retirement from malware development and his move into exploits and rootkits.