Convincing UPS Email Scam Delivers Backdoor

By now, most users can easily detect spammed messages, particularly those that attempt (and fail) at looking like legitimate email notifications. However, some can look convincing, which is why a good social engineering education can be beneficial in the long run.

We recently found an email sample spoofing the popular mail courier service UPS. The email poses as a package delivery notification, containing links to the tracking site and .PDF copy of the shipping invoice. This is definitely not the first time we received such an email. However, what makes this spam stand out is the way it hides its true, malicious intent.

As seen in the email screenshot above, the malware-hosting site is hyperlinked to the legitimate UPS URL where the .PDF version of the shipping invoice can be downloaded. For users, this URL may seem safe; however, when they clicked the URL it leads to the downloading of the malicious ZIP file. To further convince users of its legitimacy, the recipient’s email address were created to closely resemble the actual UPS email address.

The ZIP file contains a malicious file which Trend Micro detects as BKDR_VAWTRAK.A. This backdoor steals stored information in several FTP clients or file manager software. In addition, BKDR_VAWTRAK.A also steals email credentials from Outlook, PocoMail, IncrediMail, Windows Live Mail, and The Bat! among others. In order to avoid detection on the system, this backdoor deletes certain registry keys related to Software Restriction Policies.

According to Trend Micro Software Architecture Director Jon Oliver, this attack was moderate in number, constituting approximately 1 in every 300-400 thousand spam on the day of the outbreak based on the estimate. To give this a baseline of comparison, the recent Royal Baby spam outbreak consisted of 1 in every 200 spam on the days of that outbreak.

This email campaign also appears to be targeting specific organizations, which stresses the importance of social engineering training and how to make it effective in a workplace setting. This includes training like “social” penetration training, which is basically having someone play an attacker and attempt to lure employees via social engineering.

Trend Micro Smart Protection Network protects users from this threat by blocking the related email message, malware and access to the site.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Convincing UPS Email Scam Delivers Backdoor