Another round of spammed emails is arriving in users' inboxes today. This round has been socially engineered to trick users into thinking a package has been shipped on their behalf by DHL. The email contains a forged “From:” field that pretends to originate from DHL.
The scam email contains two hyperlinks within the body of the message, “Get Shipment Info” and “Tracking Page”. If either is clicked, the user is directed to a malicious webpage that prompts them to download and save the file "Delivery_Information_ID-004588020234-Z31.zip". The downloaded archive contains the malicious PE file (MD5: 5aab918be7e74cf29251fc27d420a1b3).
Here is an example email:
![DHL Scam Detected by Thirtyseven4 Antivirus](./DHL_Thirtyseven4_Detect.JPG)
Upon analysis of the Trojan, we observed that it drops a file at the following location:
%Application Data%\randomname_folder\randomname_file.exe
The following registry entry is also created on the system, so that the dropped file is launched at each logon: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {alpha_numeric}="%Application Data%\randomname_folder\randomname_file.exe"
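The persistence pattern described above (an alphanumeric Run value pointing at an executable in a random subfolder of the user's Application Data directory) can be checked for with a small script. The following is an added example written for this advisory, not Thirtyseven4's own tooling; it parses constructed `reg query` output rather than a live registry, assumes `%Application Data%` expands to `Application Data` (Windows XP) or `AppData\Roaming` (Vista and later), and compares file contents against the MD5 quoted above.

```python
import hashlib
import re

# Constructed sample output of:
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# (not captured from a real machine). The second and third values mimic the
# persistence entry described above: an alphanumeric name pointing into a
# random subfolder of the user's roaming Application Data directory.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Xk9Dq2Pz    REG_SZ    C:\Users\alice\AppData\Roaming\xk9dq2\mz41p.exe
    Spooler     REG_SZ    "C:\Documents and Settings\alice\Application Data\qwe123\abc456.exe"
"""

# MD5 of the dropped PE file quoted in the advisory.
KNOWN_MD5 = "5aab918be7e74cf29251fc27d420a1b3"

# Assumed expansions of %Application Data%: XP-style and Vista+ roaming paths.
APPDATA_PATTERN = re.compile(r"\\(Application Data|AppData\\Roaming)\\", re.IGNORECASE)

# One value line of `reg query` output: <name> <type> <data>.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_run_values(reg_query_output):
    """Return (name, data) pairs from `reg query` text for a Run key."""
    values = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values.append((m.group(1), m.group(3).strip()))
    return values


def executable_path(data):
    """Strip surrounding quotes and trailing arguments from a Run value."""
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def suspicious_run_entries(reg_query_output):
    """Flag Run values whose .exe sits one folder below the roaming AppData root."""
    flagged = []
    for name, data in parse_run_values(reg_query_output):
        path = executable_path(data)
        m = APPDATA_PATTERN.search(path)
        if m:
            tail = path[m.end():].split("\\")  # e.g. ["xk9dq2", "mz41p.exe"]
            if len(tail) == 2 and tail[1].lower().endswith(".exe"):
                flagged.append((name, path))
    return flagged


def matches_known_sample(file_bytes, known_md5=KNOWN_MD5):
    """True if the given file contents hash to the MD5 quoted in the advisory."""
    return hashlib.md5(file_bytes).hexdigest() == known_md5.lower()
```

On a live system, feed the script the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and pass the bytes of each flagged executable to `matches_known_sample`.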
In addition to updating the Thirtyseven4 Antivirus virus scanner for these threats and similar future threats, the Thirtyseven4 Browser Protection module will be updated immediately to block any malicious websites should this Trojan start attempting to reach them.