DHL Spam arrives with EMOTET

 Analysis by: Michael Angelo Casayuran

This spammed message arrives as an empty email with a subject line written in German. Like most spam of this nature, it pretends to be a delivery notification from DHL, a well-known logistics company. The attached .PDF file, when opened, contains a message (Figure 1) telling the user that the shipment status is available via the link provided. The link leads to the download of EMOTET malware, known for stealing online banking information.

Figure 1. PDF file content written in German

Further investigation reveals that this particular spam attack is increasing in Germany (Figure 2) as of this writing. Moreover, the EMOTET malware involved in this attack downloads another malware, identified as ROWLIM, which then creates the spam mail used for propagation, continuing the chain of infection.

Figure 2. Spam attack records increasing significantly in Germany.

Trend Micro continuously monitors spammers involved in spreading EMOTET. The Smart Protection Network identifies, detects, and blocks all related spammed messages and the links associated with them. The public is advised to refrain from clicking any links received in unknown or suspicious mail.

 SPAM BLOCKING DATE / TIME: May 15, 2015 GMT-8
 TMASE INFO
  • ENGINE:
  • PATTERN: 1548