Threat Actors Deliver Courier-Themed Spam Campaign with Attached ACE Files
Insights and Analysis by Miguel Ang
Trend Micro researchers detected a new courier service themed malicious spam campaign that uses ACE files (detected by Trend Micro as Trojan.Win32.GULOADER.A) as attachments. The samples were gathered from our honeypot.
Figure 1. Sample DHL-themed spam email
The ACE file contains a zip file and an executable payload, which acts as a downloader upon extraction and execution.
Figure 2. Attachment Contents
The zip is password protected and contains another executable.
Figure 3. DHL themed spam
The binary is a downloader that will access a link to download its payload, set up a startup registry, and execute the payload using a VBS script. The indicated link does not download a file. However, the setup still makes future compromise possible.
Figure 4. Binary file from the malicious attachment
We have been receiving other spam samples with the same payload. ACE is a data compression archive produced by WinACE. It can be opened using tools such as WinACE or BitZipper.
Thwarting spam campaigns
Do not download attachments or click links from unverified sources.
If the email comes from a seemingly familiar source, verify via the company’s phone number or other contact details if they indeed sent the email.
If the company sent legitimate emails before, check the new sender’s email address. If it is an entirely different source or the email address is spoofed, the email is most likely spam.
Indicators of Compromise
|Filename||SHA-256||Trend Micro Pattern Detection|
|DHL Shipment Arrival Notification.exe||accfdbd1af174d1134015daa4bc39ee1
|DHL Shipment Arrival Notification.ace||1e6db9987ba9662be6f49c006b042766
|DHL Shipment Arrival Notification.zip
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Exposed Container Registries: A Potential Vector for Supply-Chain Attacks
- LockBit, BlackCat, and Clop Prevail as Top RAAS Groups: Ransomware in 1H 2023
- Diving Deep Into Quantum Computing: Modern Cryptography
- Uncovering Silent Threats in Azure Machine Learning Service: Part 2
- The Linux Threat Landscape Report