Analysis by: Merianne Polintan

Cybercriminals are using the package courier United Parcel Service (UPS) as a lure to deliver a backdoor onto users' systems. The spammed message bore the subject NOTIFICATION - Package Delivery Confirmation and contained links to a supposed tracking site and a .PDF copy of the shipping invoice. Instead of an invoice, however, malware (detected as BKDR_VAWTRAK.A) is downloaded once the user visits the URL. As part of its social engineering, the spam run used an email address closely resembling a legitimate UPS address. Furthermore, the link to the malware-hosting site is displayed as the legitimate UPS website address, so that recipients who trust the visible link click the malicious URL that starts the infection chain.
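The lure relies on an anchor whose visible text names the real UPS site while its href points elsewhere. The following added example (not part of the original advisory, and not Trend Micro's detection logic) shows one way a mail filter can flag that mismatch: parse the HTML body, and for every link whose displayed text itself looks like a URL, compare the host it claims against the host the href actually goes to. The message body and the hostname tracking.example.net are constructed for illustration.

```python
"""Flag HTML e-mail anchors whose visible text names a different host than the href.

Added example; the sample message below is constructed, not a real spam sample.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body modelled on the lure described above: the first link's
# text shows the real UPS site while its href points to an unrelated host
# (tracking.example.net is a made-up name).
SAMPLE_HTML = """
<p>NOTIFICATION - Package Delivery Confirmation</p>
<p>Track your package:
   <a href="http://tracking.example.net/ups/invoice.php">http://www.ups.com/tracking</a></p>
<p>Visit <a href="http://www.ups.com/">www.ups.com</a> for more information.</p>
<p><a href="http://tracking.example.net/pdf">Download invoice</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase host of a URL or bare domain; '' if none can be parsed."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def looks_like_url(text):
    """Only link text that itself reads as a URL makes a claim about the host."""
    return "://" in text or text.lower().startswith("www.")


def same_site(a, b):
    """Crude registrable-domain check: the last two labels must match.

    Good enough for this demonstration; a real filter should use the public
    suffix list so that e.g. co.uk domains compare correctly.
    """
    return a.split(".")[-2:] == b.split(".")[-2:]


def find_mismatched_links(html):
    """Return (href, shown_text) pairs where the visible text claims one site
    and the href actually leads to another."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        if not looks_like_url(text):
            continue  # "Download invoice" names no host, so nothing to compare
        shown, actual = host_of(text), host_of(href)
        if shown and actual and not same_site(shown, actual):
            hits.append((href, text))
    return hits


if __name__ == "__main__":
    for href, text in find_mismatched_links(SAMPLE_HTML):
        print(f"display {text!r} -> actual {href!r}")
```

Links whose text is a plain phrase ("Download invoice") are deliberately not flagged by this check, since they make no claim about their destination; they are better handled by host reputation or by rewriting the link through a click-time scanner.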

Once executed, the backdoor steals stored credentials from certain FTP clients and email credentials from Outlook, Windows Live Mail, and PocoMail, among others. While this spam run is not unusual, users are advised to remain vigilant against similar spam attacks.

The spam mails and malware were already detected and blocked by the security solutions powered by the Trend Micro™ Smart Protection Network™.

SPAM BLOCKING DATE / TIME: 24 August 2013 GMT-8
TMASE
  • TMASE Engine: 7.0
  • TMASE Pattern: 0102.003