- Threat Actors Deliver Courier-Themed Spam Campaign with Attached ACE Files
Insights and Analysis by Miguel Ang
Trend Micro researchers detected a new courier-service-themed malicious spam campaign that uses ACE archive files (detected by Trend Micro as Trojan.Win32.GULOADER.A) as attachments. The samples were gathered from our honeypot.
Figure 1. Sample DHL-themed spam email
The ACE file contains a zip file and an executable. The executable acts as a downloader once the archive is extracted and the file is run.
Figure 2. Attachment Contents
The zip file is password protected and contains another executable.
Figure 3. DHL themed spam
The binary is a downloader: it connects to a hardcoded URL to fetch its payload, adds a startup (autorun) registry entry for persistence, and launches the payload through a VBS script. At the time of analysis the URL no longer served a file. The persistence entry is still written, however, so the machine remains set up for a later compromise if the attackers bring the download location back online or point the same infrastructure at a new payload.
Figure 4. Binary file from the malicious attachment
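The autorun entry described above is what a responder would look for on a machine that opened the attachment. The following script is an added example, not Trend Micro's code: it parses constructed `reg query`-style output for an HKCU Run key (the entry names, paths and user name are hypothetical) and flags entries that launch a script host or a script file, or that point into a user-writable directory, which is the pattern a downloader-plus-VBS persistence mechanism leaves behind.

```python
"""Triage Windows Run-key entries for the persistence pattern a downloader leaves.

Added example, not part of the original article. The input is a constructed
`reg query HKCU\\...\\Run` listing with hypothetical entry names and paths.
"""
import re
from dataclasses import dataclass

# Constructed sample output; the paths, user name and entry names are made up.
SAMPLE_RUN_KEY_OUTPUT = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background
    Updater     REG_SZ    wscript.exe //B "C:\\Users\\victim\\AppData\\Roaming\\update.vbs"
    Shipment    REG_SZ    C:\\Users\\victim\\AppData\\Local\\Temp\\DHL Shipment Arrival Notification.exe
    SecurityHealth    REG_EXPAND_SZ    %windir%\\system32\\SecurityHealthSystray.exe
"""

# Script hosts and interpreters commonly abused to launch a second stage.
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "rundll32", "regsvr32")
# Script extensions that should rarely appear in an autorun command line.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1")
# Directories a standard user can write to; legitimate autoruns seldom live there.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\public\\", "\\downloads\\",
                 "%appdata%", "%temp%", "%localappdata%")


@dataclass
class RunEntry:
    name: str
    type: str
    command: str


# One value line: name, REG_SZ/REG_EXPAND_SZ, then the command. Entry names
# containing spaces are not handled by this simple pattern.
ENTRY_RE = re.compile(r"^\s+(\S+)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*)$")


def parse_run_key(text):
    """Return the value entries from a `reg query` listing (key-path lines are skipped)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(RunEntry(m.group(1), m.group(2), m.group(3).strip()))
    return entries


def suspicious_reasons(entry):
    """List why an entry looks like attacker persistence; empty list means benign-looking."""
    cmd = entry.command.lower()
    reasons = []
    if any(re.search(r"\b" + host + r"(\.exe)?\b", cmd) for host in SCRIPT_HOSTS):
        reasons.append("script host")
    if any(ext in cmd for ext in SCRIPT_EXTS):
        reasons.append("script file")
    if any(path in cmd for path in USER_WRITABLE):
        reasons.append("user-writable path")
    return reasons


def triage(text):
    """Map each suspicious entry name to its reasons; benign-looking entries are omitted."""
    result = {}
    for entry in parse_run_key(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            result[entry.name] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RUN_KEY_OUTPUT).items():
        print(f"{name}: {', '.join(reasons)}")
```

On a live host the same logic applies to the HKLM Run and RunOnce keys and to the Startup folder; run it against the output of `reg query` for each location rather than only HKCU. Treat a hit as a lead, not a verdict: legitimate updaters do sometimes live under %APPDATA%, so the "script host" and "script file" reasons carry more weight than the path check alone.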
We have been receiving other spam samples that carry the same payload. ACE is a compressed archive format produced by WinACE; ACE files can be opened with tools such as WinACE or BitZipper. Uncommon archive formats like ACE are attractive to spammers because many mail gateways cannot open them to inspect the contents, so the attachment type itself is worth filtering on.
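Filtering on the file extension alone is not enough, since the sender controls the name. The following script is an added example, not Trend Micro's code: it identifies an attachment's real type from its header bytes (an ACE main header carries the signature `**ACE**` at offset 7, after the 2-byte CRC, 2-byte size, 1-byte type and 2-byte flags fields; a zip starts with `PK\x03\x04`; a Windows executable starts with `MZ`) and reports ACE archives, bare executables, and extension/content mismatches. The attachment bytes used below are constructed minimal stand-ins, not the campaign's real files.

```python
"""Identify mail attachments by header signature rather than by extension.

Added example, not part of the original article. The sample attachments are
constructed byte strings with just enough structure to carry the signatures.
"""
ACE_MAGIC = b"**ACE**"   # ACESIGN field of the ACE main header
ACE_MAGIC_OFFSET = 7     # after HEAD_CRC(2) + HEAD_SIZE(2) + HEAD_TYPE(1) + HEAD_FLAGS(2)
ZIP_MAGIC = b"PK\x03\x04"  # zip local file header signature
MZ_MAGIC = b"MZ"         # DOS/PE executable stub

# Extensions that honestly describe each detected content type.
HONEST_EXTENSIONS = {"ace": {"ace"}, "zip": {"zip"}, "pe": {"exe", "dll", "scr"}}


def identify(data):
    """Return 'ace', 'zip', 'pe' or 'unknown' based on the leading bytes only."""
    if data[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(MZ_MAGIC):
        return "pe"
    return "unknown"


def triage_attachment(filename, data):
    """Return (detected kind, list of findings) for one attachment."""
    kind = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []
    if kind == "ace":
        findings.append("ACE archive: abandoned format, rarely legitimate in mail")
    if kind == "pe":
        findings.append("executable attachment")
    honest = HONEST_EXTENSIONS.get(kind)
    if honest and ext not in honest:
        findings.append(f"extension .{ext or '(none)'} does not match content ({kind})")
    return kind, findings


# Constructed stand-ins: only the signature bytes matter for this check.
FAKE_ACE = bytes(ACE_MAGIC_OFFSET) + ACE_MAGIC + b"\x00" * 16
FAKE_ZIP = ZIP_MAGIC + b"\x00" * 26
FAKE_PE = MZ_MAGIC + b"\x90" * 62

if __name__ == "__main__":
    for name, blob in [("DHL Shipment Arrival Notification.ace", FAKE_ACE),
                       ("invoice.pdf", FAKE_ACE),
                       ("notes.txt", FAKE_ZIP),
                       ("report.exe", FAKE_PE)]:
        kind, findings = triage_attachment(name, blob)
        print(f"{name}: {kind} {findings}")
```

The zip inside the ACE would be caught by the same check once the outer archive is extracted, but a password-protected zip cannot be opened by the gateway at all, which is exactly why the campaign nests one: the combination of an uninspectable outer format and an encrypted inner one is itself a strong reason to quarantine the message.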
Delivery-service-themed campaigns are not new; earlier campaigns we detected delivered backdoors, Emotet, and other trojans and malware types. Some of those payloads were able to intercept text messages.
Filename | SHA-256 | Trend Micro Pattern Detection
--- | --- | ---
DHL Shipment Arrival Notification.exe | accfdbd1af174d1134015daa4bc39ee1b5c8b88df4ecee8ea0c9cda660bb18c7 | Trojan.Win32.GULOADER.A
DHL Shipment Arrival Notification.ace | 1e6db9987ba9662be6f49c006b042766f85027266427d6e3b3c62faac310542d | Trojan.Win32.GULOADER.A
DHL Shipment Arrival Notification.zip | eaa6bbbfd75eab17c2808b0c2dd4a5d5a5ee473cc7cd5e93ce4302c4f830202d | N/A