August 31, 2020

Fake DHL shipping waybill email attachment contains the Qbot spyware Trojan

Today, I received an email whose subject was plainly marked as [SPAM] by SpamAssassin. The rest of the subject read as follows:

RE: DHL单号 Shipment Delivery Air Waybill no 6979374150

Note that it begins with "RE:" followed by mention of the alleged shipping company and a waybill number. The From address falsely claimed to be "DHL Global Inc © " [email protected]. The message body started off with the following plain text...

Dear customer,

Please find the attached Air Shipping Waybill Documents mentioned above that just arrived.

Immediately after this text there was an embedded blurry image purporting to be a scan of a waybill of a shipment from China. Directly under this faked waybill was the following footer...

DHL-Sinotrans International Air Courier Ltd.

No.55 Songshan Rd, Suzhou 215129, China
Phone:+86(512)66892059-5205
Internal VoIP Phone:809-5605
Fax:+86(512)66750262
[email protected]
www.cn.dhl.com
GO GREEN - Environmental protection with DHL
Please consider your environmental responsibility before printing this email.


Under this fake waybill image were a series of corporate claims and icons, all of which are actually one huge image file. The overall size of this email was 569 KB. Attached to the email was a zip file named "Shipment Delivery Air Waybill no 6979374150.zip", which matched the number in the subject. Inside the zip file was a Trojan Horse spyware installer, identified as a severe threat named "TrojanSpy:MSIL/AgentTesla.AT!MTB" by Windows Defender.

The zipped file was named "Shipment Delivery Air Waybill no 6979374150.exe", which, if unzipped and clicked upon, would launch the spyware installer. This threat is an information stealer meant to steal logins and passwords and send them home to the threat actors running this "malspam" campaign.

This spam, pretending to be a reply (RE:) to a previous email, matches an ongoing email scam campaign identified on August 27, 2020 by Bleeping Computer in an article titled "Qbot steals your email threads again to infect other victims".

If you are running a computer with Windows 10, are allowing Windows Defender to run, and it has up-to-date definitions, the threat will be blocked. If you even try to save the file, it will be blocked and deleted. However, under Actions there is the dangerous option to Allow the threat to run. Don't do it! If you or a co-worker has allowed this threat to launch, disconnect the computer from your network and start a thorough virus scan.
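The indicators described in this post (a subject that starts with "RE:" but is not a genuine reply, a zip attachment whose file name reuses the tracking number from the subject, and an executable inside that zip) can be checked automatically before a message reaches a mailbox. The following Python script is an added example written for this page, not code from the blog or from any vendor: it builds a constructed sample message in the same shape as the one described (with a harmless placeholder in place of the real payload and placeholder addresses), then runs three heuristic checks over it. The specific checks and the executable-extension list are assumptions chosen for illustration.

```python
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed sample values shaped like the message in the post.
WAYBILL = "6979374150"
ATTACHMENT_STEM = f"Shipment Delivery Air Waybill no {WAYBILL}"

# Extensions treated as directly executable inside an archive (assumed list).
EXEC_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".jar"}


def build_sample_eml() -> bytes:
    """Constructed look-alike of the malspam: zip attachment holding a harmless .exe placeholder."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr(ATTACHMENT_STEM + ".exe", b"placeholder, not a real executable")
    msg = EmailMessage()
    msg["From"] = "DHL Global Inc <sender@example.invalid>"  # placeholder address
    msg["To"] = "recipient@example.invalid"  # placeholder address
    msg["Subject"] = f"RE: DHL单号 Shipment Delivery Air Waybill no {WAYBILL}"
    msg.set_content("Dear customer,\n\nPlease find the attached Air Shipping Waybill Documents.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename=ATTACHMENT_STEM + ".zip")
    return msg.as_bytes()


def build_benign_eml() -> bytes:
    """Constructed genuine reply: has In-Reply-To and no attachment, so nothing should fire."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"  # placeholder address
    msg["To"] = "bob@example.invalid"  # placeholder address
    msg["Subject"] = "RE: lunch tomorrow"
    msg["In-Reply-To"] = "<original-message@example.invalid>"
    msg.set_content("Sounds good, see you at noon.")
    return msg.as_bytes()


def scan_eml(raw: bytes) -> list[str]:
    """Return a list of human-readable reasons the message looks like the described malspam."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = msg["Subject"] or ""

    # 1. "RE:" / "FWD:" subjects that carry no threading header are not real replies.
    if re.match(r"^\s*(re|fwd?)\s*:", subject, re.I) and not msg["In-Reply-To"]:
        reasons.append("subject claims a reply but no In-Reply-To header is present")

    # Long digit runs in the subject (tracking / waybill numbers).
    subject_numbers = set(re.findall(r"\d{6,}", subject))

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # 2. Look inside zip attachments for directly executable members.
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        if os.path.splitext(member)[1].lower() in EXEC_EXTS:
                            reasons.append(f"zip attachment {name!r} contains executable {member!r}")
            except zipfile.BadZipFile:
                reasons.append(f"attachment {name!r} is not a valid zip archive")
        # 3. Attachment name recycles the tracking number used in the subject line.
        if subject_numbers & set(re.findall(r"\d{6,}", name)):
            reasons.append(f"attachment {name!r} reuses the tracking number from the subject")
    return reasons


if __name__ == "__main__":
    for label, raw in (("lookalike", build_sample_eml()), ("benign", build_benign_eml())):
        print(label, "->", scan_eml(raw) or "no findings")
```

The script uses only the standard library's `email` and `zipfile` modules, so it can be dropped into a mail-gateway hook or run over an existing `.eml` file with `scan_eml(open(path, "rb").read())`. Each check on its own is weak (plenty of legitimate mail lacks threading headers), but all three firing together on one message is a strong signal worth quarantining rather than delivering.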
About the author

Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.