Fake DHL shipping waybill email attachment contains the Qbot spyware Trojan
August 31, 2020
Today, I received an email with the subject plainly marked as [SPAM] by Spam Assassin. The rest of the subject read as follows:
RE: DHLå•å· Shipment Delivery Air Waybill no 6979374150
Note that it begins with "RE:" followed by mention of the alleged shipping company and a waybill number. The From address falsely claimed to be "DHL Global Inc © " [email protected]. The message body started off with the following plain text...
Dear customer,
Please find the attached Air Shipping Waybill Documents mentioned above that just arrived.
Immediately after this text there was an embedded blurry image purporting to be a scan of a waybill of a shipment from China. Directly under this faked waybill was the following footer...
DHL-Sinotrans International Air Courier Ltd.
No.55 Songshan Rd, Suzhou 215129, China
Phone:+86(512)66892059-5205
Internal VoIP Phone:809-5605
Fax:+86(512)66750262
[email protected]
www.cn.dhl.com
GO GREEN - Environmental protection with DHL
Please consider your environmental responsibility before printing this email.
Under this fake waybill image were a series of corporate claims and icons, all of which are actually one huge image file. The overall file size of this email was 569kb. Attached to the email was a zipfile named: "Shipment Delivery Air Waybill no 6979374150.zip", which matched the number in the subject. Inside the zipfile was a Trojan Horse spyware installer identified as a severe threat named: "TrojanSpy:MSIL/AgentTesla.AT!MTB" by Windows Defender.
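The traits described above (a "RE:" subject on a message that is not a reply, a DHL display name on the sender, and a zip named after the waybill number with an installer inside) can be checked mechanically during mail triage. The following Python code is an added example, not part of the original post: the function names, the `dhl.com` allow-list, the extension list, the threading-header test and the sample message (with an `example.com` sender and an inert file inside the zip) are all assumptions constructed for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".bat", ".msi")  # assumed list

def triage(raw: bytes, brand: str = "dhl", brand_domains=("dhl.com",)) -> list[str]:
    """Return the lure traits described in the post that one raw message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg.get("Subject", ""))
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    # Display name uses the brand, but the address is not on a brand domain.
    if brand in name.lower() and not any(
            domain == d or domain.endswith("." + d) for d in brand_domains):
        hits.append("brand-display-name-mismatch")
    # Assumption: a "RE:" subject with no threading headers is not a real reply.
    if re.match(r"\s*re:", subject, re.I) and not (msg["In-Reply-To"] or msg["References"]):
        hits.append("fake-reply-subject")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        if any(n in fname for n in re.findall(r"\d{8,}", subject)):
            hits.append("zip-name-matches-subject")  # archive repeats the waybill number
        try:  # list member names only; nothing is extracted or executed
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                if any(m.lower().endswith(EXEC_EXT) for m in zf.namelist()):
                    hits.append("executable-inside-zip")
        except zipfile.BadZipFile:
            hits.append("unreadable-zip")
    return hits

def sample_message() -> bytes:
    """Constructed sample: harmless text stored under an .exe name in a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Shipment Delivery Air Waybill.exe", b"inert placeholder, not a program")
    m = EmailMessage()
    m["From"] = '"DHL Global Inc" <sender@example.com>'
    m["Subject"] = "RE: DHL Shipment Delivery Air Waybill no 6979374150"
    m.set_content("Dear customer,\nPlease find the attached Air Shipping Waybill Documents.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="Shipment Delivery Air Waybill no 6979374150.zip")
    return m.as_bytes()

if __name__ == "__main__": print(triage(sample_message()))
```

A message that trips several of these checks at once is a stronger signal than any single one, since legitimate replies and legitimate zip attachments each occur on their own.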
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.