Attackers are extensively targeting Internet users by spreading fake USPS (United States Postal Service) emails. This time there are some slight changes in the content of the email but it is nothing that we have not seen before. The subject line reads: “You need to get a parcel”.
The email misleads the user by pretending to be from USPS and claims that a parcel could not be delivered due to “an error at postal code”. To resolve this, the user is told to visit the nearest USPS office to collect the parcel, bringing along the detailed delivery information attached to the email. Extracting the attached archive yields a .exe file that carries a PDF file icon. This is a malicious file belonging to the TrojanDownloader.Dofoil.O family.
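As an added example (not part of the original post), the following Python check inspects an attachment archive and flags entries whose content or name marks them as executables, regardless of the icon Explorer would show. The archive and its entries are constructed here to mirror the lure described above.

```python
import io
import zipfile

# Constructed sample archive shaped like the lure: a PE file named to look
# like a PDF, next to two harmless entries. The PE magic "MZ" is what
# identifies it, not the icon embedded in the file.
SAMPLE_ARCHIVE = io.BytesIO()
with zipfile.ZipFile(SAMPLE_ARCHIVE, "w") as zf:
    zf.writestr("parcel_info.pdf.exe", b"MZ" + b"\x90" * 62 + b"PE\x00\x00")
    zf.writestr("readme.txt", b"Your parcel could not be delivered.")
    zf.writestr("delivery.pdf", b"%PDF-1.4\n%constructed benign pdf\n")

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".txt", ".jpg"}


def classify_entry(name: str, head: bytes) -> list:
    """Return the reasons an archive entry looks like a disguised executable."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    if head.startswith(b"MZ"):
        reasons.append("PE header (MZ) in content")
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("double extension (document name, executable suffix)")
    if exts and exts[-1] in DOCUMENT_EXTS and head.startswith(b"MZ"):
        reasons.append("executable content with document extension")
    return reasons


def scan_archive(data: bytes) -> dict:
    """Map each suspicious entry name to the list of reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # enough to see the file magic
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in scan_archive(SAMPLE_ARCHIVE.getvalue()).items():
        print(entry, "->", "; ".join(why))
```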
Upon execution, it injects its code into the Windows system process “svchost.exe” and tries to connect to a remote server over HTTP. Once the connection is established, it receives a response containing encrypted configuration data, which may consist of several URLs and other execution options.
In this case, the Trojan was observed trying to connect to the following malicious domains.
An attacker can also download and install backdoor files on such an infected machine and gain full remote control over it.
Quick Heal successfully detects and deletes the attached file.