Sasfis distributed via fake U.S. Postal Service emails

If you have recently received an email from the United States Postal Service notifying you that a package you sent wasn’t delivered because the recipient’s address is incorrect, don’t open the attached .zip file.

The image file in the attachment is actually a Sasfis variant, and this well-known downloader Trojan is often used as a distribution platform for other malware.
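The lure works because the archive's member looks like an image (a double extension such as `.jpg.exe`, or a plain `.jpg` name on a file that is really a Windows executable). The following is an added triage example, not code from the original article or from Bkis: it builds a constructed sample attachment in memory (no real malware involved) and flags members whose extension or leading bytes say "executable" while the name says "image". The member names and the `triage_zip`/`build_sample_zip` helpers are assumptions for illustration.

```python
import io
import zipfile
from pathlib import PureWindowsPath

# Extensions Windows will run on double-click, whatever icon the file shows.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".vbs", ".js", ".jse", ".wsf", ".hta"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

# Leading bytes of real image formats; an "image" that starts with none of
# these deserves a second look, and one that starts with "MZ" is a PE file.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"BM")


def triage_zip(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for every member that looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Strip any directory part, then split the extensions; strip() also
            # defeats the "label.jpg          .exe" padding trick.
            name = PureWindowsPath(info.filename).name
            suffixes = [s.lower().strip() for s in PureWindowsPath(name).suffixes]
            last = suffixes[-1] if suffixes else ""
            with zf.open(info) as member:
                head = member.read(16)  # only the magic bytes are needed
            if last in EXECUTABLE_EXTENSIONS:
                reason = "executable extension " + last
                if len(suffixes) > 1 and suffixes[-2] in IMAGE_EXTENSIONS:
                    reason = "double extension: image name hiding " + last
                findings.append((info.filename, reason))
            elif last in IMAGE_EXTENSIONS:
                if head.startswith(b"MZ"):
                    findings.append((info.filename, "PE header (MZ) inside a file named as an image"))
                elif not head.startswith(IMAGE_MAGIC):
                    findings.append((info.filename, "image extension but unrecognised magic bytes"))
            elif head.startswith(b"MZ"):
                findings.append((info.filename, "PE header (MZ) with non-executable extension " + repr(last)))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment (hypothetical names, dummy bytes, no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("USPS_label.jpg.exe", b"MZ" + b"\x00" * 62)           # double extension, PE body
        zf.writestr("USPS_receipt.jpg", b"MZ" + b"\x00" * 62)             # image name, PE body
        zf.writestr("USPS_logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)  # genuine PNG header
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in triage_zip(build_sample_zip()):
        print(f"{member}: {reason}")
```

The check deliberately inspects both the name and the first bytes: a double extension is caught even when the payload is not a PE, and a PE is caught even when the name is a clean `.jpg`, so the two tricks in this campaign's lure do not slip past a filter that only looks at one of them.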

Vietnamese security company Bkis warns about the danger and points out that, upon execution, the Trojan drops a file called bfky.ojo into Windows' System32 folder, modifies a registry key so that it runs each time the system is booted, and then receives commands from its control server located at

This particular Sasfis variant had a fairly low detection rate yesterday (32% on VirusTotal). Even if that has since improved, users are warned not to open attachments from unsolicited emails, and to be aware that fake delivery notices supposedly sent by various couriers (FedEx, UPS, DHL and others) are a common lure used by malware pushers to spread their malicious wares.

