A widespread malware delivery campaign in the form of fake “undelivered courier item” emails is targeting both Windows and OS X users, warns Sophos.
The emails in question impersonate a series of existing courier brands such as DHL, FedEx, and the UK Royal Mail, but these malware peddlers have also thought about creating an imaginary service as well, and to create a website for it.
The contents of the emails are nothing new – the potential victim is told that the service is having trouble delivering them a package, and that they should get in touch after checking out the parcel document via a link contained in the email:
Despite the clumsy wording of the email, there are those who will fall for the trick, especially when the cyber crooks use personal information they might have collected or bought from other scammers.
Clicking on the offered link will lead the victims to a website set up by the attackers, which is able to detect whether the visitor uses a mobile browser, Safari, or another desktop browser.
In the first instance, the server delivers an error message, and the user is safe. But if he or she uses a desktop browser, the page serves malware for download.
In the case of desktop browsers which are not Safari, the user is urged to download a ZIP file pretending to be a document with the parcel information, but actually contains an information-stealing Trojan similar to the infamous Zeus malware.
If the user surfs the Internet with Safari, visiting the page will trigger an automatic download of a ZIP file that apparently contains a PDF file. But if the user runs it, OS X detects it for what it really is: a piece of software.
If that is not enough for the user to become suspicious, and he or she ultimately decides to run it, nothing seemingly happens.
But in the background, the malware (“LaoShu”) has been installed and begins working.
“LaoShu-A as good as hands control of your Mac over to the attackers, but its primary functions appear to be more closely associated with data stealing than with co-opting you into a traditional money-making botnet,” explains Paul Ducklin.
“In other words, the attackers seem more concerned with digging around on your computer for what they can steal than with abusing your computer and your internet connection to aid and abet other cybercriminal activities.”
The malware is interested in collecting Word, Excel and Powerpoint files and exfiltrate them to a server run by the attackers, as well as in downloading additional malware that will take screenshots and send them to the server.