Case in point—
Our researchers in the AV Labs have been seeing an uptick in this particular campaign, which poses as a message from the United States Postal Service (USPS) and bears the subject "Package is was not able to be delivered please print out the attached label". The message body reads as follows:
Hello!
Unfortunately we failed to deliver the postal package you have sent on the 19th of September in time because the recipient's address is erroneous.
Please print out the shipment label attached and collect the package at our office.
United States Postal Service
{long line of unreadable characters}
Here is what the attached file looks like once downloaded onto a system:
When executed, it connects to the IP address 91(dot)221(dot)98(dot)29 and downloads the file named step.exe, which is a variant of FakeSysDef, a rogue malware. It also checks on the following websites, all of which are from Russia:
- followmego12(dot)ru
- hidemyfass87111(dot)ru
- losokorot7621(dot)ru
- mamtumbochka766(dot)ru
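For defenders who want to check their own web proxy logs against the indicators above, here is an added example (not code from the original post) that refangs the "(dot)" notation at run time and flags matching requests. The log format, client addresses and the /step.exe URL path are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as published in the post, kept defanged in source.
DEFANGED_IP = "91(dot)221(dot)98(dot)29"
DEFANGED_DOMAINS = [
    "followmego12(dot)ru",
    "hidemyfass87111(dot)ru",
    "losokorot7621(dot)ru",
    "mamtumbochka766(dot)ru",
]
PAYLOAD_NAME = "step.exe"

def refang(indicator):
    """Convert '(dot)' / '[.]' notation back into a matchable host string."""
    return re.sub(r"[\(\[]\s*(?:dot|\.)\s*[\)\]]", ".", indicator, flags=re.I).lower()

IOC_IP = refang(DEFANGED_IP)
IOC_DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]

def scan(lines):
    """Return (client, host, reason) for every request that touches an indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of guessing
        _ts, client, _method, url, _status = parts
        parsed = urlsplit(url)
        host = (parsed.hostname or "").rstrip(".")  # hostname is already lowercased
        if host == IOC_IP:
            is_payload = parsed.path.lower().endswith("/" + PAYLOAD_NAME)
            reason = "payload download" if is_payload else "ioc ip"
        elif any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            reason = "ioc domain"  # exact host or subdomain, never a substring
        else:
            continue
        hits.append((client, host, reason))
    return hits

# Constructed sample log (assumed format: timestamp client method url status).
SAMPLE_LOG = [
    f"2000-01-01T09:14:03Z 10.0.4.17 GET http://{IOC_IP}/step.exe 200",
    f"2000-01-01T09:14:09Z 10.0.4.17 GET http://www.{IOC_DOMAINS[2]}/ 200",
    f"2000-01-01T09:15:30Z 10.0.4.22 GET http://{IOC_DOMAINS[0].upper()}./a 404",
    f"2000-01-01T09:16:00Z 10.0.4.30 GET http://{IOC_DOMAINS[0]}.example.com/ 200",
    "2000-01-01T09:16:05Z 10.0.4.30 GET http://example.com/step.exe 200",
]
```

The last two sample lines are deliberate non-matches: a listed domain used as a label under another domain, and the payload file name on an unrelated host.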
As always, steer clear of these kinds of emails, especially if you haven't made transactions with such companies. When in doubt, double check with the supposed sender by calling their office for confirmation, but do not reply to the sender's email address. With Black Friday and Cyber Monday (not to mention Cyber Weekend and the holiday season) just around the corner and the majority of people everywhere shopping online, it is wise to expect such attacks to multiply further in the coming days and weeks. Such an attack is not new; however, many are still falling for it. It's time to wise up.
Jovi Umawing (Thanks to Matthew, Robert, and Adam)