The Tacticlol downloader, responsible for a lot of infections over the past year, propagates in two ways: via drive-by downloads, and as a .zip archive attached to messages. Maybe the spam filtering companies finally caught on to the trick, or maybe the Tacticlol distributors are just trying to mix it up, but the latest sample to come over the transom has me scratching my head.
Like most others, this sample came attached to an email made to look like a message that UPS would never send. Once again, the message tries to convince the recipient that the attached file is a shipping label the recipient needs to open and print before he or she can “receive the parcel.” And, as always, the attachment contains an executable installer for the Trojan.
Dear customer Your parcel has arrived at the post office on October 9. Our Driver was unable to deliver the parcel to your address. To receive a parcel you must go to the nearest UPS office and show your mailing label. Mailing label is attached to this letter. You need to print mailing label, and show it in UPS office to receive the parcel. Thank you for your attention. UPS International Services.
But this time, instead of sending a .zip archive with a .zip extension, they sent a message with a .zip archive that has a .jpg extension. And, yeah, that just doesn’t work.
The file isn’t a JPEG image file. If you try to open it in a browser or an image editor, the editor simply errors out and tells you it isn’t an image file, and the story ends right there. I’m sure some Russian malware distributor has been double-facepalming over the waste of a perfectly good scam. Social engineering: You’re doing it wrong.