Infected DHL Emails Target Spanish Speakers

[tipo]

Malware distributors are targeting Spanish speakers through fake DHL failed delivery notification emails that carry a variant of the Oficla trojan.

The "From" field of the emails is spoofed to appear as if they originate from "DHL Servicios" and the entire message contained within is written in Spanish.

The fake emails are different from most DHL spoofs, because they abuse an real DHL email template, which includes the company's logo, images, color scheme and contact information.

This email template abuse technique has been very common during the second half of this year, when it was used to mimic communications from popular services like Facebook, Twitter, LinkedIn, Gmail and many others.

The lure used in this new DHL-themed attack is the same as in English variants observed in the past. The emails claim that a package could not be delivered because of a bad shipping address.

Recipients are told that the parcel is available for pick-up at the local post office and are instructed to print the shipping label found inside the email attachment in order to retrieve it.

The attachment is called Etiqueta_ID#####.zip (where # is a random digit) and contains a folder with malicious a .exe file inside.

The file has a deceptive Excel document icon and installs an Oficla variant. Trojans from this family of malware are commonly used as distribution platforms for other malicious applications.

They are part of pay-per-install (PPI) schemes in which other criminals pay the trojan's authors to deploy their malware to as many computers as possible.

Oficla is commonly used to distribute scareware, rogue antivirus programs that bombard users with bogus security alerts in an attempt to trick them into paying for a license key.

"I'm not sure who would want to go through all of the clicking trouble required to be infected by this trojan, but I'm sure it works," Fred Touchette, researcher at email security vendor AppRiver, writes.

"I can only assume that these files are foldered and then zipped in an attempt to evade detection by anti-virus software that doesn't look that deep, though I think most do," he adds.

Users are advised to treat all email attachments with suspicion, even when they appear to originate from trusted or known sources. It's strongly recommended to scan such files on services like VirusTotal before opening.