{"id":16491,"date":"2022-07-06T15:15:39","date_gmt":"2022-07-06T15:15:39","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?page_id=16491"},"modified":"2023-04-05T12:30:17","modified_gmt":"2023-04-05T12:30:17","slug":"spoofed-dhl-shipment-notification-delivers-cerber-ransomware","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/spoofed-dhl-shipment-notification-delivers-cerber-ransomware\/","title":{"rendered":"Spoofed Dhl Shipment Notification Delivers Cerber Ransomware"},"content":{"rendered":"
Continuing the never-ending series of malware downloaders, an email with the subject DHL Shipment Notification : 6349701436, pretending to come from DHL Customer Support <support@dhl.com>, delivers Cerber ransomware.<\/p>\n
The senders use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are targeted at small and medium-sized businesses, in the hope of getting a better response than they do from consumers.<\/p>\n
DHL has not been hacked or compromised. They are not sending these emails to you.<\/p>\n
This is another one of the files that, unless you have \u201cshow known file extensions\u201d enabled, can easily be mistaken for a genuine DOC \/ PDF \/ JPG or other common file instead of the .EXE \/ .JS file it really is, making it much more likely that you will accidentally open it and be infected.<\/p>\n 9 January 2017:\u00a0 P_rek.zip: Extracts to:\u00a0Pickup \u2013 DOMESTIC EXPRESS-Date,23 Jan 17.pdf.js \u00a0Current VirusTotal detections:\u00a0\u00a0Payload Security\u00a0shows a download\u00a0 from (\u00a0VirusTotal)\u00a0 which, from the network noise, looks like Cerber ransomware, although neither Payload Security nor any antivirus on VirusTotal detects it as Cerber.<\/p>\n One of the emails looks like:<\/p>\n From: DHL Customer Support <support@dhl.com><\/p>\n Date: Tue 24\/01\/2017 03:53<\/p>\n Subject: DHL Shipment Notification : 6349701436<\/p>\n Attachment: -EXPRESS -Date20170120.zip<\/p>\n There are several differently named attachments in this campaign: _Dhl_expr. DATE20170120.zip, \u00a0\u00a0-EXPRESS -Date20170120.zip and probably other variants. All extract to the same .js file, Pickup \u2013 DOMESTIC EXPRESS-Date,23 Jan 17.pdf.js<\/p>\n Body content:<\/p>\n Notification for shipment event group \u201cDelivered \u201d for 23 Jan 16.<\/p>\n