Yes, you've read the title right. Not the usual spam/malware attachment, but in fact just a picture of UPS... which of course is clickable.
But wait! Seems like the bad guys forgot a letter in their HTML (facepalm). I received the following mail:
Subject of spam email: UPS #Print your postal label
Since they forgot the "h" in "http", the image is incorrectly displayed. What it should have been:
[Image: Your package was not delivered. You are asked to print the label]
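A small triage helper for the pattern described above (a link whose only content is an image, here with a broken "ttp://" scheme). This is an added example, not code from the original post; the HTML body is constructed to mimic the campaign's layout and is not the actual mail.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes a mail client will actually follow; anything else (the "ttp://"
# typo in this campaign, or no scheme at all) is a malformed link.
KNOWN_SCHEMES = {"http", "https", "mailto"}


class ImageLinkScanner(HTMLParser):
    """Collects <a> elements whose only visible content is an <img>."""

    def __init__(self):
        super().__init__()
        self._href = None       # href of the <a> we are inside, if any
        self._has_img = False
        self._text = []
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href = attrs.get("href", "")
            self._has_img, self._text = False, []
        elif tag == "img" and self._href is not None:
            self._has_img = True

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if self._has_img and not any(self._text):
                scheme = urlsplit(self._href).scheme.lower()
                self.findings.append({
                    "href": self._href,
                    "malformed_scheme": scheme not in KNOWN_SCHEMES,
                })
            self._href = None


def scan_html_mail(body: str) -> list:
    """Return one finding per image-only link in an HTML mail body."""
    p = ImageLinkScanner()
    p.feed(body)
    return p.findings


# Constructed sample (hypothetical host), shaped like the campaign's mail.
SAMPLE = """<html><body>
<a href="ttp://example.invalid/label.zip"><img src="ttp://example.invalid/ups.png"></a>
<a href="https://example.invalid/track">Track your parcel</a>
</body></html>"""
```

Running `scan_html_mail(SAMPLE)` reports only the image-only link and flags its "ttp" scheme as malformed, which is the giveaway this post describes.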
The mail is coming from (related to the Asprox botnet):
220.127.116.11 - IPVoid Result
What happens when you click on the "Print a shipping label" (or what it should have been):
If the file gets executed, it drops a copy of itself to the %appdata% folder and tries to connect to the following IPs:
Also, when the file is executed, an svchost instance (with the malware injected into it; thanks to SteveK for the heads-up) is started and opens an empty Notepad window:
[Image: Empty Notepad file created by the malware]
If anyone has an idea on the why of this, be sure to let me know. Maybe to convince you it's really a UPS label after all? Second fail of the day: they should have at least included some rubbish text in there.
Pretty simple. Never open any emails from unknown senders, do not click on any links and certainly do not open any attachments.
Bells should be ringing already when you have not ordered anything. Always be wary when receiving mails where you need to click on a link or open an attachment to view this or that. Ask yourself:
"does this look legit?" If the answer is no, you know what to do.