Malware-spreading emails that abuse the names of popular courier companies such as DHL, FedEx or the UK’s Royal Mail are not uncommon. However, it’s not often that such spam runs are utilized to distribute Mac malware.
Researchers from Sophos have come across a fake FedEx email entitled “Pending Parcel for Jonathan.”
“We wish to inform you that we have a pending parcel for the past 10 days bearing your name Mr. Jonathan Sidebottom, with parcel number (MV-45-QA566). The parcel was sent for delivery on the below mentioned address but nobody was there to receive it,” the bogus notifications read.
The link from the email purports to lead to fedex.com.ch, but it doesn’t. This is where it all gets interesting.
If the link is clicked from a mobile device, nothing happens. If the link is visited from a computer running a web browser other than Safari, a piece of Windows malware is served. The threat is a “vague relative” of the ZeuS banking malware, experts noted.
However, in case the link is clicked from Safari, Apple’s web browser, a piece of Mac malware is delivered, hidden inside a ZIP archive file.
At first sight, the malicious file appears to be a harmless PDF document. However, when the user wants to open it, he/she is warned by the operating system that “Scanned_Copy_of_parcel” is actually an “application downloaded from the Internet.”
Users who ignore the warning are actually allowing a piece of malware dubbed OSX/LaoShu-A to make its way onto their systems. It’s worth noting that the operating system doesn’t display any warning regarding the developer because the malicious app is digitally signed.
LaoShu-A is a Remote Access Trojan (RAT) that allows cybercriminals to take control of an infected computer. Experts say the threat allows cybercriminals to search and exfiltrate certain file types, take screenshots, and perform other actions.