Muncy Malware Used in DHL Phishing Campaign

Attackers impersonating DHL are targeting users with a phishing campaign that spreads the Muncy trojan. The emails arrive in a user’s inbox from the address “support@dhl[.]com” with the subject line “DHL SHIPMENT NOTIFICATION” in an effort to trick the recipient. Each email includes a malicious attachment that downloads the Muncy trojan if opened. Once downloaded, the malware scans for FTP data, among other information. It then scans the C: drive and sends any information it obtains back to “samreed[.]net,” a domain owned and operated by the criminals. The malware did not seem to establish persistence on the user’s device at any point in its life cycle.

Analyst Notes

Users should be skeptical when receiving unexpected emails. In this instance, if a user is not expecting an order from DHL, the email should be ignored, as it is more than likely a social engineering effort with malicious intent.