Troj/Bredo-IG has been spreading through fake USPS spam campaigns.
The campaign includes subjects like:
From USPS id <random number>
Delivery Confirmation From USPS <random number>
Your USPS id <random number>
The campaign uses a forged From address, usually in a typical format:
The main body of the spam message uses social engineering to trick the user into opening the attachment included with the email. Examples include:
Dear User ,
Recipient's address is wrong PLEASE FILL IN ATTACHED FILE WITH RIGHT ADDRESS AND RESEND TO YOUR PERSONAL MANAGER.
USPS Customer Services
We were not able to delivery the post package Please print out the invoice copy attached and collect the package at our department.
The attachments are usually named:
These executables are Troj/Bredo-IG.
Troj/Bredo-IG copies itself to the Windows system folder, usually taking the name of a DLL that already exists in that directory. Troj/Bredo-IG also drops a <randomnum>.dat file in the Windows system folder.
Troj/Bredo-IG installs a service with a random name.
The ImagePath of the service points to the copy of Troj/Bredo-IG in the Windows system folder and passes the option "srv" to the executable (<Windows system folder>\randomname.exe srv).
The Start value of the service is 0x2 (Auto Load), and the service's Type value is 0x110.
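The service indicators above (an auto-start service whose ImagePath runs a system-folder executable with the lone argument "srv", Type 0x110, and an executable named after a DLL in the same folder) can be hunted for in an exported Services registry hive. The following is an added example for that check and is not code from the original post or from Sophos; it parses a simplified, constructed .reg-style listing rather than the live registry, and the system folder path, the DLL listing, the service name "vfkqzlmt" and the value data are all constructed for the sample.

```python
"""Hunt for the Troj/Bredo-IG service persistence pattern in a .reg-style listing.

Added example, not from the original writeup. Input is a simplified text export of
HKLM\SYSTEM\CurrentControlSet\Services (one key header per service, then
"Name"=dword:xxxxxxxx or "Name"="string" lines). A service is reported when at
least two of the three indicators from the writeup match.
"""
import re
from dataclasses import dataclass, field

SYSTEM_DIR = r"C:\Windows\System32"   # assumed Windows system folder for the sample
AUTO_START = 0x2                      # Start value reported in the writeup
SUSPECT_TYPE = 0x110                  # Type value reported in the writeup

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)
DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9a-f]{8})$', re.I)
STR_RE = re.compile(r'^"(\w+)"="(.*)"$')


@dataclass
class Service:
    name: str
    values: dict = field(default_factory=dict)


def parse_services(reg_text):
    """Return one Service per top-level Services\<name> key; subkeys are skipped."""
    services, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = Service(m.group(1)) if m else None  # None for subkeys such as \Parameters
            if current:
                services.append(current)
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            current.values[m.group(1)] = int(m.group(2), 16)
            continue
        m = STR_RE.match(line)
        if m:
            # .reg exports escape backslashes and quotes with a backslash.
            current.values[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return services


def split_image_path(image_path):
    """Separate the executable (possibly quoted) from its argument list."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        exe, rest = s[1:end], s[end + 1:]
    else:
        exe, _, rest = s.partition(" ")
    return exe, rest.split()


def suspicious_services(services, system_dir=SYSTEM_DIR, system_dlls=()):
    """Return [(service_name, [reasons])] for services matching >= 2 indicators."""
    dll_stems = {d.lower().rsplit(".", 1)[0] for d in system_dlls}
    prefix = system_dir.lower().rstrip("\\") + "\\"
    findings = []
    for svc in services:
        image = svc.values.get("ImagePath", "")
        if not image:
            continue
        exe, args = split_image_path(image)
        in_sysdir = exe.lower().startswith(prefix)
        stem = exe.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
        reasons = []
        if in_sysdir and [a.lower() for a in args] == ["srv"]:
            reasons.append("ImagePath runs a system-folder executable with the lone argument 'srv'")
        if svc.values.get("Start") == AUTO_START and svc.values.get("Type") == SUSPECT_TYPE:
            reasons.append("Start=0x2 with Type=0x110")
        if in_sysdir and exe.lower().endswith(".exe") and stem in dll_stems:
            reasons.append(f"executable '{stem}.exe' mirrors a DLL name in the same folder")
        if len(reasons) >= 2:
            findings.append((svc.name, reasons))
    return findings


# Constructed sample: one ordinary svchost-hosted service and one entry shaped like the writeup.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="C:\\Windows\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vfkqzlmt]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="C:\\Windows\\System32\\ntshrui.exe srv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vfkqzlmt\Parameters]
"ServiceDll"="C:\\Windows\\System32\\unrelated.dll"
'''
SAMPLE_DLLS = ("ntshrui.dll", "kernel32.dll")  # constructed listing of DLLs in the system folder


def scan_sample():
    return suspicious_services(parse_services(SAMPLE_REG), system_dlls=SAMPLE_DLLS)


if __name__ == "__main__":
    for name, reasons in scan_sample():
        print(name, "->", "; ".join(reasons))
```

On a real host the listing would come from a registry export of the Services key; the two-of-three threshold keeps a lone Type 0x110 service (legitimate interactive services exist on older Windows) from being reported on its own.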