Threat Actor Impersonates USPS to Deliver Backdoor Malware

The campaign is consistent with emerging tactics from bad actors to use increasingly sophisticated social engineering and spoofing to deliver malware.

A new threat actor has been found impersonating the U.S. Postal Service (USPS) and other government agencies to deliver and install backdoor malware at various organizations in Germany, Italy and the United States, according to new research.

The campaigns, which researchers from cybersecurity firm Proofpoint observed between Oct. 16 and Nov. 12, are consistent with emerging tactics from bad actors to use increasingly sophisticated social engineering and spoofing to deliver malware, researchers said. 

The threat actor sent malicious email messages “targeting no particular vertical but with recipients that were heavily weighted towards business and IT services, manufacturing and healthcare,” according to a blog post published Thursday by the Proofpoint Threat Insight Team unveiling the research.

The actors used different tools to deliver each of the country-specific campaigns, impersonating organizations that would be familiar to users in those countries to try to get victims to take the bait. 

Various lures included emails informing recipients of the urgent need to open documents to avoid tax penalties, or to view tax refunds with a deadline for processing, among others, researchers noted.

The first email campaigns turned up in Germany, where the actors impersonated the Bundeszentralamt für Steuern (the German Federal Ministry of Finance), using “lookalike domains, verbiage and stolen branding in the emails,” according to the post.

Another campaign impersonated a German internet service provider to try to lure German organizations to click on malicious attachments. 

For its German campaigns, the actor used commercial software, Cobalt Strike, in its attacks. The tool is generally used for penetration testing and emulates the type of backdoor framework used by Metasploit, a similar penetration testing tool, researchers said. 

Although this software is legitimately used, this is not the first time bad actors have used it for malicious purposes. Other threat actors, including Cobalt Group, APT32 and APT19, also have deployed and executed campaigns using it as malware. 

Attacks in Italy and the United States showed the threat actor using slightly different types of malware but still employing the impersonation tactic.

In its most recent campaign, observed on Tuesday, Nov. 12, the actor targeted organizations in the United States by attempting to deliver malicious Microsoft Word attachments that deployed the IcedID banking trojan on victims' machines.

This campaign was noticeably different from the previous European campaigns in that the actor chose a .com lookalike domain instead of the .icu domains the other campaigns used.

However, the campaign did show a hallmark of previous emails in that it delivered a malicious Microsoft Word attachment with a purported RSA SecurID key, similarly formatted to the one used in the European campaigns, researchers said.
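A defender-side triage check for the lookalike-domain tactic described above, written as an added example that is not part of the Proofpoint research or this article. The legitimate brand domains, the digit-substitution table and the sample From: headers are constructed assumptions; only the impersonated brands and the .icu TLD come from the article.

```python
import re

# Brands the article says were impersonated, mapped to the domain they would
# legitimately send from. These legitimate domains are assumptions for this
# example, not values taken from the article.
IMPERSONATED_BRANDS = {
    "usps": "usps.com",
    "bzst": "bzst.de",                          # Bundeszentralamt für Steuern
    "agenziaentrate": "agenziaentrate.gov.it",  # Agenzia delle Entrate
}
# TLD the article reports for the European campaigns' lookalike domains.
CAMPAIGN_TLDS = {"icu"}

# Digit-for-letter swaps commonly seen in lookalike labels (constructed list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Pulls the domain from "From: Name <user@domain>" lines; bare addresses
# without angle brackets are deliberately not handled here.
FROM_RE = re.compile(r"^From:[^\n]*?<[^@>\s]+@([^>\s]+)>", re.IGNORECASE | re.MULTILINE)


def classify_sender_domain(domain):
    """Return (verdict, detail) for one sender domain.

    verdict is 'legitimate', 'lookalike' or 'unknown'; detail names the
    brand involved and, for lookalikes, whether the TLD is the campaign's."""
    domain = domain.lower().rstrip(".")
    tld = domain.rsplit(".", 1)[-1]
    for brand, legit in IMPERSONATED_BRANDS.items():
        if domain == legit or domain.endswith("." + legit):
            return "legitimate", brand
    # Collapse separators and undo digit swaps before matching, so that
    # "bz5t-finanzamt.icu" is still recognised as containing "bzst".
    squashed = re.sub(r"[.-]", "", domain).translate(HOMOGLYPHS)
    for brand in IMPERSONATED_BRANDS:
        if brand in squashed:
            tld_note = "campaign TLD" if tld in CAMPAIGN_TLDS else f".{tld}"
            return "lookalike", f"{brand} ({tld_note})"
    return "unknown", ""


def triage_mail(raw_headers):
    """Map every From: sender domain in a raw header block to its verdict."""
    return {d: classify_sender_domain(d) for d in FROM_RE.findall(raw_headers)}


# Constructed sample headers in the style of the campaigns the article describes.
SAMPLE_HEADERS = """\
From: "USPS Delivery" <noreply@usps-tracking.icu>
Subject: Your parcel could not be delivered
From: Bundeszentralamt fuer Steuern <steuer@bz5t-finanzamt.icu>
From: USPS Informed Delivery <no-reply@mail.usps.com>
From: Agenzia delle Entrate <servizio@agenzia-entrate.com>
"""
```

Running `triage_mail(SAMPLE_HEADERS)` flags the three imitation senders and passes the genuine subdomain; a short brand keyword can collide with an unrelated domain, so an allowlist of known-good senders belongs in front of this check in production.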

Researchers also observed the actor distributing Maze ransomware, employing similar social-engineering techniques that it uses for Cobalt Strike, while targeting organizations in Italy by impersonating the Agenzia Delle Entrate, the Italian Revenue Agency.  

Overall, the newly observed activity is evidence of a growing trend that Proofpoint and other security teams already have seen, in which email-based attacks are becoming more socially savvy, researchers said.

“The increasing sophistication of these lures mirrors improved social engineering and a focus on effectiveness over quantity appearing in many campaigns globally across the email threat landscape,” Proofpoint researchers wrote.

  • Sorry Providingthisisbadsecurityops on

    Please get rid of the auto play videos. They are annoying, and, will likely lead many including myself to stop reading your site.
  • I am not putting my email in! on

    I'm definitely seeing an uptick in untargeted (fake) UPS/Fedex spams trying to get clicks, including mobile txt attempts. Thankfully I have a 'really' dumb phone that has no idea what the http internet is, and I block HTML in my email clients by default, along with remote images and everything else. As a result, I am not being enticed to buy anything by email spam campaigns with flashy impulse-click-me images, and though Alibaba and Amazon might lose a nickel wagering on my next potential purchase habit, I'm also avoiding 99% of likely phishing possibilities. I guess the question is... why do enterprise/fortune grade orgs still allow (and depend on!) barely-sanitized public email? It's infrastructure built on quicksand in every direction. Why do we do this to ourselves, because everyone else does? Isn't that really it? Rubes of convenience, convincing each other to be easy marks because... #marketing goal? (Alright, so it's a rant now.)
  • Anonymous on

    I wish pics were allowed. I received an email stating that I had ordered a service for a T-10 Firewall (300 to 500 online) and Windows DEFENDER (included in Windows 10) for a reoccurring price of $1549.99 USD. They want you to take the bait so their Specialists can undo nothing and again your data. Nice try sucker.....BEWARE people
  • Paul on

    How is this new? I have been getting fake USPS/UPS emails with questionable attachments for at least five years. Maybe it's more sophisticated looking now, but it is by no means a new attack strategy.