Jan 2026: FAKE USPS NOTIFICATIONS
Threat Alert: FAKE USPS NOTIFICATIONS
- Threat actors impersonated the United States Postal Service (USPS) to trick victims into installing malware on their computers.
- Opening links within Certified Mail-themed email messages and following on-screen ClickFix instructions executes malicious code that installs the XWorm malware.
- XWorm is a type of remote access trojan (RAT) that gives attackers complete control over infected computers.
How is it used in the wild?
- Impersonated USPS Certified Mail communications claim the recipient’s address must be verified before a package from the U.S. Department of Labor can be delivered.
- Messages contained a fake image of a purported Certified Mail envelope, indicating that OSHA-related documents are enclosed.
- Buttons that contain URLs in the message body lead to a convincing but fake verification page.
- Recipients are instructed to input a series of ClickFix-style shortcut keys to pass a fake Turing test and access the delivery verification page. Following the prompt executes a series of PowerShell commands that lead to the download and execution of XWorm.
Key Action: Stay Alert!
- Go beyond surface clues. Familiar logos, branding, and names are not automatic indicators that an email or website is safe. Identify impersonation of legitimate organizations in emails by closely examining the headers and senders of unsolicited emails.
- Report ANY suspicious emails via Phish Alarm.
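
The header and sender check described above can be scripted. The following is an added example, not part of the original alert: it flags a message that carries USPS branding but fails basic sender checks. The function names, the list of legitimate USPS domains, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Assumption: domains the real Postal Service sends mail from.
USPS_DOMAINS = ("usps.com", "usps.gov")

def _domain(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def _is_usps(domain):
    return any(domain == d or domain.endswith("." + d) for d in USPS_DOMAINS)

def impersonation_findings(raw_message):
    """List the reasons a message claiming to be USPS looks spoofed."""
    msg = message_from_string(raw_message)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = _domain(msg.get("From"))
    findings = []
    # Branding in the display name or subject must match the sending domain.
    branding = f"{display} {msg.get('Subject', '')}"
    if re.search(r"\busps\b|postal service", branding, re.I) and not _is_usps(from_dom):
        findings.append(f"USPS branding but From domain is {from_dom!r}")
    # Replies and bounces routed to a different domain are a common spoofing sign.
    for name in ("Reply-To", "Return-Path"):
        dom = _domain(msg.get(name))
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom!r} differs from From")
    # The receiving server records SPF/DKIM/DMARC verdicts in this header.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for check in ("spf", "dkim", "dmarc"):
        if not re.search(rf"\b{check}=pass\b", auth):
            findings.append(f"{check} did not pass")
    return findings

# Constructed sample headers (not taken from a real message).
SAMPLE = """\
From: "USPS Certified Mail" <notice@mail-verify.example>
Reply-To: support@delivery-check.example
Return-Path: <bounce@mail-verify.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mail-verify.example; dkim=none; dmarc=fail header.from=mail-verify.example
Subject: Certified Mail: address verification required

(body omitted)
"""
```

Passing SPF, DKIM and DMARC only proves the message came from the domain in its headers, not that the domain belongs to USPS, so the branding-versus-domain check matters even when all three pass.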