Tuesday, February 26, 2013

FedEx spam loads malware


Received an email from (supposedly) FedEx today, seems my parcel was unable to be delivered:

Print your receipt!
Mail details:
Subject: Shipping Information
Sender: stoiciu_ro01@uhost.ro
X-Originating-IP: 195.78.124.42
Content:
FedEx
Tracking ID: 1795-21492944
Date: Monday, 18 February 2013, 10:22 AM
Dear Client,
Your parcel has arrived at February 20.Courier was unable to deliver the parcel to you at 20 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt  
Best Regards, The FedEx Team.
FedEx 1995-2013


The 'Print Receipt' button points to a file-sharing website from which a ZIP file is downloaded. Inside the ZIP is an EXE file with a neat little Word icon. When running the file:


Postal Receipt  information
You get a Notepad file with some information. Is your name Mark Smith? No? Then you're infected. Is your name Mark Smith? Then you're infected anyway. 
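As an added check (not part of the original post), the Python below does what the victim's eyes cannot: it opens a ZIP archive and flags any member that is a PE executable by its MZ/PE headers, whatever icon or name it carries, plus the classic "Receipt.doc.exe" double extension. The archive and the "PE" inside it are constructed stand-ins built in memory, not the Postal-Receipt.exe sample described above.

```python
import hashlib
import io
import struct
import zipfile

# Extensions Explorer will execute on double-click. With "hide extensions for
# known file types" on (the Windows default), the victim only sees the icon.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".txt", ".xls", ".rtf"}


def is_pe(data: bytes) -> bool:
    """True if data has an MZ DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def inspect_zip(zip_bytes: bytes):
    """Return (member name, md5, reasons) for every member that looks like a dropper."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            pe = is_pe(data)
            reasons = []
            if pe:
                reasons.append("PE executable")            # content check, icon-independent
            if ext in EXECUTABLE_EXTENSIONS and len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append("double extension")         # e.g. receipt.doc.exe
            if pe and ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE with non-executable extension")
            if reasons:
                findings.append((info.filename, hashlib.md5(data).hexdigest(), reasons))
    return findings


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE file: DOS header with e_lfanew = 0x40, then 'PE\\0\\0'.
    Not a runnable program, only enough structure for is_pe() to recognise it."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_zip() -> bytes:
    """Constructed archive resembling the one in the post (not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Postal-Receipt.exe", build_fake_pe())      # the case from the post
        zf.writestr("Postal-Receipt.doc.exe", build_fake_pe())  # double extension variant
        zf.writestr("Receipt.pdf", build_fake_pe())             # PE hiding behind a document name
        zf.writestr("readme.txt", b"Dear Client, print this receipt.")  # benign
    return buf.getvalue()


if __name__ == "__main__":
    for name, md5, reasons in inspect_zip(build_sample_zip()):
        print(f"{name}: {md5} ({', '.join(reasons)})")
```

The MD5 printed for each flagged member can be compared against the hashes listed further down or submitted to VirusTotal; the content check is the important part, since a Word icon is just a resource in the EXE and says nothing about what the file is.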

Does this behaviour look familiar? Well noticed, we've seen this in a post from some months ago:
Gathered files. Contact me for a copy.
Some more details about the downloaded file:
Postal-Receipt.exe
MD5: d335b890e1bc260a259b994533333d02
VirusTotal Report
Anubis Report
ThreatExpert Report


The following file was dropped in the %appdata% folder (same MD5 as the download: the dropper copies itself under a different name):
ujfhmdlk.exe
MD5: d335b890e1bc260a259b994533333d02
VirusTotal Report
Anubis Report
ThreatExpert Report


The malware tries to connect to the following IPs:

46.105.143.110
50.115.116.201
74.117.61.123
77.79.81.166
81.93.248.152
87.106.51.52
91.121.140.40
91.121.28.146
93.125.30.232
95.140.203.241
109.235.252.2
118.97.15.13
122.155.18.53
149.62.168.76
188.165.205.46
190.111.176.13
190.111.176
202.153.132.24
213.229.106.32
217.11.63.194
It then performs the following GET request on port 8080, probably to download more malware (I was however unable to reproduce any additional droppers or system modifications):
/509A37A363A4A88C8B6BBD234F063B9CEE4072C470F04B0AB239C05FF89DA4B98D1E54BF77C0CD96CD8BC4004B3459C13194D0F9E0D64CF108A635F7468E817F408A20EF7149233F1356D2B3565F49
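As an added detection example (not part of the original post), the Python below turns the indicators above into a proxy-log check: it matches destinations against the IP list and flags port-8080 requests whose path is one long run of upper-case hex, the shape of the GET above. The log lines are constructed in Squid's native access.log layout; the 203.0.113.7 and 198.51.100.20 destinations are TEST-NET addresses used for the sample, not real infrastructure. The truncated "190.111.176" entry from the list is left out because it is not a complete address.

```python
import re
from urllib.parse import urlparse

# Addresses listed in the post as contacted by the malware.
C2_IPS = {
    "46.105.143.110", "50.115.116.201", "74.117.61.123", "77.79.81.166",
    "81.93.248.152", "87.106.51.52", "91.121.140.40", "91.121.28.146",
    "93.125.30.232", "95.140.203.241", "109.235.252.2", "118.97.15.13",
    "122.155.18.53", "149.62.168.76", "188.165.205.46", "190.111.176.13",
    "202.153.132.24", "213.229.106.32", "217.11.63.194",
}

# Check-in URI: a single long run of upper-case hex, no file name, no query string.
HEX_PATH = re.compile(r"^/[0-9A-F]{64,}$")

# Squid native access.log:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)\s+\S+$"
)

# Constructed sample log (not captured traffic). Line 1 uses the request path from the post.
SAMPLE_LOG = """\
1361866921.103    412 10.0.0.15 TCP_MISS/200 1034 GET http://91.121.28.146:8080/509A37A363A4A88C8B6BBD234F063B9CEE4072C470F04B0AB239C05FF89DA4B98D1E54BF77C0CD96CD8BC4004B3459C13194D0F9E0D64CF108A635F7468E817F408A20EF7149233F1356D2B3565F49 - DIRECT/91.121.28.146 text/html
1361866925.551     88 10.0.0.15 TCP_MISS/200 5120 GET http://www.example.com/Tracking?tracknumbers=1795 - DIRECT/198.51.100.20 text/html
1361866930.002   1200 10.0.0.22 TCP_MISS/200 2048 GET http://203.0.113.7:8080/ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF - DIRECT/203.0.113.7 application/octet-stream
1361866933.771     50 10.0.0.31 TCP_HIT/200 8192 GET http://example.org:8080/index.html - DIRECT/198.51.100.20 text/html
"""


def classify(line: str):
    """Return (client, destination host, reasons) for a suspicious line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    host = url.hostname or ""
    port = url.port or (443 if url.scheme == "https" else 80)
    reasons = []
    if host in C2_IPS:
        reasons.append("known C2 address")
    if port == 8080 and HEX_PATH.match(url.path):
        reasons.append("hex check-in path on 8080")
    return (m["client"], host, reasons) if reasons else None


def scan(log_text: str):
    """Run classify() over every line and keep the hits."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for client, host, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

The third sample line shows why the path pattern matters: the same beacon to an address that is not on the list (new C2 hosts rotate faster than IP lists) is still caught by its shape, while ordinary port-8080 traffic to /index.html is not.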
Conclusion
  • Don't click on any link(s) from unknown senders. In fact, don't even open mail from unknown senders.
  • Have you indeed ordered something? Check its status directly on the supplier's website, not via a link in the mail.
  • Don't be fooled by Adobe or Word icons: these are actually EXE files. Enable the display of file extensions in Windows (registry value HideFileExt = 0 under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced) so you can always see the real filetype:
    Enable Viewing of Filename Extensions for Known File Types
  • Install an antivirus and antimalware product and keep it up-to-date and running. In this case, the payload is at least 4 months old! This should be easily detected by your antivirus product.


2 comments:

  1. I've seen a lot of these come to my webmaster@ account. The malware seems to be hosted on compromised Joomla servers within the /components directory (in a "hidden" . directory)

    1. Happens quite a lot, not only with Joomla but also Wordpress and other popular CMS systems.

      Thanks for your comment!
