Showing posts with label FedEx.

Tuesday, 26 February 2013

FedEx spam loads malware


Received an email from (supposedly) FedEx today; it seems my parcel could not be delivered:

Print your receipt!

Mail details:
Subject: Shipping Information
Sender: stoiciu_ro01@uhost.ro
X-Originating-IP: 195.78.124.42
Content:
FedEx
Tracking ID: 1795-21492944
Date: Monday, 18 February 2013, 10:22 AM
Dear Client,
Your parcel has arrived at February 20.Courier was unable to deliver the parcel to you at 20 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013


The 'Print Receipt' button points to a filesharing website, where a ZIP file gets downloaded. Inside the ZIP is an EXE file with a neat little Word icon. When running the file:


Postal Receipt information

You get a Notepad file with some information. Is your name Mark Smith? No? Then you're infected. Is your name Mark Smith? Then you're infected anyway. 

Does this behaviour look familiar? Well noticed, we've seen this in a post from some months ago:

Gathered files. Contact me for a copy.

Some more details about the downloaded file:
Postal-Receipt.exe
MD5: d335b890e1bc260a259b994533333d02
VirusTotal Report
Anubis Report
ThreatExpert Report


The following file was dropped in the %appdata% folder:
ujfhmdlk.exe
MD5: d335b890e1bc260a259b994533333d02
VirusTotal Report
Anubis Report
ThreatExpert Report


The malware tries to connect to a list of IP addresses.


It performs the following GET request on port 8080, probably to download more malware (I was, however, unable to reproduce any additional droppers or system modifications):
/509A37A363A4A88C8B6BBD234F063B9CEE4072C470F04B0AB239C05FF89DA4B98D1E54BF77C0CD96CD8BC4004B3459C13194D0F9E0D64CF108A635F7468E817F408A20EF7149233F1356D2B3565F49





Conclusion
  • Don't click on any link(s) from unknown senders. In fact, don't even open mail from unknown senders.
  • Have you indeed ordered something? Check its status directly on the supplier's website.
  • Don't be fooled by Adobe or Word icons: the files are actually EXE files. You can enable an option in Windows so you are always sure of the file type being used:
    Enable Viewing of Filename Extensions for Known File Types
  • Install an antivirus and antimalware product and keep it up-to-date and running. In this case, the payload is at least 4 months old! This should be easily detected by your antivirus product.
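The mail details above contain the tell-tale signs a mail filter can score automatically: a brand named in the body, a sender domain that does not belong to that brand, and a "Print Receipt" link that leaves the brand's domain and fetches an archive. The following is an added example of such a triage (not code from the original post); the sample message is constructed to mirror the FedEx mail, with a placeholder link host, and the brand-to-domain table is an assumption.

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Impersonated brand -> domains its genuine mail and links use (assumption for this example).
BRAND_DOMAINS = {"fedex": {"fedex.com"}, "ups": {"ups.com"}}
RISKY_SUFFIXES = (".zip", ".exe", ".scr")

# Constructed sample modelled on the mail in the post; the link host is a placeholder.
SAMPLE = b"""From: FedEx <stoiciu_ro01@uhost.ro>
Subject: Shipping Information
X-Originating-IP: 195.78.124.42
Content-Type: text/html; charset=us-ascii

<p>FedEx Tracking ID: 1795-21492944</p>
<p>Dear Client, Your parcel has arrived at February 20.</p>
<p><a href="http://files.example/Postal-Receipt.zip">Print Receipt</a></p>
"""


def _in_domains(host, domains):
    """True if host is one of the given domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw):
    """Return (finding, detail) tuples for a raw RFC 822 message; empty list means nothing suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender_domain = msg["From"].addresses[0].domain
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = (str(msg["Subject"] or "") + " " + body).lower()
    mentioned = [b for b in BRAND_DOMAINS if b in text]
    expected = set().union(*(BRAND_DOMAINS[b] for b in mentioned))
    findings = []
    # A brand is named but the mail did not come from that brand's domain.
    if mentioned and not _in_domains(sender_domain, expected):
        findings.append(("brand_sender_mismatch", f"{mentioned} mentioned, sent from {sender_domain}"))
    for url in re.findall(r'href="([^"]+)"', body, flags=re.I):
        parsed = urlparse(url)
        # The call-to-action link points away from the brand's site (here: a file-sharing host).
        if mentioned and not _in_domains(parsed.hostname, expected):
            findings.append(("link_offsite", f"{url} is not under {sorted(expected)}"))
        # The link hands the user an archive or executable instead of a web page.
        if parsed.path.lower().endswith(RISKY_SUFFIXES):
            findings.append(("link_fetches_executable_or_archive", url))
    return findings
```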


    Friday, 2 September 2011

    Increase in malicious spam



    Rodel Mendrez from M86 Security labs has made an excellent post on a Massive Rise in Malicious Spam:

    http://labs.m86security.com/2011/08/massive-rise-in-malicious-spam/





    As he notes in his conclusion, "It seems spammers have returned from a holiday break and are enthusiastically back to work."





    So I decided to check whether I had received some spam as well. Jackpot ;-) !

    UPS notification

    Re: End of July Statement Required

    Your credit card has been blocked

    ACH Transfer Review

    Most of the files display a Word or PDF icon to trick the user into opening the file:

    Some examples of attachments, with their respective VirusTotal results:

    Invoice_08.17.2011_Collcod.exe
    MD5: cf0397bb622e4ed9dfdeb07fcbfa9687
    VirusTotal Report

    MasterCard_invoce_ID73284783275943.doc.exe
    MD5: 0b7eba77dd4bcea3c670c4a664e98778
    VirusTotal Report

    UPS_Document.exe
    MD5: 17f9148b130a94ab1f50030ebbf2415a
    VirusTotal Report

    form-62091.exe
    MD5: e18d8cb2a4264a3c559d7967b3c6ab99
    VirusTotal Report


    When opening any of these files, you can end up with rogueware.

    One example rogueware I got was "System Repair":

    System Repair rogueware

    The dropped file that launches the rogueware:

    pusk3.exe
    MD5: 27077c2058983bb76bd09cdad69f7bde
    Result: 36/44 (81.8%)
    VirusTotal Report
    ThreatExpert Report
    Anubis Report

    Conclusion

    The conclusion is pretty simple: do not open any attachments from unknown senders.

    If you happen to be infected with System Repair, you can for example use the guide on Bleepingcomputer:

    http://www.bleepingcomputer.com/virus-removal/remove-system-repair


    Wednesday, 16 March 2011

    FedEx notification #85645


    You might have read my previous blog post:

    This time it's FedEx that is the subject of a new and highly active spam campaign.

    I received different emails, all containing a notification that I can find more information about my package in the attachment. The subject of one of these mails was "FedEx notification #85645".

    They all have a different tracking number behind the #, but the content is always the exact same thing:

    Dear customer.

    The parcel was sent your home address.
    And it will arrive within 7 business day.

    More information and the tracking number are attached in document below.

    Thank you. © FedEx 1995-2011

    In all of these spam emails, you will find an attachment, which is named either
    FedEx letter.zip, FedEx notice.zip or document.zip.


    Document.exe attached to email


    Just like in the UPS spam campaign, an Adobe Acrobat icon is used to trick you. In fact this "Document" file is not a PDF file, but an executable which can infect your computer.
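Across the three posts the attachment trick is the same: an archive holding an executable that borrows a Word or Acrobat icon (Postal-Receipt.exe, Document.exe) or hides behind a double extension (MasterCard_invoce_ID73284783275943.doc.exe). The following is an added example, not code from the original posts, of how an analyst or mail gateway can triage such an archive by the bytes inside rather than the icon or name; the sample ZIP is constructed in memory with stub contents, so its MD5s do not match the hashes listed in the posts.

```python
import hashlib
import io
import zipfile

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXT = {".doc", ".docx", ".pdf", ".txt", ".rtf"}
# File-type magic bytes; the Windows PE header starts with "MZ" regardless of the file name or icon.
MAGIC = {b"MZ": "pe_executable", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole_document", b"PK\x03\x04": "zip_container"}


def sniff(head):
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def suffixes(name):
    """All dotted suffixes of the base name, lower-cased, e.g. ['.doc', '.exe']."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:]]


def triage_zip(data):
    """Return one dict per archive entry: name, md5 (for a VirusTotal lookup), sniffed type and flags."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            exts, kind, flags = suffixes(info.filename), sniff(content[:4]), []
            if kind == "pe_executable":
                flags.append("executable_content")
            # "invoice.doc.exe" shows as "invoice.doc" when Windows hides known extensions.
            if len(exts) >= 2 and exts[-1] in EXEC_EXT and exts[-2] in DOC_EXT:
                flags.append("double_extension")
            # A document extension on PE content: the icon and name lie about the type.
            if exts and exts[-1] in DOC_EXT and kind == "pe_executable":
                flags.append("extension_mismatch")
            rows.append({"name": info.filename, "md5": hashlib.md5(content).hexdigest(), "type": kind, "flags": flags})
    return rows


def build_sample():
    """Constructed ZIP: names taken from the posts, contents are harmless stubs, not real PE files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Postal-Receipt.exe", b"MZ" + b"\x00" * 62 + b"stub")
        zf.writestr("MasterCard_invoce_ID73284783275943.doc.exe", b"MZ\x90\x00stub")
        zf.writestr("Document.pdf", b"MZstub")  # executable bytes behind a PDF name
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%constructed benign sample\n")
    return buf.getvalue()
```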


    Document.exe
    Result: 15/43 (34.9%)
    MD5: 09410950dd80df3083ae87cf839643e2


    FedEx notice.exe
    Result: 31/43 (72.1%)
    MD5: 5fe59b88e60f000c7e437518cc6a6cfe
    ThreatExpert


    So far, the subject of these FedEx mails varies between these three:

    FedEx notification #[random number]
    FedEx Reminder – Invoice [random number]
    FedEx ticket #[random number]



    Conclusion

    You should never trust an email which has:

    - only a URL included in the message
    - an attachment that you need to open to view 'information'
    - crappy spelling and grammar if there is content in the message
    - been sent out to everyone in the sender's address book
    - been sent from an unknown sender
    - promises you can buy something for a very cheap price
    - No subject or strange subjects ( eg.: "0 enjoy yourself" )

    Never reply to this kind of email, but delete it immediately without opening it.

    If you have (unintentionally) downloaded a program and you are unsure about its intentions, you can always upload it to VirusTotal or other online virus scanners (VirScan, Jotti). Keep in mind that if a file is not detected by any engine, it is not necessarily clean!