A currently ongoing spam campaign is impersonating UPS in order to serve malware.
Sample subject: United Parcel Service notification
Sample attachments: UPSnotify.rar; UPSnotify.exe; UnitedParcelServicedocument.exe
Sample message: Dear customer.
The parcel was sent your home address. And it will arrive within 7 business day. More information and the tracking number are attached in document below. Thank you. © 1994-2011 United Parcel Service of America, Inc.
Detection rates:
UnitedParcelServicedocument.exe - Mal/Bredo-K - Result: 7/41 (17.1%)
MD5 : b60e95b42106989bc39e175efcc031db
SHA1 : 0fb63dff83db643c9ee42efe617bdd539a5ffb8f
SHA256: 65f14438c3154a74767131a427fbdc50c28a6cbcdcf47f3d418b92c4c168696a
UPS notify.exe - Mal/Bredo-K - Result: 17/40 (42.5%)
MD5 : cc040e69121bc19f23ef4a32dbb8a80e
SHA1 : da65b7b277540b88918076949a28e8307ad7e41a
SHA256: ef5f76e1b20c2083469fbe7e4de4ec9c06689ee105274b1a79c9cadbd23d54ae
Upon execution, the attachment downloads additional binaries from:
193.105.121.33/lol2.exe
193.105.121.33/pod.exe
193.105.121.33/spm.exe
Also resolving to 193.105.121.33 are undeardarling.com and undearhappydear.com, both registered to admin@undearhappydear.com.
Detection rates:
lol2.exe - Trojan.FakeAV!gen39 - Result: 14/43 (32.6%)
MD5 : 747431a2a4a29f1bfc136e674af99ad0
SHA1 : 8349fc3f5f299d0ca6473e748276ec2b50019330
SHA256: 6009e7f5cbc55e6acb060d9fb33a39a978168a32a0a8c6a24f201106056cc0db
pod.exe - Backdoor.Win32.Gbot!IK - Result: 33/42 (78.6%)
MD5 : f403afdbe4c4c859c8ab018a7ded694c
SHA1 : 1915a46cbb43fcaf8da90af95856d7524b24f129
SHA256: eddfff99df316669191be0b61a5ae06ee811bbd27110111e69cbd212881fa494
Upon execution, pod.exe phones back to:
healthylifenow.com - 208.109.223.193 - Email: HEALTHYLIFENOW.COM@domainsbyproxy.com
bigbeerclubonline.com - Email: contact@privacyprotect.org
zonetf.com - 96.9.169.85 - Email: janeob@126.com
spm.exe - W32.Pilleuz - Result: 10/42 (23.8%)
MD5 : de55498b9f9195f1733df62c7026cf5f
SHA1 : 5520c1220cdd03a64f9b782c2393697ebab154b9
SHA256: dc2a797e5be968f9d36d4510988fa242c042a3e315fb50a3f9325cae6a1d779d
Upon execution, spm.exe phones back to:
ponel.biz - 46.4.62.17 - Email: web_raskrutka@pochta.ru
itisformebaby.biz - 46.4.10.7; 88.198.46.151; 178.63.63.208 - Email: web_raskrutka@pochta.ru
gmail.com
yahoo.com
hotmail.com
As previously speculated, cybercriminals have started mixing legitimate sites into their C&C communication patterns (here gmail.com, yahoo.com and hotmail.com, contacted alongside the actual C&C hosts) in an attempt to undermine community efforts aimed at tracking their malicious activity. The practical consequence for anyone building blocklists from sandbox traffic is that a domain seen in a sample's network activity cannot be treated as malicious on that basis alone; the three webmail domains above are noise and should neither be blocked nor reported as indicators.
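To show how the indicators above are actually used, here is an added example (not code from the original post or its author) that matches the listed file hashes against file contents and the listed hosts and download paths against proxy/DNS log lines, while deliberately treating the webmail decoys as non-alerting. The hashes, IP addresses, domains and download paths are copied from the post; the log line format, the log lines themselves and the file bytes are constructed for illustration and are assumptions of this example, not data from the post.

```python
"""Added example, not from the original post: match the file hashes and
network indicators listed above against hashed file contents and a few
constructed proxy/DNS log lines. Hashes, IPs, domains and download paths
are copied from the post; log lines and file bytes are constructed here."""
import hashlib
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# (sample name, AV label, md5, sha1, sha256) as listed in the post
SAMPLES = [
    ("UnitedParcelServicedocument.exe", "Mal/Bredo-K",
     "b60e95b42106989bc39e175efcc031db",
     "0fb63dff83db643c9ee42efe617bdd539a5ffb8f",
     "65f14438c3154a74767131a427fbdc50c28a6cbcdcf47f3d418b92c4c168696a"),
    ("UPS notify.exe", "Mal/Bredo-K",
     "cc040e69121bc19f23ef4a32dbb8a80e",
     "da65b7b277540b88918076949a28e8307ad7e41a",
     "ef5f76e1b20c2083469fbe7e4de4ec9c06689ee105274b1a79c9cadbd23d54ae"),
    ("lol2.exe", "Trojan.FakeAV!gen39",
     "747431a2a4a29f1bfc136e674af99ad0",
     "8349fc3f5f299d0ca6473e748276ec2b50019330",
     "6009e7f5cbc55e6acb060d9fb33a39a978168a32a0a8c6a24f201106056cc0db"),
    ("pod.exe", "Backdoor.Win32.Gbot!IK",
     "f403afdbe4c4c859c8ab018a7ded694c",
     "1915a46cbb43fcaf8da90af95856d7524b24f129",
     "eddfff99df316669191be0b61a5ae06ee811bbd27110111e69cbd212881fa494"),
    ("spm.exe", "W32.Pilleuz",
     "de55498b9f9195f1733df62c7026cf5f",
     "5520c1220cdd03a64f9b782c2393697ebab154b9",
     "dc2a797e5be968f9d36d4510988fa242c042a3e315fb50a3f9325cae6a1d779d"),
]
# any of the three digests -> (sample name, AV label)
HASH_INDEX: Dict[str, Tuple[str, str]] = {
    h: (name, label) for name, label, *digests in SAMPLES for h in digests
}

DROPPER_HOST = "193.105.121.33"
DROPPER_PATHS = {"/lol2.exe", "/pod.exe", "/spm.exe"}
MALICIOUS_IPS = {DROPPER_HOST, "208.109.223.193", "96.9.169.85",
                 "46.4.62.17", "46.4.10.7", "88.198.46.151", "178.63.63.208"}
MALICIOUS_DOMAINS = {"undeardarling.com", "undearhappydear.com",
                     "healthylifenow.com", "bigbeerclubonline.com",
                     "zonetf.com", "ponel.biz", "itisformebaby.biz"}
# legitimate services spm.exe contacts as noise; a lookup here is not an alert
DECOY_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}


def lookup_hash(hexdigest: str) -> Optional[Tuple[str, str]]:
    """Return (sample name, AV label) if the digest is one listed in the post."""
    return HASH_INDEX.get(hexdigest.strip().lower())


def match_file(data: bytes) -> Optional[Tuple[str, str]]:
    """Hash file contents with md5, sha1 and sha256 and check all three."""
    for algo in ("md5", "sha1", "sha256"):
        hit = lookup_hash(hashlib.new(algo, data).hexdigest())
        if hit:
            return hit
    return None


def _in_domain_set(host: str, domains: set) -> bool:
    """True for the domain itself or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_request(kind: str, target: str) -> Optional[str]:
    """kind is 'GET' (target is a URL) or 'DNS' (target is a queried name).
    Returns a verdict string, or None for traffic that needs no alert."""
    if "://" in target:
        parsed = urlparse(target)
        host, path = parsed.hostname or "", parsed.path
    else:
        host, path = target, ""
    host = host.lower().rstrip(".")
    if _in_domain_set(host, DECOY_DOMAINS):
        return None                      # decoy beacon to a legitimate site
    if kind == "GET" and host == DROPPER_HOST and path in DROPPER_PATHS:
        return "dropper download"
    if host in MALICIOUS_IPS or _in_domain_set(host, MALICIOUS_DOMAINS):
        return "C&C contact"
    return None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Constructed line format: '<timestamp> <client> <GET|DNS> <target>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] not in ("GET", "DNS"):
            continue                     # not a line this scanner understands
        ts, client, kind, target = parts
        verdict = classify_request(kind, target)
        if verdict:
            hits.append({"time": ts, "client": client,
                         "target": target, "verdict": verdict})
    return hits


# Constructed log lines, not real telemetry.
SAMPLE_LOG = """\
2011-03-23T09:12:01 10.0.0.5 GET http://193.105.121.33/pod.exe
2011-03-23T09:12:02 10.0.0.5 DNS healthylifenow.com
2011-03-23T09:12:03 10.0.0.5 DNS gmail.com
2011-03-23T09:12:04 10.0.0.5 DNS www.itisformebaby.biz
2011-03-23T09:12:05 10.0.0.7 GET http://www.example.com/index.html
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Running it reports the pod.exe fetch from 193.105.121.33 as a dropper download and the lookups of healthylifenow.com and www.itisformebaby.biz as C&C contacts, while the gmail.com lookup produces nothing, which is the point of keeping the decoy domains in a separate allow-through set rather than simply leaving them out of the blocklist: a reviewer reading the output can see that the decoy was recognised and intentionally ignored.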
Related posts:
Spamvertised FedEx Notifications Spread Malware
Spamvertised DHL Notification Malware Campaign
More Spamvertised DHL Notifications Spread Malware
This post has been reproduced from Dancho Danchev's blog.
Wednesday, March 23, 2011
Spamvertised United Parcel Service notifications serve malware