At the end of October, a cybercriminal or group of cybercriminals launched three massive spam campaigns in an attempt to trick users into clicking on a deceptive link and downloading a malicious attachment. Upon execution, the malware phones back to the command and control servers operated by the party that launched it, allowing complete access to the infected PC.
This time they didn’t try impersonating USPS, UPS or DHL, but FedEx.
More details:
Sample screenshot of the spamvertised email:
Second screenshot of a sample spamvertised email, again, part of the same campaign:
Third screenshot of a sample spamvertised email used in the campaign:
Sample spamvertised compromised URLs participating in the campaign:
hxxp://www.daikychi.de/LTDVVFONLS.html
hxxp://www.brunobassettocarni.it/ZBQJPKZVFG.html
hxxp://panexpress.es/BFLYQUDUJI.html
hxxp://milrecados.com/SWVOXIGJEV.html
hxxp://watertaxis.mobi/APQTJNWNPV.html
hxxp://dhacdooyinka.com/WERGLIHRLG.html
hxxp://cantoncityutah.com/OXSJOVVYOE.html
hxxp://www.supporttechnologies.co.in/RNNDHDKSZT.html
hxxp://affiliate-erfolg.de/KQEZOOWAYE.html
hxxp://moebel-bergen.de/TGBSSWXALL.html
hxxp://thebusinessplus.com/MUTBQJADRE.html
hxxp://btv-bosseln.de/EJWFBEEBWI.html
hxxp://howardwindfarm.com/SYMUADLPDU.html
hxxp://atimbershop.com/GULSHSFCHM.html
hxxp://reenhaneck.narod.ru/RAPNCDDKMX.html
hxxp://mylauren.com/CCOSGTLVTA.html
Sample detection rate for the first sample: MD5: 0e2e1ef473bb731d462fb1c8b3dd7089 – detected by 35 out of 46 antivirus scanners as Trojan.Win32.Buzus.mruv
Upon execution, it phones back to the following URLs:
hxxp://91.121.90.80:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EDFF413C82D541
hxxp://84.40.69.119:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EDFF413C82D541
hxxp://211.172.112.7:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EDFF413C82D54
Sample detection rate for the second sample: MD5: ab25d6dbf9b041c0a7625f660cfa17aa – detected by 37 out of 46 antivirus scanners as Trojan-Dropper.Win32.Dapato.bxhg
Upon execution, it phones back to the following URLs:
hxxp://59.25.189.234:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EEF7413C82D541
hxxp://140.135.66.217:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EEF7413C82D541
hxxp://82.113.204.228:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EEF7413C82D541
hxxp://59.126.131.132:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EEF7413C82D541
None of these IPs currently has any domain resolving to it, with the exception of 59.126.131.132.
songwriter.tw currently resolves to 59.126.131.132 – Email: songwriter.tw@gmail.com
Record expires on 2019-06-12 (YYYY-MM-DD)
Record created on 2009-06-12 (YYYY-MM-DD)
The domain appears to belong to a legitimate Taiwanese songwriting company or individual, indicating that their server has been compromised and is currently being used as a command and control server.
Sample detection rate for the third sample: MD5: 252c797959273ff513d450f9af1d0242 – detected by 25 out of 46 antivirus scanners as TrojanDownloader:Win32/Kuluoz.B
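As an added defender-side example that is not part of the original post, the indicators listed above turned into detection logic in Python and run over a few constructed proxy log lines. The three MD5s and the seven check-in hosts are the ones the post lists; the two URL shape rules (a ten-capital-letter `.html` page at the site root, and a bare IP on port 8080 serving one long hex path segment) are generalised from those indicators and are an assumption about this campaign rather than something the post states, as is the `epoch client method url status` log format.

```python
import re
from typing import Optional

# Indicators copied from the post above; the hxxp:// defanging is undone so the
# strings match what a proxy or AV log actually records.
CAMPAIGN_MD5S = {
    "0e2e1ef473bb731d462fb1c8b3dd7089",  # Trojan.Win32.Buzus.mruv
    "ab25d6dbf9b041c0a7625f660cfa17aa",  # Trojan-Dropper.Win32.Dapato.bxhg
    "252c797959273ff513d450f9af1d0242",  # TrojanDownloader:Win32/Kuluoz.B
}
C2_HOSTS = {
    "91.121.90.80", "84.40.69.119", "211.172.112.7", "59.25.189.234",
    "140.135.66.217", "82.113.204.228", "59.126.131.132",
}

# Structural rules generalised from the listed URLs (an assumption about this
# campaign, not a statement from the post). They catch hosts the list misses.
LANDING_RE = re.compile(r"^https?://[^/\s]+/[A-Z]{10}\.html$")
C2_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3}):8080/[0-9A-Fa-f]{64,}$")


def classify_url(url: str) -> Optional[str]:
    """Return a verdict label for one requested URL, or None if it is clean."""
    m = C2_RE.match(url)
    if m:
        # A hit on known infrastructure is high confidence; the bare pattern
        # match is lower confidence but still worth an alert and a look.
        return "c2-known-host" if m.group(1) in C2_HOSTS else "c2-pattern"
    if LANDING_RE.match(url):
        return "landing-page"
    return None


def classify_hash(md5: str) -> Optional[str]:
    """Match an attachment hash against the three samples listed in the post."""
    return "known-sample" if md5.lower() in CAMPAIGN_MD5S else None


def scan_proxy_log(lines) -> list:
    """Parse 'epoch client method url status' lines (a constructed format) and
    return (client, url, verdict) for every line that hits an indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip it rather than abort the scan
        _, client, _, url, _ = parts[:5]
        verdict = classify_url(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


# Constructed proxy log: one landing-page click, one check-in to a listed C2,
# one check-in to an unlisted (RFC 5737) address of the same shape, two clean requests.
_CHECKIN = ("F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB78"
            "1E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97"
            "EDFF413C82D541")
SAMPLE_LOG = [
    "1351721001 10.0.0.15 GET http://www.daikychi.de/LTDVVFONLS.html 200",
    "1351721002 10.0.0.15 GET http://www.example.org/tracking/status.html 200",
    f"1351721040 10.0.0.15 GET http://91.121.90.80:8080/{_CHECKIN} 200",
    f"1351721050 10.0.0.22 GET http://203.0.113.9:8080/{'AB' * 40} 200",
    "1351721060 10.0.0.31 GET http://www.example.org/ 304",
]

if __name__ == "__main__":
    for client, url, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:14} {client:12} {url[:60]}")
```

The landing-page rule is the noisier of the two: a ten-capital-letter filename is unusual but not unique to this campaign, so treat that verdict as a lead to correlate with the mail gateway (FedEx-themed sender or subject) rather than as a block decision, while a check-in that hits a listed host is enough on its own to isolate the client.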
We’ll continue monitoring the developments of the campaign, and post updates as soon as new campaigns are launched.
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
Hello, I have another of their fake forms here
http://img43.imageshack.us/img43/5227/beznzvuglq.jpg
When you are so gullible that you click on the PRINT RECEIPT, it will take you in this case to a page
http://www.adrenalinjazzgarden.com/components/.t5onnq.php?receipt=843_636013586
and anybody in their clear mind must know this isn’t a Fed_Ex page.
Received a really poorly thought out version of this today. Mine didn’t even look legit; it was a poorly constructed table with a bright yellow background.