Over the past couple of days, cybercriminals have launched two consecutive malware campaigns impersonating DHL in an attempt to trick users into thinking that they’ve received a parcel delivery notification. The first campaign comes with a malicious attachment, whereas in the second, the actual malicious archive is located on a compromised domain.
More details:
Sample screenshot of the first spamvertised template:
Sample screenshot of the second spamvertised template:
Detection rate for the malicious executable:
MD5: 85f908a5bd0ada2d72d138e038aecc7d – detected by 12 out of 45 antivirus scanners as Backdoor.Win32.Androm.pta.
Once executed, it phones back to hxxp://seantit.ru/new/gate.php (67.174.162.23; 113.161.74.243; 5.175.142.32; 5.175.143.42; 202.180.52.3) and also downloads hxxp://seantit.ru/ya.exe (202.180.52.3) MD5: be52e7e38b9b467c51972cc841e7e487 – detected by 23 out of 46 antivirus scanners as Trojan:Win32/FakeSysdef.
Also responding to the same IP are the following domains, part of the campaign’s infrastructure:
seantit.ru (Name server: ns1.secrettappes.com – 209.140.18.37 – Email: calnroam2@yahoo.com; Name server: ns1.insectiore.net – 209.140.18.37 – Email: conaninfo@rocketmail.com) is also known to have responded to the following IPs:
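As an added example from the defender's side (not part of the original post), the following script turns the indicators above into a simple proxy-log check: it flags requests to the seantit.ru C&C domain or its resolving IPs and labels the gate.php beacon and the ya.exe download. The space-separated log format and the sample lines are constructed assumptions, not real logs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the post above: C&C host, beacon/download paths, resolving IPs.
CAMPAIGN_DOMAINS = {"seantit.ru"}
CAMPAIGN_IPS = {"67.174.162.23", "113.161.74.243", "5.175.142.32",
                "5.175.143.42", "202.180.52.3"}
CAMPAIGN_PATHS = {"/new/gate.php": "Androm C&C beacon", "/ya.exe": "FakeSysdef download"}

# Assumed log format (constructed): "<timestamp> <client_ip> <method> <url> <dst_ip>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
URL_RE = re.compile(r"^https?://([^/:]+)(?::\d+)?(/[^?\s]*)?")

@dataclass
class Alert:
    timestamp: str
    client: str
    reason: str

def host_matches(host: str) -> bool:
    """True if host is a campaign domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CAMPAIGN_DOMAINS)

def classify(line: str) -> Optional[Alert]:
    """Return an Alert for a log line that touches the campaign infrastructure, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, dst_ip = m.groups()
    u = URL_RE.match(url)
    host, path = (u.group(1), u.group(2) or "/") if u else ("", "/")
    reasons = []
    if host_matches(host):
        reasons.append(f"C&C domain {host}")
    if dst_ip in CAMPAIGN_IPS:
        reasons.append(f"C&C IP {dst_ip}")
    # A path like /ya.exe is too generic on its own; only label it once the host or IP matched.
    if reasons and path in CAMPAIGN_PATHS:
        reasons.append(CAMPAIGN_PATHS[path])
    return Alert(ts, client, "; ".join(reasons)) if reasons else None

def scan(lines: List[str]) -> List[Alert]:
    return [a for a in map(classify, lines) if a]

# Constructed sample log lines (not from the post); documentation-range IPs for benign hosts.
SAMPLE_LOG = """\
2013-03-05T10:01:02Z 10.0.0.15 GET http://www.example.com/index.html 198.51.100.7
2013-03-05T10:01:09Z 10.0.0.15 POST http://seantit.ru/new/gate.php 67.174.162.23
2013-03-05T10:01:11Z 10.0.0.15 GET http://seantit.ru/ya.exe 202.180.52.3
2013-03-05T10:02:00Z 10.0.0.22 GET http://cdn.example.net/ya.exe 203.0.113.9
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```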
Webroot SecureAnywhere users are proactively protected from this threat.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.