Cybercriminals are currently spamvertising millions of emails impersonating the United States Postal Service (USPS), in an attempt to trick end and corporate users into downloading and unpacking the malicious .zip attachment distributed by them.
What’s so special about this campaign? Where is the malicious sample phoning back to? Are there more malware samples that also phoned back to the same command control servers in the past? Let’s find out.
More details:
Screenshot of the spamvertised email:
The email contains the following attachment – Label_Details_USPS_Tracking_ID_RANDOM_NUMBER.zip. Once the user unpacks the archive, a malicious binary and a directory containing random strings and empty files will be extracted.
Sample directory created during the extraction process:
The malicious attachment with MD5: 004bc29fb8526239c6b874d117b11d91 is detected by 30 out of 41 antivirus scanners as Trojan-Dropper.Win32.Dapato.bmjq.
Upon execution the sample phones to the following URLs:
hxxp://bing.com/afyu/index.php?r=gate&gh=00cd1a40&group=1607spm&debug=0
hxxp://twitter.com/nygul/index.php?r=gate&ac=00cd1a40&group=1607spm&debug=0
hxxp://palmerlevelll1931.ru/forum/index.php?r=gate&id=00cd1a40&group=1607spm&debug=0 – 89.144.57.123
hxxp://bbc.com/efwgh/index.php?r=gate&cc=00cd1a40&group=1607spm&debug=0
hxxp://london-of10.ru/forum/index.php?r=gate&id=00cd1a40&group=1607spm&debug=0
hxxp://fb.com/dwrgh/index.php?r=gate&fg=00cd1a40&group=1607spm&debug=0
hxxp://chelseaof.ru/forum/index.php?r=gate&id=00cd1a40&group=1607spm&debug=0 – 213.152.180.178
hxxp://robinbobin20.ru/forum/index.php?r=gate&id=00cd1a40&group=1607spm&debug=0
hxxp://eetoko21.ru/forum/index.php?r=gate&id=00cd1a40&group=1607spm&debug=0
hxxp://casioworld2012.ru/forum/index.php?r=gate&id=00cd1a40&group=1607spm&debug=0
Responding to 89.144.57.123 are also the following domains and name servers:
ns1.london-of10.ru
ns2.london-of10.ru
london-of10.ru
ns1.chelseaof.ru
ns1.palmerlevelll1931.ru
ns2.palmerlevelll1931.ru
palmerlevelll1931.ru
Responding to 213.152.180.178 are the following domains and name servers:
ns1.ofalaskas14.ru
ns1.beaufortseaa139.ru
infopepsigoood.ru
ns1.amandalikeguarana.ru
ns1.coocislands2012.ru
krasguatanany.ru
myprotop2012a.ru
ns1.myprotop2012a.ru
ns1.quebecstreet2412.ru
ns1.chelseaof.ru
ns2.chelseaof.ru
chelseaof.ru
As you can see, the botnet masters have also included legitimate domains in an attempt to trick reputation filters into thinking that the malware-infected hosts is phoning back to trusted and malware-free domains such as Bing and Twitter. However, we can easily identify the malicious command and control domains based on their historical reputation. In this case, more malware samples are known to have phoned back to the same C&Cs.
MD5s phoning back to the same C&Cs:
MD5: c3918b5667a7a3bea2959039047fdfaf
MD5: 004bc29fb8526239c6b874d117b11d91
MD5: 9116386E4228661149012CA16B300D88
MD5: BD6B50EFDBFB5DC08703C8AE82AA6B95
MD5: 500E7334036546C02C5B2DDB03E27193
MD5: BFFA51DD9A204369E45361A462B212D3
MD5: 58CE52A7ACF7BC23803EC42FE03D00DB
MD5: DC7F2B047E77685BE17B068391BF5A50
MD5: C4E022090897A7CA19DE0937E1A8BC81
MD5: 74677ACA6D56D9E6B9508A9AE646816F
MD5: 82AB6B0F4F1158D8DEA1171FFA122FD3
MD5: 126AC8EDCCC57FB5B1501FB54BDB5CCF
MD5: CF1D2BB105EBCCDC289C9218B2BFB265
MD5: 2C3994C26DFEC1F72F4715AC7E4A2F27
MD5: 29C5C1A3B66D71AB29D08858191CEBD2
MD5: 223B14A2357F24EDAB719997A92823FE
MD5: E4F2189279831511557CF9A76D05F132
MD5: 4EF4E4D256A4552368C804A441052C32
MD5: BC05D01488E7DF64C229611FD482F834
MD5: B228D991BE856CE0D9913274389BDCBF
MD5: C59A0A7FFBDCDA3017E292E91931ADA6
MD5: 7866291F8E869715E11227D238C491AD
MD5: 5ED40C5D2BF889D09E4783F6AD31A9DF
MD5: 7871798A76291839D9FB8739E5F1594F
MD5: AB4329B2BDB9A3EF296D28097FF9220E
In case of a successful connection attempt, the dropper will download MD5: 4CD695410D4295BAC4C11222630CCB5E which then attempts to download more malware from the following C&C domains:
hxxp://112.121.178.189/api/urls/?ts=429a7200&affid=41100
hxxp://declapeoplestates.cu.cc/f/notepad.exe?ts=429a7200&affid=41100
It also creates MD5: F59BC3B180D193AE885839FF27A6E7C1; MD5: 72F956A478CA8E663855FE3859C58B9A and MD5: 5559D70188E0B0DCB317FCACC7EA490E on the infected hosts.
More MD5s are known to have phoned back to the same command and control servers:
MD5: D178C399211D8752FB8616F43C8998C6
MD5: 46B55D50D6002E4A988995683774C050
MD5: FD39D3B0E3C0DBAAECECDCEEB7CA9DE5
MD5: 9116386E4228661149012CA16B300D88
MD5: 3A30014259BF7225073DD6C31582C1EE
MD5: 2FC0D3733EDA39441561B399F4901A38
MD5: 8E9BB11D0B926872238E82C3571326ED
MD5: 80EC77BEEAFD1B85A62535D56A183894
MD5: FD912FA475DD7B1B82D5A2A8B22F095C
MD5: 4CD695410D4295BAC4C11222630CCB5E
MD5: BFED761761AE710ABC94F1EA4039527D
The last time we intercepted a malware-serving USPS themed spam campaign, was in March, 2012. Due to the popularity of the brand, we predict that cybercriminals will continue abusing it.
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.