Wednesday, March 16, 2011

Spamvertised FedEx Notifications Spread Malware

A currently ongoing spamvertised campaign is brand-jacking FedEx for malware serving purposes.

Sample attachments: FedEx letter.zip; FedEx letter.exe
Sample subject: FedEx notification #random number
Sample message: Dear customer. The parcel was sent your home address. And it will arrive within 7 business day. More information and the tracking number are attached in document below.

Thank you.
© FedEx 1995-2011


Detection rate: FedEx letter.exe - Trojan.FakeAV - Result: 24/ 43 (55.8%)
MD5   : 90bef5dff5809682249813fd63b67da4
SHA1  : 2418c01a30a19a2d76b693474a852092e3de4a32
SHA256: a38848786528d235b51fed3adf20050f5c1906d066e0282311b8bce37d8163a0

Phones back to AS30890 (EVOLVA Evolva Telecom s.r.l.)
94.63.244.56/lol2.exe
94.63.244.56/pod.exe


with 94.63.244.56/allftp.txt; 94.63.244.56/ftp/db_grab.txt hosting the sniffed FTP credentials.

Responding to 94.63.244.56 are d34ghqarfrgad.com and erherg34gsafwe.com, phone back URLs which we've seen from last week's spamvertised DHL Notifications campaigns, with the use of the IP best described as a desperate attempt to maintain a C&C infrastructure:
This post has been reproduced from Dancho Danchev's blog.

No comments:

Post a Comment