Tuesday, 26 March 2013

UPS spam / Label_8827712794.zip

This fake UPS spam has a malicious EXE-in-ZIP attachment:

Date:      Tue, 26 Mar 2013 20:54:54 +0600 [10:54:54 EDT]
From:      UPS Express Services [service-notification@ups.com]
Subject:      UPS - Your package is available for pickup ( Parcel 4HS287FD )

The courier company was not able to deliver your parcel by your address.

Cause: Error in shipping address.

You may pickup the parcel at our post office.

Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
UPS Logistics Services.

CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain
information intended for the exclusive use of the individual or entity to whom it is
addressed and may contain information belonging to the sender (UPS , Inc.) that is
proprietary, privileged, confidential and/or protected from disclosure under applicable
law. If you are not the intended recipient, you are hereby notified that any viewing,
copying, disclosure or distributions of this electronic message are violations of federal
law. Please notify the sender of any unintended recipients and delete the original
message without making any copies.  Thank You

The attachment Label_8827712794.zip contains a malicious binary called Label_8827712794.exe which has a VirusTotal score of just 6/46. ThreatExpert reports that the malware is a Pony downloader which tries to phone home to:
aseforum.ro (199.19.212.149 / Vexxhost, Canada)
23.localizetoday.com (192.81.131.18 / Linode, US)

Assuming that all domains on those are malicious, this is a partial blocklist:
192.81.131.18
199.19.212.149
aseforum.ro
htlounge.com
htlounge.net
topcancernews.com
23.localizetoday.com
23.localizedonline.com
23.localizedonline.net

No comments: