Sponsored by..

Monday 26 August 2013

UPS Spam / UPS Invoice 74458652.zip

This fake UPS invoice has a malicious attachment:

From:      "UPSBillingCenter@ups.com" [UPSBillingCenter@ups.com]
Subject:      Your UPS Invoice is Ready


New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center. Download the attachment. Invoice will be automatically shown by double click.
Attached is a file UPS Invoice 74458652 which in turn contains a file called UPS Invoice {DIGIT[8]}.exe  which presumably isn't meant to be named like that..

The VirusTotal detection rate is a so-so 18/46. The Malwr analysis is that this is a trojan downloader that attempts to download bad things from the following locations:
[donotclick]gordonpoint.org/forum/viewtopic.php
[donotclick]mierukaproject.jp/PjSE.exe
[donotclick]programcommunications.com/WZP3mMPV.exe
[donotclick]fclww.com/QdytJso0.exe
[donotclick]www.lajen.cz/tPT8oZTB.exe

The VirusTotal detection rate for the downloaded file is not great at just 9/46.

The domain gordonpoint.org is a hijacked GoDaddy domain on 74.207.229.45 (Linode, US) along with several other hijacked domains which are listed below in italics.

Recommended blocklist:
74.207.229.45
gordonpoint.org
hitechcreature.com
industryseeds.ca
infocreature.com
itanimal.com
itanimals.com
jngburgerjoint.ca
jngburgerjoint.com
johnmejalli.com

mierukaproject.jp
programcommunications.com
fclww.com
www.lajen.cz

No comments: