
Monday 23 November 2015

Malware spam: "UKMail 988271023 tracking information" / no-reply@ukmail.com

NOTE:  as of 22nd January 2016, a new version of this spam email is in circulation, described here.

This fake delivery email does not come from UKMail but is instead a simple forgery with a malicious attachment:

From:    no-reply@ukmail.com
Date:    23 November 2015 at 11:06
Subject:    UKMail 988271023 tracking information

UKMail Info!
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.

Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
Where the law prevents such exclusion and implies conditions and warranties into this contract,
where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don't receive a package within 30 working days UKMail will charge you for it's keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.

Best regards,
UKMail

The attachment is named 988271023-PRCL.doc. So far I have come across three different versions of it (VirusTotal results [1] [2] [3]), each containing a malicious macro like this one [pastebin], which according to these Hybrid Analysis reports [4] [5] [6] downloads a malware binary from the following locations:

www.capodorlandoweb.it/u654g/76j5h4g.exe
xsnoiseccs.bigpondhosting.com/u654g/76j5h4g.exe
cr9090worldrecord.wz.cz/u654g/76j5h4g.exe


At the time of writing, this binary has a VirusTotal detection rate of 5/54. That VirusTotal report, together with this Hybrid Analysis report and this Malwr report, indicates malicious traffic to the following IPs:

157.252.245.32 (Trinity College Hartford, US)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
89.108.71.148 (Agava Ltd, Russia)
91.212.89.239 (UZINFOCOM, Uzbekistan)
89.189.174.19 (Sibirskie Seti, Russia)
122.151.73.216 (M2 Telecommunications, Australia)
37.128.132.96 (Memset Ltd, UK)
195.187.111.11 (SGGW, Poland)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
77.221.140.99 (Infobox.ru, Russia)
195.251.145.79 (University Of The Aegean, Greece)


The payload is likely to be the Dridex banking trojan.

MD5s:
37f025e70ee90e40589e7a3fd763817c
3e25ba0c709f1b9e399e228d302dd732
e6f1003e4572691493ab1845cb983417
5b6c01ea40acfb7dff4337710cf0a56c

Recommended blocklist:
157.252.245.32
89.32.145.12
89.108.71.148
91.212.89.239
89.189.174.19
122.151.73.216
37.128.132.96
195.187.111.11
37.99.146.27
77.221.140.99
195.251.145.79
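The indicators above (three download URLs, eleven IPs, four MD5s) are only useful if they are actually swept against something. The script below is an added example, not part of the original post: it loads the post's indicators and runs them over proxy and firewall log lines and over file hashes. The log formats and every log line are constructed here for illustration (a simple "timestamp client method URL status" proxy format and iptables-style "DST=" fields), as is the unlisted host in the third proxy line. It also goes one step beyond the post by treating the shared URI path /u654g/76j5h4g.exe as an indicator on its own, since all three download hosts use it and a fourth host in the same run would very likely reuse it.

```python
"""IOC sweep for the UKMail / Dridex spam run described in the post.

Added example code, not from the original post. Indicator values are
copied from the post; all log lines below are constructed for the demo.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the post.
DOWNLOAD_URLS = (
    "www.capodorlandoweb.it/u654g/76j5h4g.exe",
    "xsnoiseccs.bigpondhosting.com/u654g/76j5h4g.exe",
    "cr9090worldrecord.wz.cz/u654g/76j5h4g.exe",
)
C2_IPS = frozenset((
    "157.252.245.32", "89.32.145.12", "89.108.71.148", "91.212.89.239",
    "89.189.174.19", "122.151.73.216", "37.128.132.96", "195.187.111.11",
    "37.99.146.27", "77.221.140.99", "195.251.145.79",
))
MD5S = frozenset((
    "37f025e70ee90e40589e7a3fd763817c",
    "3e25ba0c709f1b9e399e228d302dd732",
    "e6f1003e4572691493ab1845cb983417",
    "5b6c01ea40acfb7dff4337710cf0a56c",
))

# Derived indicators (assumption made here, not stated in the post): the
# three download URLs share one path, so the path alone is worth matching
# to catch a fourth distribution host the post did not see.
DOWNLOAD_HOSTS = frozenset(urlsplit("//" + u).hostname for u in DOWNLOAD_URLS)
DOWNLOAD_PATH = "/u654g/76j5h4g.exe"


def proxy_hits(lines):
    """Return (line_no, reason) for lines whose URL hits a download host or the shared path.

    Assumed constructed line format: '<timestamp> <client> <method> <url> <status>'.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3]
        s = urlsplit(url if "://" in url else "//" + url)
        host = (s.hostname or "").lower()
        if host in DOWNLOAD_HOSTS:
            hits.append((n, f"download host {host}"))
        elif s.path == DOWNLOAD_PATH:
            hits.append((n, f"download path on unlisted host {host}"))
    return hits


def firewall_hits(lines):
    """Return (line_no, ip) for lines whose destination is on the post's blocklist.

    Assumed constructed format: iptables-style key=value fields with DST=<ip>.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"\bDST=(\S+)", line)
        if m and m.group(1) in C2_IPS:
            hits.append((n, m.group(1)))
    return hits


def md5_hit(digest_or_bytes):
    """True if a hex MD5 (any case) or the MD5 of the given bytes is one of the post's hashes."""
    if isinstance(digest_or_bytes, (bytes, bytearray)):
        digest = hashlib.md5(bytes(digest_or_bytes)).hexdigest()
    else:
        digest = digest_or_bytes.strip().lower()
    return digest in MD5S


# Constructed sample logs; none of these lines is real traffic.
PROXY_LOG = """\
2015-11-23T11:09:02Z 10.0.0.15 GET http://www.capodorlandoweb.it/u654g/76j5h4g.exe 200
2015-11-23T11:09:05Z 10.0.0.15 GET http://intranet.example/index.html 200
2015-11-23T11:10:41Z 10.0.0.22 GET http://other-host.example/u654g/76j5h4g.exe 404
2015-11-23T11:12:00Z 10.0.0.31 GET http://xsnoiseccs.bigpondhosting.com/u654g/76j5h4g.exe 200
""".splitlines()

FIREWALL_LOG = """\
Nov 23 11:09:30 gw kernel: FWOUT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=89.32.145.12 PROTO=TCP DPT=443
Nov 23 11:09:31 gw kernel: FWOUT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=203.0.113.7 PROTO=TCP DPT=80
Nov 23 11:09:35 gw kernel: FWOUT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=157.252.245.32 PROTO=TCP DPT=8443
""".splitlines()

if __name__ == "__main__":
    for n, why in proxy_hits(PROXY_LOG):
        print(f"proxy line {n}: {why}")
    for n, ip in firewall_hits(FIREWALL_LOG):
        print(f"firewall line {n}: blocklisted destination {ip}")
    print("hash check:", md5_hit("37F025E70EE90E40589E7A3FD763817C"))
```

Two caveats when using a list like this operationally. Several of the IPs sit in university and hosting ranges (Trinity College, SGGW, University of the Aegean, Memset), which is typical of compromised hosts pressed into service as proxies, so expect them to be cleaned up or rotated within days; the download URI path and the attachment hashes age better than the IPs. And the MD5 check is only as good as the sample set: the post lists four hashes for three document variants plus one binary, so a recompiled dropper will slip past it while still hitting the same path and IPs.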

17 comments:

Unknown said...

I have received the exact same email today. I have not opened it, of course, because I know what I have ordered, when I ordered it and who I ordered it from.

Going on to the genuine UKMAIL.COM website just out of curiosity double confirms that it is spam.

AS ALWAYS, IF YOU DON'T EXPECT ANY DELIVERIES, THEN MORE THAN LIKELY YOU'RE NOT GETTING ANYTHING OTHER THAN A HEADACHE IF YOU CLICK OR DOWNLOAD ANYTHING FROM THAT EMAIL.

gg said...

I also received the same email today, and fortunately it was in my Junk box; otherwise I would probably have opened it, as I am waiting on a couple of deliveries. It's so easily done....

I was lucky this time..gg

Unknown said...

We got this today posing as a spoofed HR@.com email, with a trojan XLS included. Some weak obfuscation techniques to obscure it from automated scanners. Looks like it's been passed around from the comments (yes, there are comments included in the macro...).


It connects to the URLs noted above, scans the system for drives, including mapped shares, and then downloads TrueCrypt from their website to execute the encryption.

Unknown said...

sorry, that was supposed to be: "HR@insert company here.com"

Unknown said...

I opened it online and nothing came up, stupid I know. I tried to download it and it just said it won't download it as it has a virus. Does this mean my computer is now infected, or is it okay?

Unknown said...

All of your documents would be gibberish if you had been infected. I think it's safe to say you're probably okay.

Unknown said...

Ah okay, thank you!

Sam Sharp said...

Oh dear! I stupidly downloaded and opened this twice just now. What should I do to protect my computer? Appreciate any advice. Thank you!

Kumar said...

I have received the same email today. I have opened the attachment on an iPhone 6. Is the iPhone affected?

Sam Sharp said...

Would Sophos software detect this? Do I actually need to do anything? I use a Mac.

Sam Sharp said...

And are all the passwords saved in Safari safe, or should I change them all? I don't think I clicked to enable anything... the xls file looked empty... but I am not sure if I was looking at it in a protected version.

Conrad Longmore said...

This downloads a Windows executable, so Macs and smartphones will not be impacted.

John Sommer said...

Got the same mail just now. Did not open the attachment. Will post this on my FB profile to prevent my friends from opening this mail. /John

brk said...

Unfortunately, I opened it today thinking that it was associated with the mail I am expecting. My PC is Windows. I scanned it with the ESET online scanner. It found some stuff called something like `potentially unwanted document` and deleted them. Then I scanned it again and it found the same type of threats, but fewer of them. I changed my passwords but I can't stop myself thinking about it. Any suggestions???

Unknown said...

I'm from Germany. I just got the same mail right now and wondered why I got mail from the UK. So fortunately I didn't open it. Should I change my password?

eve said...

Today I received the same e-mail with attachment. I have not opened.
I live in the Netherlands and have a Ziggo account.