Sponsored by..

Showing posts with label FedEx. Show all posts
Showing posts with label FedEx. Show all posts

Tuesday 2 August 2016

Malware spam: "Unable to deliver your item, #000179376" / "FedEx International Ground" leads to ransomware

This fake FedEx email has a malicious attachment.

From:    FedEx International Ground [terry.mcnamara@luxmap.com]
Date:    2 August 2016 at 18:53
Subject:    [REDACTED], Unable to deliver your item, #000179376

Dear [Redacted],

This is to confirm that one or more of your parcels has been shipped.
Please, open email attachment to print shipment label.

Thanks and best regards,
Terry Mcnamara,
Support Manager.
Attached is a ZIP file FedEx_ID_000179376.zip which contains a malicious script FedEx_ID_000179376.doc.js which is highly obfuscated but which becomes clearer when deobfuscated. This Hybrid Analysis on the sample shows that the script downloads ransomware from opros.mskobr.ru but a quick examination of the code reveals several download locations:

opros.mskobr.ru
alacahukuk.com
www.ortoservis.ru
aksoypansiyon.com
samurkasgrup.com


Three of those domains are on the same IP (77.245.148.51), so we can assume that the server is completely compromised. If we extend that principle to the other servers then you might want to block traffic to:

195.208.64.20 (ROSNIIROS, Russia)
77.245.148.51 (Bilisim Teknolojileri Yazilim San. Tic. Ltd. Sti., Turkey)
5.101.153.32 (Beget Ltd, Russia)


A couple of binaries are dropped onto the system, a.exe (detection rate 2/53) [may not be malicious] and a2.exe (detection rate 7/53).

The payload seems to be Nemucod / Crypted or some related ransomware.

Recommended blocklist:
195.208.64.20
77.245.148.51
5.101.153.32



Tuesday 8 March 2016

Malware spam: "Samson Floyd agent Fedex" / "FeDex-service"

This fake FedEx spam has a malicious attachment:

From:    FeDex-service
Date:    8 March 2016 at 11:40
Subject:    Samson Floyd agent Fedex

Dear [redacted],
We attempted to deliver your item on March 07th, 2016, 11:40 AM.
The delivery attempt failed because the address was business closed or
nobody could sign for it. To pick up the parcel,please, print the receipt
that is attached to this email and visit Fedex office indicated in the
invoice. If the package is not picked up within 48 hours, it will be returned
to the shipper.

Label: US45928402845
Expected Delivery Date: March 07th, 2016
Class: International Package Service
Service(s): Delivery Confirmation
Status: Notification sent

Thank you for choosing our service

Attached is a RAR archive file in this case named US45928460284.rar containing in turn a malicious script US45928460284.js which is rather curious [pastebin]. This attempts to download an executable from:

www.fotoleonia.it/files/sample.exe

This has a VirusTotal detection rate of 4/54. The Malwr report shows a subsequent download from:

www.claudiocalaprice.com/modules/fedex/pad.exe

This has similar detections to the first binary.  That Malwr report also indicates the binary POSTing data to:

pdf.repack.bike/new_and/state.php

This is hosted on:

151.80.76.200 (Kitdos, US / OVH, France)

I would suggest that the entire 151.80.76.200/29 range is questionable and should be blocked.

None of the automated tools I ran [1] [2] [3] [4] gave any insight as to what the malware does, but it is clearly something malicious.


Thursday 5 February 2015

Malware spam: "Unable to deliver your item, #000022074" / "FedEx 2Day A.M"

This fake FedEx spam has a malicious script attached.

From:    FedEx 2Day A.M.
Date:    5 February 2015 at 15:01
Subject:    PETRO, Unable to deliver your item, #0000220741

FedEx ®
Dear Petro,

We could not deliver your item.
You can review complete details of your order in the find attached.

Yours sincerely,
Marion Bacon,
Delivery Manager.
(C) 2014 FedEx. The content of this message is protected by copyright and trademark laws. All rights reserved.
Attached is a file FedEx_0000220741.zip which contains a malicious javascript which is highly obfuscated [pastebin] but it is a bit clearer when deobfuscated [pastebin]. This script has a moderate detection rate of 9/56, and downloads a file from:
http://freesmsmantra.com/document.php?id=5451565E140110160B0824140110160B08000D160107104A070B09&rnd=3252631
Which is saved as %TEMP%\11827407.exe. This has a low detection rate of 3/56. Automated analysis tools [1] [2] [3] don't give much of a clue as it has been hardened against analysis.

UPDATE: This tweet gives a bit more insight into the malware..
The malware dropped seems to be Boaxxe/miuref: ET TROJAN Miuref/Boaxxe Checkin {TCP} -> 91.231.87.90:80
So, I would definitely recommend blocking 91.231.87.90 and also the domain coldserv24.com which is hosted on that server and may be malicious.


xxx

Wednesday 12 February 2014

"Track shipments/FedEx" spam

This fake FedEx spam leads to malware:

Date:      Wed, 12 Feb 2014 07:53:36 -0700 [09:53:36 EST]
From:      FedEx [yama@rickyz.jp]
Subject:      Track shipments/FedEx 7487214609167750150131 results: Delivered

Track shipments/FedEx Office orders summary results:
-----------------------------------------------------------------------
Tracking number        Status              Date/Time
7487214609167750150131  Delivered           Feb 11, 2014     
                                           11:20 AM     

Track shipments/FedEx Office orders detailed results:
-----------------------------------------------------------------------
Tracking number       7487214609167750150131

Reference             304562545939440100902500000000
Ship date             Feb 03, 2014
Ship From           NEW YORK, NY
Delivery date         Feb 11, 2014 11:20 AM
Service type          FedEx SmartPost

Tracking results as of Feb 11, 2014 3:37 PM CST


Click Here and get Travel History
-----------------------------------------------------------------------


Disclaimer
-----------------------------------------------------------------------

FedEx has not validated the authenticity of any email address.

In this case, the link in the email goes to [donotclick]pceninternet.net/tracking.php?id_7487214609167750150131 which downloads an archive file track_shipments_FedEx.zip.


In turn, this ZIP file contains the malicious executable with the lovely name of Track_shipments_FedEx_Office_orders_summary_results_Delivered_tracking_number_9384758293431234834312_idju2f83f9hjv78fh7899382r7f9sdh8wf.doc.exe
which has an icon that makes it look like a Word document. This has a VirusTotal detection rate of 15/49, but automated analysis tools are inconclusive as to its payload [1] [2] [3].




Tuesday 17 September 2013

FedEx spam FAIL

This fake FedEx spam is presumably meant to have a malicious payload:

Date:      Tue, 17 Sep 2013 13:02:25 +0000 [09:02:25 EDT]
From:      webteam@virginmedia.com
Subject:      Your Rewards Order Has Shipped
Headers:      Show All Headers           
                   
This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped separately.            
                   
You can review complete details of your order on the Order History page            
                   
Thanks for choosing FedEx.            
                       
Order Confirmation Number: 0410493
Order Date: 09/15/2013            
                       
Redemption Item     Quantity     Tracking Number            
Paper, Document    16    <          

fedex.com     Follow FedEx:        
                                   
You may receive separate e-mails with tracking information for reward ordered.    

My FedEx Rewards may be modified or terminated at any time without notice. Rewards points available for qualifying purchases and certain exclusions apply. For details and a complete listing of eligible products and services please read My FedEx Rewards Terms and Conditions .    

©2012 FedEx. The content of this message is protected by copyright and trademark laws under U.S. and international law. Review our privacy policy . All rights reserved



Presumably there is meant to be a malicious link or attachment, but there isn't. However, the bad guys will probably use the same template again with a WORKING payload, so please take care.

Wednesday 12 June 2013

Fedex spam / oxfordxtg.net

This fake FedEx spam leads to malware on oxfordxtg.net:

Date:      Thu, 13 Jun 2013 01:18:09 +0800 [13:18:09 EDT]
From:      FedEx [wringsn052@emc.fedex.com]
Subject:      Your Fedex invoice is ready to be paid now.

FedEx(R)     FedEx Billing Online - Ready for Payment

        fedex.com        
       
Hello [redacted]
You have a new outstanding invoice(s) from FedEx that is ready for payment.

The following ivoice(s) are to be paid now :

Invoice Number
 5135-13792

To pay or review these invoices, please sign in to your FedEx Billing Online account by clicking on this link: http://www.fedex.com/us/account/fbo

Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http://www.fedex.com/us/account/fbo

Thank you,
Revenue Services
FedEx


    This message has been sent by an auto responder system. Please do not reply to this message.

The content of this message is protected by copyright and trademark laws under U.S. and international law.
Review our privacy policy. All rights reserved.

The link in the email goes through a legitimate hacked site and ends up on a malware payload page at [donotclick]oxfordxtg.net/news/absence_modern-doe_byte.php (report here) hosted on:

124.42.68.12 (Langfang University, China)
190.93.23.10 (Greendot, Trinidad and Tobago)

The following partial blocklist covers these two IPs, but I recommend you also apply this larger blocklist of related sites as well.
124.42.68.12
190.93.23.10
biati.net
condalinneuwu5.ru
condalnuas34637.ru
condalnuashyochetto.ru
cunitarsiksepj.ru
eheranskietpj.ru
ejoingrespubldpl.ru
gnunirotniviepj.ru
gstoryofmygame.ru
icensol.net
janefgort.net
jetaqua.com
klosotro9.net
mortolkr4.com
myhispress.com
nipiel.com
onlinedatingblueprint.net
oxfordxtg.net
oydahrenlitutskazata.ru
pnpnews.net
smartsecurityapp2013.com
trleaart.net
twintrade.net
usforclosedhomes.net


Friday 25 January 2013

FedEx spam / vespaboise.net

This fake FedEx spam leads to malware on vespaboise.net:


Date:      Fri, 25 Jan 2013 15:39:33 +0200
From:      services@fedex.com
Subject:      FedEx Billing - Bill Prepared to be Paid

    FedEx Billing - Bill Prepared to be Paid
        fedex.com        
       
[redacted]

You have a new invoice(s) from FedEx that is prepared for discharge.

The following invoice(s) are ready for your overview:

Invoice Number
   
Invoice Amount
2-649-22849
   
49.81
1-181-19580
   
257.40

To pay or overview these invoices, please log in to your FedEx Billing Online account proceeding this link: http://www.fedex.com/us/account/fbo

Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http://www.fedex.com/us/account/fbo


Thank you,

Revenue Services

FedEx

Please Not try to reply to this message. auto informer system cannot accept incoming mail.

The content of this message is protected by copyright and trademark laws under U.S. and international law.

review our privacy policy . All rights reserved.

The malicious payload is at [donotclick]vespaboise.net/detects/invoice_overview.php which is on the very familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea) which has been used in several recent attacks.. blocking it would be prudent.

Friday 7 September 2012

FedEx spam / dushare.net and gsigallery.net

Two fake FedEx campaigns today, with a format similar to the one found here but with different payload sites of dushare.net and gsigallery.net

In the first case, the malicious payload is at [donotclick]dushare.net/main.php?page=c82ec1c8d6998cf0 (report here) hosted on 203.91.113.6 (G Mobile, Mongolia). In the second case the payload is at [donotclick]gsigallery.net/main.php?page=2bfd5695763b6536 (report here) also hosted on 203.91.113.6.

The following domains are on the same server and should also be treated as being suspect.

padded.pl
spiki.pl
fruno.pl
nextbox.pl
omariosca.com
hemiga.com
decorera.com
seneesamj.com
obweesysho.com
unitmusiceditior.com
likenstendarts.com
flatbuzz.com
morepic.net
atfood.ru
indyware.ru
advia.kz
iowa.kz
autumn.kz
wet.kz
dushare.net
gsigallery.net

FedEx spam / studiomonahan.net

This somewhat mangled looking fake FedEx spam leads to malware on studiomonahan.net:


Date:      Thu, 6 Sep 2012 11:00:28 -0600
From:      BillingOnline@fedex.com
Subject:      Your Fedex invoice is ready to be paid now.

       
    FedEx Billing Online - Ready for Payment

        fedex.com        
       

<td wid="th="10"" rowspan="2">

Hello [redacted]
You have a new not paid bill from FedEx that is ready for payment.

The following ivoice(s) are ready for your review :

<table border-top="1px solid #000" solid="" #000"="" border-left="1px solid #ccc" border="-bottom="1px" height="55" width="473">
<td= class="resultstableheader">
Invoice Number
7215-17193


To pay or review these invoices, please sign in to your FedEx Billing Online account by clicking on this link: http://www.fedex.com/us/account/fbo

Note: Please do not use this email to submit payment. This email may not be used as a remittance notice. To pay your invoices, please visit FedEx Billing Online, http://www.fedex.com/us/account/fbo


Thank you,
Revenue Services
FedEx


   


    This message has been sent by an auto responder system. Please do not reply to this message.

The content of this message is protected by copyright and trademark laws under U.S. and international law.
Review our privacy policy. All rights reserved.

Subjects spotted so far include:

Pay your Fedex invoice online.
Your Fedex invoice is ready to be paid now.
Please pay your outstanding Fedex invoice.
Your Fedex invoice is ready.


The malicious payload is found at [donotclick]studiomonahan.net/main.php?page=2bfd5695763b6536 (report here) hosted on 206.253.164.43 (Hostigation, US). The server contains the following suspect domains which should also be blocked:

fireinthesgae.pl
joncarterlope.pl
storuofginezi.com
usagetorrenen.com
dinitrolkalor.com
comercicalinz.com
studiomonahan.net
globusbusworld.su
jordanpowelove.su
appropriatenew.su
cdfilmcounderw.su
studiomonahan.net

Monday 16 April 2012

"FedEx Delivery Confirmation 821630" spam / pokeronmep.ru

This spam leads to malware on pokeronmep.ru.

Date:      Mon, 16 Apr 2012 18:26:48 +0900
From:      "Fed Ex SUPPORT 36" [support.391@fedex.com]
Subject:      FedEx Delivery Confirmation 821630
Attachments:     Collect_Letter.htm

ATTENTION!

DEAR USER , Delivery Confirmation: FAILED

PLEASE FILL IN ATTACHED FILE WITH RIGHT ADDRESS AND RESEND TO YOUR PERSONAL MANAGER (Open with Internet Explorer)

With Respect , Your Fed Ex Customer Services

The malicious payload is on pokeronmep.ru:8080/pages/glavctkoasjtct.php (report here) which is hosted on the same IP addresses as found in this attack. Blocking them would be worthwhile.