Wednesday, 11 September 2013

USPS spam / Label_FOHWXR30ZZ0LNB1.zip

This fake USPS spam has a malicious attachment:

Date:      Wed, 11 Sep 2013 11:19:05 -0500 [12:19:05 EDT]
From:      USPS Express Services [service-notification@usps.com]
Subject:      USPS - Missed package delivery
Priority:      High Priority 1 (High)

Notification

Our company's courier couldn't make the delivery of package.

REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: Sort Order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: UGLFOHWXR30ZZ0LNB1
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
USPS Global.

*** This is an automatically generated email, please do not reply ***

CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (USPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies.  Thank You

The attachment Label_FOHWXR30ZZ0LNB1.zip in turn contains an executable Label_368_09112013_JDSL.exe, which has a very low detection rate at VirusTotal of just 2/47. Automated analysis [1] [2] [3] shows an attempted connection to a hijacked domain drippingstrawberry.com hosted on 64.50.166.122 (LunarPages, US), alongside a large number of other hijacked domains. Blocking or monitoring traffic to this IP could stop the infection.

URLquery shows the following domains are distributing malware on that server:
cardiffpower.com
celebrategoodtimes.com
drippingstrawberry.com
thisisyourwife.co.uk
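As an added example (not part of the original post), the following Python script turns the indicators above into a simple check a defender could run: it scans constructed proxy log lines for the malware-distributing domains (and subdomains of them), flags any other traffic to the hosting IP for review rather than outright blocking, since that server also carries legitimate sites, and inspects a ZIP attachment for executable members. The log format, the client addresses and the ZIP contents are constructed for the example; only the IP, the domain names and the attachment file names come from the post.

```python
"""Added example: detection helpers built from the indicators in the post."""
import io
import zipfile

# Indicators copied from the post: the hosting IP and the domains URLquery
# reported as distributing malware from that server.
MALWARE_IP = "64.50.166.122"
MALWARE_DOMAINS = {
    "cardiffpower.com",
    "celebrategoodtimes.com",
    "drippingstrawberry.com",
    "thisisyourwife.co.uk",
}

# Constructed sample proxy log (hypothetical format: ts client host dest_ip status).
# 203.0.113.10 is a documentation address, not a real server.
SAMPLE_LOG = """\
2013-09-11T11:25:01 10.0.0.7 www.example.org 203.0.113.10 200
2013-09-11T11:25:03 10.0.0.9 drippingstrawberry.com 64.50.166.122 200
2013-09-11T11:25:04 10.0.0.9 cdn.drippingstrawberry.com 64.50.166.122 200
2013-09-11T11:26:10 10.0.0.12 goldhaven.co.uk 64.50.166.122 200
2013-09-11T11:27:00 10.0.0.3 notdrippingstrawberry.com 203.0.113.10 200
"""

# File extensions that should never arrive inside a "label" or "scan" ZIP.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def domain_matches(host: str, blocked: set) -> bool:
    """True if host is a blocked domain or a subdomain of one.

    Matching on label boundaries avoids false positives such as
    notdrippingstrawberry.com matching drippingstrawberry.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def scan_log(log_text: str) -> list:
    """Return one hit per log line that touches the indicators.

    action == "block":   host is a known malware-distributing domain
    action == "monitor": same hosting IP, but the domain is not yet known-bad"""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, client, host, dest_ip, _status = parts
        if domain_matches(host, MALWARE_DOMAINS):
            hits.append({"ts": ts, "client": client, "host": host, "action": "block"})
        elif dest_ip == MALWARE_IP:
            hits.append({"ts": ts, "client": client, "host": host, "action": "monitor"})
    return hits


def zip_hides_executable(zip_bytes: bytes) -> list:
    """Names of archive members with an executable extension (case-insensitive)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]


def build_sample_zip() -> bytes:
    """Constructed stand-in for Label_FOHWXR30ZZ0LNB1.zip.

    The member name is the one reported in the post; the content is an inert
    placeholder string, not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Label_368_09112013_JDSL.exe", b"placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['action']:8} {hit['ts']} {hit['client']} -> {hit['host']}")
    print("executables in attachment:", zip_hides_executable(build_sample_zip()))
```

The two-tier result (block versus monitor) mirrors the advice in the post: the named domains can go straight onto a blocklist, while the rest of the traffic to 64.50.166.122 is worth reviewing because the same server hosts sites that appear legitimate.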

For the record, the following domains appear to be on that server. They all look like legitimate sites, but some of them may be hijacked in the same way and others may not. Do with this list what you will:
4-access.com
ashburnes.com
bevan-holdings.com
bevanholdings.com
biffberry.com
camelotdevelopments.com
cardiffpower.com
carterlaurenconstruction.com
celebrategoodtimes.com
churchgatetrading.com
ciderbrokers.com
creativehomeworker.com
dcmsservices.com
deserve.org.uk
dignifiedcelebrations.com
doaus.com
drippingstrawberry.com
eflengineering.com
fruityblue.com
goldhaven.co.uk
gwentpressurewashers.co.uk
gwentpressurewashers.com
gympiper.info
haveyougotone.com
ivelostmymarbles.com
janglesmacrame.com
joannehawkins.com
justnoodles.co.uk
kinggems.com
kingmarbles.com
kwaggle.com
leightongriffiths.com
leisuremaintenanceltd.com
lmpropertyinvestments.com
macaraya.com
manorbrick.com
manorbrickyards.co.uk
marbledelights.com
marbleicious.com
motorhomeparadise.com
mykidbrother.com
mypersonalname.co.uk
mywebsitegroup.com
newportairport.co.uk
pnoa.co.uk
properteye.com
rockthecasbah.eu
rpduk.com
squaremileinsurance.com
steveperrott.com
talonstamed.com
thedrippingstrawberry.com
theitalianjob.mobi
thisisyourwife.co.uk
zestimports.com

UPDATE
This is an alternative version with the same payload:
Date:      Wed, 11 Sep 2013 14:54:14 -0600 [16:54:14 EDT]
From:      Xerox WorkCentre
Subject:      Scanned Image from a Xerox WorkCentre

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: spamcop.net
Number of Images: 5
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: 07PR24RHFD

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

Attachment is Scan_883_00286191_7159.zip which expands to scanned_doc_091113.exe
