Thursday, 6 February 2014

Fake "TNT UK Limited" spam with zero detections


This fake TNT spam comes with a malicious attachment that is currently not detected by any AV vendors.

Date:      Thu, 6 Feb 2014 11:48:18 +0100 [05:48:18 EST]
From:      TNT COURIER SERVICE [tracking@tnt.co.uk]
Subject:      TNT UK Limited - Package tracking 798950432737

Your package have been picked up and is ready for dispatch.

Connote #    :    798950432737
Service Type    :    Export Non Documents - Intl
Shipped on    :    05 Feb 14 00:00
Order No            :    2819122
Status            :    Driver's Return
Description       :    Wrong Address
Service Options: You are required to select a service option below.

TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.

DETAILS OF PACKAGE
Reg order no: 798950432737

The options, together with their associated conditions
Attached is a file Label_798950432737.zip which contains a malicious executable, Label02062014.scr. The .scr (screensaver) extension does not make it any less of a Windows executable: it runs like an .exe when double-clicked. It has a VirusTotal detection rate of 0/41.
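A zero-detection sample like this one is the case for checking attachments on properties that do not depend on AV signatures. The following is an added example, not from the original post: it inspects a ZIP attachment and flags any member that has an extension Windows will execute (such as .scr) or that begins with the PE "MZ" magic regardless of its name. The sample ZIP is constructed in memory as a stand-in for Label_798950432737.zip, with a dummy PE header in place of the real malware.

```python
import io
import os
import zipfile
from typing import Dict, List

# Extensions Windows runs directly on double-click; .scr (screensaver) is a
# plain PE binary, which is what the Label_*.zip lure relies on.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # first two bytes of every DOS/Windows executable header


def inspect_zip_attachment(data: bytes) -> List[Dict[str, object]]:
    """Return one finding per suspicious member of a ZIP attachment.

    Two independent checks, so a renamed executable is caught either way:
    - the member's extension is one Windows will execute
    - the member's first bytes are the PE 'MZ' magic, whatever the name
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            with archive.open(info) as member:
                head = member.read(len(PE_MAGIC))
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if head == PE_MAGIC:
                reasons.append("PE header (MZ) in content")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_lure() -> bytes:
    """Constructed stand-in for Label_798950432737.zip (not the real sample):
    the .scr member is a dummy MZ header plus filler bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Label02062014.scr", PE_MAGIC + b"\x90" * 64)
        archive.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in inspect_zip_attachment(build_sample_lure()):
        print(hit["name"], "->", "; ".join(hit["reasons"]))
```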

Despite the zero detection rate, there is plenty of badness going on [1] [2] [3] [4] including downloads of an encrypted file from the following locations:

[donotclick]newz24x.com/wp-content/uploads/2014/02/pdf.enc
[donotclick]oilwellme.com/images/banners/pdf.enc

The Malwr report shows the sample communicating with a large number of IP addresses. Some of these appear to be Cloudflare addresses (newz24x.com is hosted behind Cloudflare), so take care before blocking them.

Recommended blocklist:
182.18.151.160
newz24x.com
oilwellme.com
