Date: Thu, 6 Feb 2014 11:48:18 +0100 [05:48:18 EST]Attached is a file Label_798950432737.zip which contains a malicious executable Label02062014.scr (an executable despite the .scr extension) with a VirusTotal detection rate of 0/41.
From: TNT COURIER SERVICE [tracking@tnt.co.uk]
Subject: TNT UK Limited - Package tracking 798950432737
Your package have been picked up and is ready for dispatch.
Connote # : 798950432737
Service Type : Export Non Documents - Intl
Shipped on : 05 Feb 14 00:00
Order No : 2819122
Status : Driver's Return Description : Wrong Address
Service Options: You are required to select a service option below.
TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.
DETAILS OF PACKAGE
Reg order no: 798950432737
The options, together with their associated conditions
Despite the zero detection rate, there is plenty of badness going on [1] [2] [3] [4] including downloads of an encrypted file from the following locations:
[donotclick]newz24x.com/wp-content/uploads/2014/02/pdf.enc
[donotclick]oilwellme.com/images/banners/pdf.enc
The Malwr report indicates lots of IPs being communicated with, some of these look like Cloudflare addresses where newz24x.com is hosted. Take care with these if you are thinking about blocking them.
Recommended blocklist:
182.18.151.160
newz24x.com
oilwellme.com
No comments:
Post a Comment