Sponsored by..

Wednesday 15 October 2014

"Shipping Information for.." spam uses a Google redirector and copy.com to distribute malware

This fake shipping spam contains malware.. although it appears that it may be buggy and might not install properly.

From:     fatmazohra.mekhalfia@groupehasnaoui.com
Date:     15 October 2014 15:09
Subject:     Shipping Information for [redacted]
      
Please see the shipping info
  
Processed on Oct 15/ 2014

This is to inform you that the package is being shipped to you. We also provided delivery terms to specified address.

Order number: 611541106
Order total: 3000.28 USD
Shipping date: Oct 16th 2014.


Please hit the button provided at the bottom to see more info about your package.

 Shipping Invoice

The link in the email goes to https://www.google.com/url?q=https%3A%2F%2Fcopy.com%2FEl9fd4VfLkfN%2FTrackShipment_0351.PDF.scr%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNE0-3UrX7jNPzSGYodsQVzmBhrwMA which bounces through Google and then downloads a malicious executable TrackShipment_0351.PDF.scr which has a VirusTotal detection rate of 4/54.

The Malwr report indicates that the malware fails to install because of a bug in the code, a problem that also appears in all the other analysis tools that I tried.

What I think is meant to happen is that a malicious script [pastebin] that has been disguising itself as a GIF file which then renames a component Gl.png to Gl.exe and then attempts to execute it with the following command:
Gl.exe -pGlue1 -d%temp%
This executable has a VirusTotal detection rate of 2/53. It bombs out of automated analysis tools (see the Malwr report) possibly because it is being executed with the wrong parameters. It also opens a seemingly legitimate PDF file (VT 0/54) which is designed to look like a Commercial Invoice, presumably to mask the fact that it is doing something malicious in the background.


If you opened a file similar to this and you saw a PDF with a blank Commercial Invoice like the one pictured above, then you've probably been infected by the executable running in the background.

1 comment:

Unknown said...

We see it checking in at 5.63.155.195 and talking to various other hosts. Lots of browser password, email, FTP credentials stealing going on...