
Friday, 3 October 2014

"Thanks for shopping with us today!" malspam spreads via Dropbox

This spam email leads to malware hosted on Dropbox:

From:     pghaa@pghaa.org
To:     victim@victimdomain.com
Date:     3 October 2014 11:43
Subject:     victim@victimdomain.com

Thanks for shopping with us today! Your purchase will be processed shortly.

ORDER DETAILS

Purchase Number: CTV188614791
Purchase Date: 7:38 2-Oct-2014
Customer Email: victim@victimdomain.com

Amount: 4580 US Dollars

Open your payment details

Please click the link provided above to get more details about your order.
In this case the download location is https://www.dropbox.com/s/7n4ib0ysqnzr4un/Payment%20Details_52375.zip?dl=1 (the dl=1 parameter makes Dropbox serve the file as a direct download rather than showing a preview page), although there are likely to be other locations.

The downloaded file is Payment Details_52375.zip, containing a malicious executable named PAYMENT DETAILS.PDF  .scr_56453.exe (a double extension padded with spaces, so that it passes for a PDF in a file listing with extensions hidden). It has a VirusTotal detection rate of 5/55. At the moment, automated analysis tools [1] [2] [3] are inconclusive as to what it does.

UPDATE: it is also being distributed via
https://www.dropbox.com/s/9an3ggp98xu7ql5/Transaction_85523.zip?dl=1
https://www.dropbox.com/s/8uoheamseo98nse/Information_J90Z4.zip?dl=1 
https://www.dropbox.com/s/fvogsazezmv00hw/Transaction_G287O.zip?dl=1
https://www.dropbox.com/s/42b7binqmk8auu9/Payment_Details_A0869.zip?dl=1
https://www.dropbox.com/s/okag3y2qtg12vg7/Payment_Details_R435C.zip?dl=1
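The two things worth checking automatically in a campaign like this are the lure links (Dropbox shared links with dl=1, which download rather than preview) and the archive contents (a member name that hides an executable extension behind a decoy extension and padding). The following script is an added example, not part of the original post or any tool mentioned in it: it pulls Dropbox links out of mail text, then opens a zip in memory and flags member names like the one above. The email text and the zip it scans are constructed here from the filenames on the page; the zip holds an inert placeholder, not the real sample, and the heuristics (extension lists, the whitespace rule) are the author's own assumptions rather than anything the post documents.

```python
import hashlib
import io
import re
import zipfile
from urllib.parse import parse_qs, urlparse

# Extensions Windows runs on double-click (assumed list; the page's sample uses .scr/.exe).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jse", ".wsf"}
# Document/image extensions commonly used as the decoy half of a double extension (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

# Dropbox shared-link form seen in the spam: /s/<id>/<filename>?dl=1
DROPBOX_RE = re.compile(r"https?://(?:www\.)?dropbox\.com/s/[^\s\"'<>]+", re.I)


def extract_dropbox_links(text):
    """Return [(url, forces_download)] for each Dropbox shared link in text.

    dl=1 makes Dropbox serve the file as a direct download instead of the
    preview page, which is why every lure link on the page carries it.
    """
    links = []
    for url in DROPBOX_RE.findall(text):
        query = parse_qs(urlparse(url).query)
        links.append((url, query.get("dl", ["0"])[0] == "1"))
    return links


def suspicious_name_reasons(name):
    """Return the reasons an archive member name looks like a disguised
    executable, or [] if nothing stands out."""
    reasons = []
    base = name.rsplit("/", 1)[-1]          # drop any directory part
    parts = base.split(".")
    if len(parts) < 2:
        return reasons
    real_ext = "." + parts[-1].strip().lower()
    if real_ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + real_ext)
    # An earlier dotted segment that is a document extension is a decoy:
    # "INVOICE.PDF.exe" displays as "INVOICE.PDF" when extensions are hidden.
    for segment in parts[1:-1]:
        decoy = "." + segment.strip().lower()
        if decoy in DECOY_EXTS:
            reasons.append("decoy extension " + decoy + " before real extension")
            break
    # Runs of spaces push the real extension out of view in narrow file lists.
    if re.search(r"\s{2,}", base):
        reasons.append("whitespace padding inside filename")
    return reasons


def scan_zip(data):
    """Scan an in-memory zip; return {member_name: (sha256_hex, reasons)}.
    The hash is what you would look up on VirusTotal."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            report[info.filename] = (digest, suspicious_name_reasons(info.filename))
    return report


def build_sample_zip():
    """Constructed stand-in for Payment Details_52375.zip: same member name as
    on the page, but the content is an inert placeholder, not the malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("PAYMENT DETAILS.PDF  .scr_56453.exe", b"MZ placeholder, not the real sample")
        zf.writestr("readme.txt", b"benign decoy member")
    return buf.getvalue()


# Constructed from the lure text and three of the URLs on the page.
SAMPLE_EMAIL = """Open your payment details
https://www.dropbox.com/s/7n4ib0ysqnzr4un/Payment%20Details_52375.zip?dl=1
https://www.dropbox.com/s/9an3ggp98xu7ql5/Transaction_85523.zip?dl=1
https://www.dropbox.com/s/okag3y2qtg12vg7/Payment_Details_R435C.zip?dl=1
"""

if __name__ == "__main__":
    for url, direct in extract_dropbox_links(SAMPLE_EMAIL):
        print(("DIRECT  " if direct else "preview ") + url)
    for name, (sha, reasons) in scan_zip(build_sample_zip()).items():
        print("SUSPICIOUS" if reasons else "ok        ", repr(name), sha[:16], "; ".join(reasons))
```

The name check is deliberately conservative: it only reports a decoy extension when a document extension precedes an executable one, so an ordinary invoice.pdf produces no reasons. Anything it does flag should be handled inside a sandbox, never opened on an analyst's workstation.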


2 comments:

mp said...

This email, in various forms using multiple subject lines, has been observed since at least July. I would love to know what the malware is actually doing. It has also used copy.com in addition to Dropbox.

Marco said...

We see various connections, in particular a POST to 5.63.155.195:8080/home.php