
Thursday 21 September 2017

Malware spam: "Invoice RE-2017-09-21-00xxx" from "Amazon Marketplace"

This fake Amazon spam comes with a malicious attachment:

Subject:       Invoice RE-2017-09-21-00794
From:       "Amazon Marketplace" [yAhbPDAoufvZE@marketplace.amazon.co.uk]
Date:       Thu, September 21, 2017 9:21 am
Priority:       Normal

------------- Begin message -------------

Dear customer,

We want to use this opportunity to first say "Thank you very much for your purchase!"

Attached to this email you will find your invoice.

Kindest of regards,
your Amazon Marketplace



------------- End message -------------

For Your Information: To help arbitrate disputes and preserve trust and safety, we
retain all messages buyers and sellers send through Amazon.co.uk. This includes your
response to the message below. For your protection we recommend that you only
communicate with buyers and sellers using this method.

Important: Amazon.co.uk's A-to-z Guarantee only covers third-party purchases paid
for through our Amazon Payments system via our Shopping Cart or 1-Click. Our
Guarantee does not cover any payments that occur off Amazon.co.uk including wire
transfers, money orders, cash, check, or off-site credit card transactions.

We want you to buy with confidence whenever you purchase products on Amazon.co.uk.
Learn more about Safe Online Shopping
(http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=11081621) and our safe
buying guarantee

Attached is a .7z archive file with a name that matches the one quoted in the subject line. So far I have seen just two versions of this, each containing a malicious script (sample here and here). These scripts have a detection rate of about 13/58, and they can be seen attempting to download a component from:


An executable is dropped (Locky ransomware) with a detection rate of 18/64. Although Hybrid Analysis [1] [2] clearly shows the ransomware, no C2s are currently available (it turns out there aren't any).
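As an added example (not code from this post), the following Python filter flags messages that show the traits described above: an "Invoice RE-yyyy-mm-dd-nnnnn" subject, a From address claiming marketplace.amazon.co.uk, and a .7z attachment whose name repeats the invoice number from the subject. The sample message it builds is constructed to mirror the quoted headers; the attachment payload is only a 7z file signature followed by padding, and no script or download URL from the campaign is included.

```python
"""Gateway-side detection for the .7z invoice lure described in the post.
Added example; the message built by build_sample() is constructed, not a real sample.
"""
import re
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Subject shape quoted in the post: "Invoice RE-2017-09-21-00794"
INVOICE_RE = re.compile(r"Invoice (RE-\d{4}-\d{2}-\d{2}-\d{5})")
# Six-byte signature at the start of every 7z archive
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"


def find_attachments(msg: Message):
    """Yield (filename, decoded payload) for every MIME part that carries a filename."""
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            yield fname, part.get_payload(decode=True) or b""


def looks_like_invoice_lure(raw: str) -> dict:
    """Score one raw RFC 822 message against the traits of the lure.

    Returns the individual traits plus "flag", which is True only when the subject
    carries an invoice number, a .7z archive is attached, and the archive is named
    after that invoice number (the combination the post describes).
    """
    msg = message_from_string(raw)
    m = INVOICE_RE.search(msg.get("Subject", ""))
    invoice_id = m.group(1) if m else None
    traits = {
        "invoice_subject": invoice_id is not None,
        "claims_amazon_marketplace": "marketplace.amazon.co.uk" in msg.get("From", "").lower(),
        "archive_attached": False,
        "archive_named_after_subject": False,
        "archive_has_7z_magic": False,
    }
    for fname, payload in find_attachments(msg):
        if not fname.lower().endswith(".7z"):
            continue
        traits["archive_attached"] = True
        traits["archive_has_7z_magic"] = payload.startswith(SEVENZ_MAGIC)
        # The campaign named the archive exactly after the invoice number in the subject
        if invoice_id and fname[:-3] == invoice_id:
            traits["archive_named_after_subject"] = True
    traits["flag"] = (traits["invoice_subject"] and traits["archive_attached"]
                      and traits["archive_named_after_subject"])
    return traits


def build_sample(invoice_id: str = "RE-2017-09-21-00794", attach_name: str = None) -> str:
    """Build a constructed message with the quoted headers and a harmless .7z-shaped attachment."""
    attach_name = attach_name or f"{invoice_id}.7z"
    msg = MIMEMultipart()
    msg["Subject"] = f"Invoice {invoice_id}"
    msg["From"] = '"Amazon Marketplace" <constructed@marketplace.amazon.co.uk>'  # constructed sender
    msg["To"] = "recipient@example.invalid"
    msg.attach(MIMEText("Dear customer,\n\nAttached to this email you will find your invoice.\n"))
    part = MIMEApplication(SEVENZ_MAGIC + b"\x00" * 16, Name=attach_name)  # signature + padding only
    part["Content-Disposition"] = f'attachment; filename="{attach_name}"'
    msg.attach(part)
    return msg.as_string()


if __name__ == "__main__":
    print(looks_like_invoice_lure(build_sample()))
    print(looks_like_invoice_lure(build_sample(attach_name="receipt.pdf")))
```

The three-trait combination is what gives the rule precision: an invoice subject alone, or a .7z attachment alone, is common legitimate traffic, so each is reported as a separate trait for scoring while only the full match sets "flag".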

UPDATE - additional download locations:


naszfranio said...

SPF test on the email gateway will block these no bother.


Time: 21/09/2017 10:04:33 GMT+0100 GMT Daylight Time
Sender Email: ZYvSEQFNDqZUNSJ@marketplace.amazon.co.uk
Recipient Email: [EDITED]
Related IP:
Action: Rejected
Email Subject: (not available)

Blacklisted by the SPF Test (sender forged per policy of "marketplace.amazon.co.uk", SPF result: "softfail").


naszfranio said...

In the last hour I have had 100 attempts like that - the majority to valid email addresses and all coming from different IPs.

Conrad Longmore said...

@naszfranio This will be the Necurs botnet. IPs will be all over the place.

Yes, checking SPF records should block it. Also, blocking .7z files would probably not cause much of a problem; these are commonly used for Locky right at the moment.

Jan said...

The SPF softfail mechanism (in my experience by far the most widely used SPF configuration) does not actually assert a failing message is a spoof.

The specification reads:

8.5. Softfail

A "softfail" result ought to be treated as somewhere between "fail"
and "neutral"/"none". The ADMD believes the host is not authorized
but is not willing to make a strong policy statement. Receiving
software SHOULD NOT reject the message based solely on this result,
but MAY subject the message to closer scrutiny than normal.

If you pass an SPF check with the hardfail or softfail mechanism - you are considered a legitimate sender.
If you fail an SPF check with the softfail mechanism - you might be a legitimate sender.
If you fail an SPF check with the hardfail mechanism - you are not a legitimate sender.

It would be better for companies like Amazon to use the hardfail mechanism for this reason to protect their brand as the softfail mechanism does not adequately do so.
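To make the distinction in the comments above concrete, here is an added example (not code from the post or from any commenter) that evaluates a minimal SPF record against a connecting IP and maps each result to the treatment RFC 7208 section 8 allows: reject on "fail", accept "pass", and, as the quoted section 8.5 says, scrutinise rather than reject on "softfail". The records and addresses are constructed (RFC 5737 documentation ranges and .example domains); only ip4, ip6 and all mechanisms are handled, since include, a, mx and redirect need live DNS.

```python
"""Minimal SPF evaluator plus a policy mapper, added to illustrate ~all versus -all.
All records and IPs are constructed; no DNS is consulted.
"""
import ipaddress

# Constructed TXT records: "~all" is the softfail setup Jan describes, "-all" is hardfail.
CONSTRUCTED_SPF = {
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "hardfail.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "neutral.example": "v=spf1 ip4:192.0.2.0/24 ?all",
}

# Qualifier prefix -> result when the mechanism matches (RFC 7208 section 4.6.2)
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for one record.

    Handles only ip4, ip6 and all; any other mechanism raises, because it would
    require DNS lookups that this offline example deliberately does not perform.
    """
    if not record.lower().startswith("v=spf1"):
        return "none"  # no usable SPF record for the domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" when it matches
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # An IPv6 client never matches an ip4 network and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
        else:
            raise NotImplementedError(f"mechanism {name!r} needs DNS; not handled here")
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"  # nothing matched and no redirect (RFC 7208 section 4.7)


def gateway_action(result: str) -> str:
    """Map an SPF result to the action RFC 7208 section 8 permits on SPF alone."""
    return {
        "pass": "accept",
        "fail": "reject",            # 8.4: the ADMD asserts the host is not authorised
        "softfail": "scrutinize",    # 8.5: SHOULD NOT reject on this result alone
        "neutral": "accept",         # 8.3: no policy statement was made
        "none": "accept",            # 8.2: no record, nothing to enforce
        "permerror": "scrutinize",   # 8.7: unusable record; treat with caution
    }.get(result, "defer")


def check_sender(domain: str, client_ip: str, records=CONSTRUCTED_SPF) -> tuple:
    """Look up the (constructed) record for a domain and return (spf_result, action)."""
    result = evaluate_spf(records.get(domain, ""), client_ip)
    return result, gateway_action(result)


if __name__ == "__main__":
    # 203.0.113.5 is outside every authorised range, so it plays the spoofing host
    for domain in CONSTRUCTED_SPF:
        print(domain, check_sender(domain, "203.0.113.5"))
    print("hardfail.example", check_sender("hardfail.example", "2001:db8::25"))
```

Run against the same unauthorised address, the softfail domain yields only "scrutinize", the hardfail domain yields "reject", which is exactly the gap the last comment is pointing at: a ~all publisher leaves the decision to the receiver, so a gateway that rejects on softfail (as the one logged above did) is applying a stricter policy than the sender's record asserts.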