From: Secure-FeDex
Date: 8 June 2016 at 18:17
Subject: David Bernard agent Fedex

Deаr [redacted] ,
We tried tо delivеr уour item on June 08th, 2016, 10:45 АM.
The delivеry attempt failеd because thе аddress was business сlоsed оr nobodу сould sign fоr it.
Тo piсk up the package, please, рrint the receipt that is аttаchеd to this еmаil and visit FеdEx
office indicated in the invoice. If the pасkagе is nоt piсkеd up within 24 hоurs, it will bе returnеd to thе shipper.
Receipt Number: 98402839289
Eхpесted Delivеrу Dаte: June 08th, 2016
Class: Intеrnаtional Paсkаge Sеrviсe
Servicе(s): Delivеrу Cоnfirmation
Status: Notifiсatiоn sent
Thank you for choosing our service
© FedEх 1995-2016

In this case there was an attachment FedEx_track_98404283928.zip which unzipped into a folder FedEx_track_98404283928 containing in turn a malicious script FedEx_track_98404283928.js which (according to Malwr) attempts to download a binary from one of the following locations:
www.brusasport.com/Brusa/vario/direct/teamviiverupdate2918372.exe
www.microsoft.com/Brusa/vario/direct/teamviiverupdate2918372.exe
www.mega.net/Brusa/vario/direct/teamviiverupdate2918372.exe
www.google.com/Brusa/vario/direct/teamviiverupdate2918372.exe
www.yahoo.com/Brusa/vario/direct/teamviiverupdate2918372.exe
Only the first one is a valid download location; the rest are a smokescreen. The dropped binary has a detection rate of 5/56, but automated analysis [1] [2] [3] is inconclusive. However, those reports do seem to indicate attempted network traffic to:
secure.adnxs.metalsystems.it
upfd.pilenga.co.uk
These two subdomains appear to have been hijacked from unrelated Register.IT customers and are hosted on a questionable-looking customer of OVH Italy at 188.165.157.176:
organisation: ORG-NQ1-RIPE
org-name: Kitdos NOC
org-type: OTHER
address: UNKNOW
address: UNKNOW UNKNOW
address: US
e-mail: kitdos.com@gmail.com
abuse-mailbox: kitdos.com@gmail.com
phone: +33.188866688
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
created: 2016-02-04T03:22:05Z
last-modified: 2016-02-23T13:14:14Z
source: RIPE
Other hijacked subdomains on the same IP are:
tgr.tecnoagenzia.eu
bmp.pilenga.co.uk
maps.pilenga.co.uk
sundication.twitter.luigilatruffa.com
tit.pilenga.net
trw.pilenga.net
ocsp.pilenga.net
plda.pilenga.net
maps.pilenga.mobi
plda.pilenga.mobi
This Tweet from @pancak3lullz indicates that this IP is associated with Andromeda rather than the usual recent patterns of Locky or Dridex (which has.. err.. dried up recently). It appears to have been a malicious IP for more than a month.
Of interest is that almost every part of this chain (including the spam-sending IP of 31.27.229.22) is in Italy.
As with a great deal of recent spam, this is delivered via a .js script in a ZIP file. If you can configure your mail filters to reject such things then you will be a whole lot safer.
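As an added illustration (not part of the original post), here is a Python check of the kind a mail filter could run: it opens each ZIP attachment, walks the archive members, and flags any whose final extension Windows would execute on double-click, so a folder-wrapped .js like the one above is caught even though the top-level attachment is "just a ZIP". It goes a little beyond the .js case by also catching .jse, .wsf, .vbs, .hta and similar. The sample message and archive are constructed here to mirror the layout described in the post; nothing in the block is taken from the malware itself.

```python
"""Flag mail attachments that carry a runnable script inside a ZIP archive.

Added example for this write-up; the message and ZIP are built inline so the
check runs offline and does not touch any real sample.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions that Windows Script Host, the shell or the loader will run directly.
# Assumed list for this example; extend it to match your own filtering policy.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".ps1", ".cmd", ".bat", ".exe", ".scr",
}


def script_members(zip_bytes: bytes) -> list[str]:
    """Return archive member paths whose *final* extension is runnable.

    Using the final suffix means double extensions such as receipt.pdf.js are
    caught, and members nested inside folders are checked just like top-level ones.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Normalise backslashes so Windows-created archives parse the same way.
            name = PurePosixPath(info.filename.replace("\\", "/"))
            if name.suffix.lower() in SCRIPT_EXTENSIONS:
                found.append(info.filename)
    return found


def suspicious_attachments(raw_message: bytes) -> dict[str, list[str]]:
    """Map each ZIP attachment filename to the script members found inside it."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True)
        # Decide by content, not by the declared MIME type or the filename:
        # a renamed ZIP still starts with the 'PK' local-file-header signature.
        if not payload or not payload.startswith(b"PK"):
            continue
        try:
            members = script_members(payload)
        except zipfile.BadZipFile:
            continue  # truncated or fake archive; a stricter policy could reject it outright
        if members:
            results[filename] = members
    return results


def build_sample_message() -> bytes:
    """Constructed sample: a ZIP holding a folder that holds a .js, as in the FedEx spam."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FedEx_track_98404283928/FedEx_track_98404283928.js", "// placeholder, not the real dropper\n")
        zf.writestr("FedEx_track_98404283928/readme.txt", "nothing to see here\n")
    msg = EmailMessage()
    msg["From"] = "Secure-FeDex <noreply@example.invalid>"  # assumed sender address
    msg["Subject"] = "David Bernard agent Fedex"
    msg.set_content("We tried to deliver your item.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="FedEx_track_98404283928.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for zip_name, hits in suspicious_attachments(build_sample_message()).items():
        print(f"REJECT {zip_name}: {', '.join(hits)}")
```

Run against a real mailbox by replacing `build_sample_message()` with the raw bytes of each incoming message; anything returned is a candidate for rejection or quarantine. The content-sniffing on the `PK` signature matters because senders routinely mislabel the part as application/octet-stream or give the ZIP a harmless-looking name.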
Recommended blocklist:
188.165.157.176/30