This fake FedEx (or FeDex?) spam has a malicious attachment:
From: Secure-FeDex
Date: 8 June 2016 at 18:17
Subject: David Bernard agent Fedex
Deаr [redacted] ,
We tried tо delivеr уour item on June 08th, 2016, 10:45 АM. The delivеry attempt failеd because thе аddress was business сlоsed оr nobodу сould sign fоr it.
Тo piсk up the package, please, рrint the receipt that is аttаchеd to this еmаil and visit FеdEx office indicated in the invoice. If the pасkagе is nоt piсkеd up within 24 hоurs, it will bе returnеd to thе shipper.
Receipt Number: 98402839289
Eхpесted Delivеrу Dаte: June 08th, 2016
Class: Intеrnаtional Paсkаge Sеrviсe
Servicе(s): Delivеrу Cоnfirmation
Status: Notifiсatiоn sent
Thank you for choosing our service
© FedEх 1995-2016
In this case there was an attachment FedEx_track_98404283928.zip which unzipped into a folder FedEx_track_98404283928 containing in turn a malicious script FedEx_track_98404283928.js which (according to Malwr) attempts to download a binary from one of the following locations:
www.brusasport.com/Brusa/vario/direct/teamviiverupdate2918372.exe
www.microsoft.com/Brusa/vario/direct/teamviiverupdate2918372.exe
www.mega.net/Brusa/vario/direct/teamviiverupdate2918372.exe
www.google.com/Brusa/vario/direct/teamviiverupdate2918372.exe
www.yahoo.com/Brusa/vario/direct/teamviiverupdate2918372.exe
Only the first one is a valid download location; the rest are a smokescreen. The dropped binary has a detection rate of 5/56 but automated analysis [1] [2] [3] is inconclusive. However, those reports do seem to indicate attempted network traffic to:
secure.adnxs.metalsystems.it
upfd.pilenga.co.uk
These two subdomains appear to have been hijacked from unrelated Register.IT customers and are hosted on a questionable-looking customer of OVH Italy at 188.165.157.176:
organisation: ORG-NQ1-RIPE
org-name: Kitdos NOC
org-type: OTHER
address: UNKNOW
address: UNKNOW UNKNOW
address: US
e-mail: kitdos.com@gmail.com
abuse-mailbox: kitdos.com@gmail.com
phone: +33.188866688
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
created: 2016-02-04T03:22:05Z
last-modified: 2016-02-23T13:14:14Z
source: RIPE
Other hijacked subdomains are hosted on the same IP.
This Tweet from @pancak3lullz indicates that this IP is associated with Andromeda rather than the usual recent patterns of Locky or Dridex (which has... err... dried up recently). It appears to have been a malicious IP for more than a month.
Of interest is that almost every part of this chain (including the spam sending IP of 31.27.229.22) is in Italy.
As with a great deal of recent spam, this is delivered via a .js script in a ZIP file. If you can configure your mail filters to reject such things then you will be a whole lot safer.
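As an added example (not from the original post), here is a small Python filter of the kind that recommendation describes: it inspects a ZIP attachment in memory, flags script members even when they sit inside a folder as in this sample, and checks an IP against the recommended /30 blocklist. The sample archive is constructed here; its member names follow the post, its contents are a placeholder.

```python
import io
import ipaddress
import zipfile

# Script types commonly delivered inside ZIP attachments; the post's case is .js.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1"}

# The post's recommended blocklist (188.165.157.176 - .179).
BLOCKLIST = [ipaddress.ip_network("188.165.157.176/30")]


def script_members(zip_bytes: bytes) -> list[str]:
    """Return archive member paths with a script extension, nested folders included."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            # Use the last extension so a double-extension name like invoice.pdf.js is caught.
            ext = name[name.rfind("."):] if "." in name else ""
            if ext in SCRIPT_EXTENSIONS:
                hits.append(info.filename)
    return hits


def should_reject(zip_bytes: bytes) -> bool:
    """Mail-filter decision: reject any ZIP that carries a script member."""
    return bool(script_members(zip_bytes))


def is_blocklisted(ip: str) -> bool:
    """True if the address falls inside the recommended blocklist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)


def build_sample(member: str = "FedEx_track_98404283928/FedEx_track_98404283928.js") -> bytes:
    """Constructed attachment: a folder holding one file, mirroring the post's layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "// placeholder content, not the real script\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(script_members(build_sample()), should_reject(build_sample()))
    print(is_blocklisted("188.165.157.176"), is_blocklisted("188.165.157.180"))
```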
Recommended blocklist:
188.165.157.176/30