Thursday, October 18, 2012

UPS spam downloads malware


Yes, you've read the title right. Not the usual spam/malware attachment, but in fact just a picture of UPS... which of course is clickable.

But wait! Seems like the bad guys forgot a letter in their HTML (facepalm). I received the following mail:

Subject of spam email: UPS #Print your postal label














Since they forgot the "h" in "http", the image is incorrectly displayed. What it should have been:

Your package was not delivered. You are asked to print the label 














The mail  is coming from (related to the Asprox botnet):
70.75.216.19 - IPVoid Result

What happens when you click on the "Print a shipping label" (or what it should have been):

Copy_of_UPS_Label.zip

A ZIP file gets saved, but you still need to open it and execute the file to become infected...


Copy_of_UPS_Label.exe






Result: 13/43
MD5: 2e9755cfce544627fbfd3be07af5d7d9
Anubis Report
Malwr Report
ThreatExpert Report 


If the file gets executed, it drops a copy of itself to the %appdata% folder and tries to connect to the following IPs:

46.105.112.99:8080 - IPVoid Result
50.22.136.150:8080 - IPVoid Result
78.46.31.53:8080 - IPVoid Result
173.224.211.194:8080 - IPVoid Result
178.77.103.54:8080 - IPVoid Result
184.154.20.226:8080 - IPVoid Result
188.165.212.160:8080 - IPVoid Result
202.169.224.202:8080 - IPVoid Result
217.160.236.108:84 - IPVoid Result


Also when executing the file, an instance of svchost (malware injected into it, thanks to SteveK for the headsup) gets started and opens an empty Notepad file:
Empty Notepad file created by the malware


If anyone has an idea on the why of this,be sure to let me know. Maybe to convince you it's really a UPS label after all? Second fail of the day, should have at least included some rubbish text in there.

This malware is known as Kuluoz, which can download and install additional malware on your system.


Conclusion


Pretty simple. Never open any emails from unknown senders, do not click on any links and certainly do not open any attachments.

Bells should be ringing already when you have not ordered anything. Always be wary when receiving mails where you need to click on a link or open an attachment to view this or that. Ask yourself:
"does this look legit?" If the answer is no, you know what to do.



4 comments:

  1. Hey Bart, the svchost.exe is not innocent. It has the trojan thread in it. Basically this is a 2 level injector, the first child is suspended where the code the packager is injected, then this child resumes and injects into svchost.exe the final stage of the injection. Notepad is launched after the original file is replaced with an empty text file.

    This is typical nowadays to attempt to trick the user into thinking they opened a blank and benign document. It's unusual in that this attackers appears uber lazy.

    ReplyDelete
    Replies
    1. Hi Steve,

      Thanks for your reply! I just assumed it was a legit (renamed copy of rundll to) svchost that was just launching the Notepad file (simple filenamecopy of the dropper)
      That's why I didn't check svchost for any injected threads.

      I haven't seen this trick (well except PDF exploits) to fool the users, but of course it makes perfect sense. It does appear that this gang was indeed lazy.

      Cheers!

      Delete
  2. If you leave the computer running & connected to the internet long enough (up to 5 minutes) you will be prompted that your computer is infected and you need to install a fake AV to get rid of them. If you don't install it manually, it kills all unneccessary processes and installs anyway. It "scans your computer, finds viruses" and tells you to buy the program to remove them. Looks to be phishing malware looking for some money.

    ReplyDelete
    Replies
    1. Also, some strains of it scans & connects to every mail exchange server you can think of, sending email as spoofed addresses. And, with some variants, the notepad will have text (string of l's [llllllllllllllll]) and the original email has white text below the image (white text on white background = unseen) most likely to avoid spam filters.

      Delete