Remember the “Spamvertised ‘DHL Package delivery report’ emails serving malware” campaign profiled earlier this month?

It seems that another cybercrime gang has started impersonating DHL in an attempt to serve malware to the millions of spamvertised end and corporate users.

More details:

Screenshot of the currently spamvertised email:

Just like the previous campaign impersonating DHL, this one is also relying on attached .zip file containing the actual malware.

DHL-Details.exe – MD5: 89bec26d1f7d711eda39437612568319 detected by 33 out of 42 antivirus scanners as Trojan-Spy.Win32.Zbot.dzrx; Trojan.Zbot

Upon execution the sample creates the following files on the infected host:

%AppData%Ceydalysluiv.tmp – MD5: D6965F59B8D78DC0B8CB747F0F2878E3
%AppData%Ceydalysluiv.zia – MD5: 9F17BD86F8A772DC0B6A3CF0CCDCE2FC
%AppData%Obbiosetamys.exe – MD5: 66F2DD0D1366A95EBD120558AC3F5585
%Temp%tmpefdf2dea.bat – MD5: 489504C649766ECC691C4EEB3F86910C

It also phones back to the following URL located in Russia – 178.208.81.242/heinz/varieties/opt.php – AS35415, MCHOST-NET, Russian Federation

Webroot Secure Anywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This