November 6, 2012 By Dancho Danchev

USPS ‘Postal Notification’ themed emails lead to malware

Cybercriminals are currently mass mailing millions of emails impersonating the United States Postal Service (USPS), in an attempt to trick its customers into downloading and executing the malicious .zip archive linked in the bogus emails.

Upon execution, the malware opens a backdoor on the affected host, allowing the cybercriminals behind the campaign to gain complete control over the host.

More details:

Sample screenshot of the spamvertised email:

Spamvertised compromised URL: hxxp://www.unser-revier-bruchtorf-ost.de/FWUJKKOGMP.html

Actual malicious archive URL: hxxp://www.unser-revier-bruchtorf-ost.de/Shipping_Label_USPS.zip

Detection rate: MD5: 089605f20e02fe86b6719e0949c8f363 – detected by 5 out of 44 antivirus scanners as UDS:DangerousObject.Multi.Generic

Upon execution, the sample phones back to the following URLs:
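The phone-back URLs share one shape: a bare IP address, a non-standard port, and a single long hex token as the path. The following detector, an added example that is not part of the original post, scores proxy log lines against that shape; the log format, the documentation-range addresses and the hex token are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Ports seen in the post's phone-back URLs; any port outside 80/443 is noted as a weaker signal.
CAMPAIGN_PORTS = {41765, 43456, 8080, 84}
# The callback path is one long, fixed hex token directly under the host, with no directories.
HEX_PATH = re.compile(r"^/[0-9A-Fa-f]{40,}$")
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def classify_request(url: str) -> dict:
    """Score one outbound HTTP request against the campaign's phone-back pattern."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if IPV4_HOST.match(host):
        reasons.append("bare-ip-host")
    if HEX_PATH.match(parts.path):
        reasons.append("long-hex-path")
    port = parts.port
    if port in CAMPAIGN_PORTS:
        reasons.append(f"campaign-port-{port}")
    elif port not in (None, 80, 443):
        reasons.append(f"nonstandard-port-{port}")
    # Bare IP plus long hex path is the distinctive combination; a port hit alone is too noisy.
    suspicious = "bare-ip-host" in reasons and "long-hex-path" in reasons
    return {"url": url, "suspicious": suspicious, "reasons": reasons}

def scan_proxy_log(text: str) -> list:
    """Parse 'timestamp client method url status' lines and return the suspicious ones."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line, skip rather than crash
        verdict = classify_request(fields[3])
        if verdict["suspicious"]:
            verdict.update(client=fields[1], timestamp=fields[0])
            hits.append(verdict)
    return hits

# Constructed sample log (not from the post): documentation-range IPs and a made-up hex token
# shaped like the real callback path. Line 4 has a hex path but a real hostname, so it is not flagged.
TOKEN = "ab12" * 16
SAMPLE_LOG = f"""\
2012-11-06T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html 200
2012-11-06T10:01:09Z 10.0.0.5 GET http://203.0.113.10:41765/{TOKEN} 200
2012-11-06T10:02:00Z 10.0.0.7 GET http://198.51.100.4:8080/{TOKEN} 200
2012-11-06T10:03:10Z 10.0.0.9 GET http://www.example.org/{TOKEN} 200
"""
```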

More malware variants are also known to have phoned back to the same IPs:

Who’s behind this campaign? It’s the same cybercriminal/group of cybercriminals that launched the “Cybercriminals impersonate UPS, serve malware” campaign in August 2012. Both campaigns are launched using identical tactics, and some of the listed MD5s are identical to the MD5s found in related campaigns impersonating UPS.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
