Fake ‘FedEx Tracking Number’ themed emails lead to malware


At the end of October, a cybercriminal or group of cybercriminals launched three massive spam campaigns in an attempt to trick users into clicking on a deceptive link and downloading a malicious attachment. Upon execution, the malware phones back to the command and control servers operated by the party that launched it, allowing complete access to the infected PC.

This time they didn’t try impersonating USPS, UPS or DHL, but FedEx.

More details:

Sample screenshot of the spamvertised email:

FedEx_Tracking_Number_Email_Spam__Malware

Second screenshot of a sample spamvertised email, again, part of the same campaign:

FedEx_Tracking_Number_Email_Spam__Malware_Second_Email_Template

Third screenshot of a sample spamvertised email used in the campaign:

FedEx_Tracking_Number_Email_Spam__Malware_Third_Email_Template

Sample spamvertised compromised URLs participating in the campaign:

Sample detection rate for the first sample: MD5: 0e2e1ef473bb731d462fb1c8b3dd7089 – detected by 35 out of 46 antivirus scanners as Trojan.Win32.Buzus.mruv

Upon execution, it phones back to the following URLs:

hxxp://91.121.90.80:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EDFF413C82D541
hxxp://84.40.69.119:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EDFF413C82D541
hxxp://211.172.112.7:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EDFF413C82D54

Sample detection rate for the second sample: MD5: ab25d6dbf9b041c0a7625f660cfa17aa – detected by 37 out of 46 antivirus scanners as Trojan-Dropper.Win32.Dapato.bxhg

Upon execution, it phones back to the following URLs:

hxxp://59.25.189.234:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EEF7413C82D541
hxxp://140.135.66.217:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EEF7413C82D541
hxxp://82.113.204.228:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EEF7413C82D541
hxxp://59.126.131.132:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EEF7413C82D541

None of these IPs currently has a domain resolving to it, apart from 59.126.131.132.
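The phone-home traffic above has a recognisable shape: port 8080 and a path that is one long run of uppercase hex, while the spamvertised landing pages are ten uppercase letters plus .html. The following is an added example (not part of the original post) that runs those two heuristics plus an exact match on the listed IPs over constructed proxy log lines; the log format and the verdict names are assumptions.

```python
import re

# Phone-home hosts listed in the post for the first and second samples.
C2_IPS = {
    "91.121.90.80", "84.40.69.119", "211.172.112.7",
    "59.25.189.234", "140.135.66.217", "82.113.204.228", "59.126.131.132",
}
C2_PORT = "8080"
# Beacon path shape from the post: a long run of uppercase hex, no file extension.
BEACON_PATH = re.compile(r"^/[0-9A-F]{64,}$")
# Landing-page shape of the spamvertised links: ten uppercase letters plus .html
LURE_PATH = re.compile(r"^/[A-Z]{10}\.html$")

# Constructed proxy log lines (not from the post); fields: client dst_ip dst_port path
SAMPLE_LOG = (
    "10.0.0.5 91.121.90.80 8080 /" + "DEADBEEF" * 8 + "\n"
    "10.0.0.5 93.184.216.34 443 /index.html\n"
    "10.0.0.9 203.0.113.7 8080 /" + "CAFEF00D" * 9 + "\n"
    "10.0.0.7 198.51.100.4 80 /LTDVVFONLS.html\n"
    "10.0.0.7 198.51.100.4 80 /about.html\n"
)

def classify(dst_ip, dst_port, path):
    """Return a verdict string for one request, or None if nothing matches."""
    if dst_ip in C2_IPS:
        return "known-c2"                 # exact indicator match from the post
    if dst_port == C2_PORT and BEACON_PATH.match(path):
        return "beacon-pattern"           # same shape, unknown host: worth a look
    if LURE_PATH.match(path):
        return "lure-page-pattern"        # low confidence; pair with the mail subject
    return None

def scan(log_text):
    """Return (client, dst_ip, verdict) for every log line that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines rather than crash
        client, dst_ip, dst_port, path = parts
        verdict = classify(dst_ip, dst_port, path)
        if verdict:
            hits.append((client, dst_ip, verdict))
    return hits

if __name__ == "__main__":
    for client, dst_ip, verdict in scan(SAMPLE_LOG):
        print(f"{client} -> {dst_ip}: {verdict}")
```

The path heuristics will fire on benign traffic occasionally, so treat them as triage hints to be confirmed against the mail gateway logs, not as block rules.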

songwriter.tw currently resolves to 59.126.131.132 – Email: songwriter.tw@gmail.com
Record expires on 2019-06-12 (YYYY-MM-DD)
Record created on 2009-06-12 (YYYY-MM-DD)

FedEx_Tracking_Number_Email_Spam__Malware__Compromised_Server

The domain appears to belong to a legitimate Taiwanese songwriting company or individual, which indicates that their server has been compromised and is currently being used as a command and control server.

Sample detection rate for the third sample: MD5: 252c797959273ff513d450f9af1d0242 – detected by 25 out of 46 antivirus scanners as TrojanDownloader:Win32/Kuluoz.B

We’ll continue monitoring the developments of the campaign, and post updates as soon as new campaigns are launched.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

