At the end of October, a cybercriminal or group of cybercriminals launched three massive spam campaigns in an attempt to trick users into clicking on a deceptive link and downloading a malicious attachment. Upon execution, the malware phones back to the command and control servers operated by the party that launched it, allowing complete access to the infected PC.

This time they didn’t try impersonating USPS, UPS or DHL, but FedEx.

More details:

Sample screenshot of the spamvertised email:

[Screenshot: FedEx_Tracking_Number_Email_Spam__Malware]

Second screenshot of a sample spamvertised email, again, part of the same campaign:

[Screenshot: FedEx_Tracking_Number_Email_Spam__Malware_Second_Email_Template]

Third screenshot of a sample spamvertised email used in the campaign:

[Screenshot: FedEx_Tracking_Number_Email_Spam__Malware_Third_Email_Template]

Sample spamvertised compromised URLs participating in the campaign:
hxxp://www.daikychi.de/LTDVVFONLS.html
hxxp://www.brunobassettocarni.it/ZBQJPKZVFG.html
hxxp://panexpress.es/BFLYQUDUJI.html
hxxp://milrecados.com/SWVOXIGJEV.html
hxxp://watertaxis.mobi/APQTJNWNPV.html
hxxp://dhacdooyinka.com/WERGLIHRLG.html
hxxp://cantoncityutah.com/OXSJOVVYOE.html
hxxp://www.supporttechnologies.co.in/RNNDHDKSZT.html
hxxp://affiliate-erfolg.de/KQEZOOWAYE.html
hxxp://moebel-bergen.de/TGBSSWXALL.html
hxxp://thebusinessplus.com/MUTBQJADRE.html
hxxp://btv-bosseln.de/EJWFBEEBWI.html
hxxp://howardwindfarm.com/SYMUADLPDU.html
hxxp://atimbershop.com/GULSHSFCHM.html
hxxp://reenhaneck.narod.ru/RAPNCDDKMX.html
hxxp://mylauren.com/CCOSGTLVTA.html

Sample detection rate for the first sample: MD5: 0e2e1ef473bb731d462fb1c8b3dd7089 – detected by 35 out of 46 antivirus scanners as Trojan.Win32.Buzus.mruv

Upon execution, it phones back to the following URLs:

hxxp://91.121.90.80:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EDFF413C82D541
hxxp://84.40.69.119:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EDFF413C82D541
hxxp://211.172.112.7:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EDFF413C82D54

Sample detection rate for the second sample: MD5: ab25d6dbf9b041c0a7625f660cfa17aa – detected by 37 out of 46 antivirus scanners as Trojan-Dropper.Win32.Dapato.bxhg

Upon execution, it phones back to the following URLs:

hxxp://59.25.189.234:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EEF7413C82D541
hxxp://140.135.66.217:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EEF7413C82D541
hxxp://82.113.204.228:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EEF7413C82D541
hxxp://59.126.131.132:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EEF7413C82D541

None of these IPs currently has a domain pointing to it, apart from 59.126.131.132.

songwriter.tw currently resolves to 59.126.131.132 – Email: songwriter.tw@gmail.com
Record expires on 2019-06-12 (YYYY-MM-DD)
Record created on 2009-06-12 (YYYY-MM-DD)

[Screenshot: FedEx_Tracking_Number_Email_Spam__Malware__Compromised_Server]

The domain appears to belong to a legitimate Taiwanese songwriting company or individual, indicating that their server has been compromised and is currently being used as a command and control server.

Sample detection rate for the third sample: MD5: 252c797959273ff513d450f9af1d0242 – detected by 25 out of 46 antivirus scanners as TrojanDownloader:Win32/Kuluoz.B
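For defenders who want to act on the indicators above, the following is an added example (not part of the original post or Webroot's tooling) that matches proxy log lines and file hashes against the landing URLs, the phone-home ip:port pairs and the three MD5s listed in this post. The log format and the log lines themselves are constructed for the example; the two structural patterns (ten uppercase letters plus `.html` for the landing pages, one long uppercase-hex path on port 8080 for the phone-home requests) are a generalisation of the indicators listed here, not something the post states, so hits on them are flagged separately for triage rather than treated as confirmed infections.

```python
"""Match proxy log lines and file hashes against the indicators in this post.
Added example; the log lines below are constructed, not taken from the post."""
import hashlib
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Spamvertised landing pages from the post, left defanged (hxxp) as published.
LANDING_URLS = [
    "hxxp://www.daikychi.de/LTDVVFONLS.html",
    "hxxp://www.brunobassettocarni.it/ZBQJPKZVFG.html",
    "hxxp://panexpress.es/BFLYQUDUJI.html",
    "hxxp://milrecados.com/SWVOXIGJEV.html",
    "hxxp://watertaxis.mobi/APQTJNWNPV.html",
    "hxxp://dhacdooyinka.com/WERGLIHRLG.html",
    "hxxp://cantoncityutah.com/OXSJOVVYOE.html",
    "hxxp://www.supporttechnologies.co.in/RNNDHDKSZT.html",
    "hxxp://affiliate-erfolg.de/KQEZOOWAYE.html",
    "hxxp://moebel-bergen.de/TGBSSWXALL.html",
    "hxxp://thebusinessplus.com/MUTBQJADRE.html",
    "hxxp://btv-bosseln.de/EJWFBEEBWI.html",
    "hxxp://howardwindfarm.com/SYMUADLPDU.html",
    "hxxp://atimbershop.com/GULSHSFCHM.html",
    "hxxp://reenhaneck.narod.ru/RAPNCDDKMX.html",
    "hxxp://mylauren.com/CCOSGTLVTA.html",
]

# ip:port of the phone-home servers listed for the first and second samples.
C2_HOSTS = {
    "91.121.90.80:8080", "84.40.69.119:8080", "211.172.112.7:8080",
    "59.25.189.234:8080", "140.135.66.217:8080", "82.113.204.228:8080",
    "59.126.131.132:8080",
}

# MD5 -> detection name, as given in the post.
SAMPLE_MD5S = {
    "0e2e1ef473bb731d462fb1c8b3dd7089": "Trojan.Win32.Buzus.mruv",
    "ab25d6dbf9b041c0a7625f660cfa17aa": "Trojan-Dropper.Win32.Dapato.bxhg",
    "252c797959273ff513d450f9af1d0242": "TrojanDownloader:Win32/Kuluoz.B",
}


def refang(url: str) -> str:
    """Turn the published hxxp:// form back into http:// for matching."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


LANDING_SET = {refang(u).lower() for u in LANDING_URLS}

# Structure shared by the listed indicators (an assumption drawn from them):
# landing pages are ten uppercase letters + .html, phone-home requests are a
# single long uppercase-hex path on port 8080.
LANDING_PATH_RE = re.compile(r"^/[A-Z]{10}\.html$")
C2_PATH_RE = re.compile(r"^/[0-9A-F]{120,}$")


def classify_url(url: str) -> Optional[str]:
    """Exact indicator hits first, then the looser structural patterns."""
    parsed = urlparse(url)
    if url.lower() in LANDING_SET:
        return "landing"
    if parsed.netloc.lower() in C2_HOSTS:
        return "c2"
    if LANDING_PATH_RE.match(parsed.path):
        return "landing-pattern"
    if parsed.port == 8080 and C2_PATH_RE.match(parsed.path):
        return "c2-pattern"
    return None


# Constructed proxy log, syslog-style: "<Mon DD HH:MM:SS> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
Oct 30 09:14:02 10.1.4.23 GET http://www.example.org/index.html 200
Oct 30 09:15:47 10.1.4.23 GET http://www.daikychi.de/LTDVVFONLS.html 200
Oct 30 09:16:10 10.1.4.23 GET http://91.121.90.80:8080/F911A672AE42FE0D3E501D3F3A364199EF74BDC93B112F3D397626680610EB781E39F86AFAEB6AA94F385BE9F540F0FC56CF007F4ECBE171E8C93EA3E1385A97EDFF413C82D541 200
Oct 30 09:20:33 10.1.7.8 GET http://example.net/ABCDEFGHIJ.html 404
Oct 30 09:21:00 10.1.7.8 POST http://10.0.0.5:8080/api/upload 201
"""
LOG_LINE_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (\S+) (\d{3})$")


def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, verdict, url) for every line that hits an indicator or pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        _ts, client, _method, url, _status = m.groups()
        verdict = classify_url(url)
        if verdict:
            hits.append((client, verdict, url))
    return hits


def lookup_md5(hexdigest: str) -> Optional[str]:
    """Detection name from the post for a known sample hash, else None."""
    return SAMPLE_MD5S.get(hexdigest.lower())


def check_file_hash(data: bytes) -> Optional[str]:
    """Hash a file's bytes and look the digest up against the three samples."""
    return lookup_md5(hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    for client, verdict, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client:12} {verdict:16} {url[:60]}")
```

Exact matches (`landing`, `c2`) are the post's own indicators and can drive blocking or host isolation; the `-pattern` verdicts only say a request looks like the campaign's URL shape and belong in a review queue, since any ten-letter `.html` page or long hex path on 8080 will trip them. Once the campaign rotates landing pages, the pattern verdicts are what keep surfacing new hosts worth adding to the exact lists.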

We’ll continue monitoring the developments of the campaign, and post updates as soon as new campaigns are launched.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.