Users of FedEx’s Online Billing service, watch out!

Cybercriminals are currently mass-mailing tens of thousands of emails impersonating the company, in an attempt to trick its customers into clicking on links in the legitimate-looking messages that lead to client-side exploits and a malware-dropping payload.

More details:

Sample screenshot of the spamvertised email:


Sample client-side exploits serving URL: hxxp://

Sample malicious payload dropping URL: hxxp://

Malicious domain name reconnaissance: – – Email:
Name Server: NS1.HTTP-PAGE.NET
Name Server: NS2.HTTP-PAGE.NET

Responding to the same IP ( are the following malicious domains:

We’ve already seen the same IP ( and name servers used in the following previously profiled malicious campaigns, indicating that they’ve been launched by the same party:
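
The attribution step above (same IP plus the same name-server pair across campaigns, therefore the same party) is a passive-DNS pivot. The following is an added example of that pivot, not code from the original post: only the name servers NS1.HTTP-PAGE.NET and NS2.HTTP-PAGE.NET are taken from the post; every domain, IP address and campaign label in the records is constructed sample data.

```python
"""Pivot on shared hosting infrastructure the way the analysis above does.

Added example, not code from the original post. The name servers
NS1/NS2.HTTP-PAGE.NET are taken from the post; every domain, IP address
and campaign label below is constructed sample data.
"""
from collections import defaultdict

# Constructed passive-DNS style records:
# (domain, hosting IP, name servers, campaign theme).
RECORDS = [
    ("fedex-billing-online.example", "203.0.113.10",
     ("NS1.HTTP-PAGE.NET", "NS2.HTTP-PAGE.NET"), "FedEx"),
    # Same operator, but the name servers come back in a different
    # case/order and with trailing dots, as passive-DNS feeds often do.
    ("fedex-invoice-notice.example", "203.0.113.10",
     ("ns2.http-page.net.", "ns1.http-page.net."), "FedEx"),
    ("ups-delivery-failure.example", "203.0.113.10",
     ("NS1.HTTP-PAGE.NET", "NS2.HTTP-PAGE.NET"), "UPS"),
    ("adp-payroll-invoice.example", "203.0.113.10",
     ("NS1.HTTP-PAGE.NET", "NS2.HTTP-PAGE.NET"), "ADP"),
    # Same IP but different name servers: a co-hosted tenant, not the same operator.
    ("shared-host-tenant.example", "203.0.113.10",
     ("ns1.hosting-provider.example", "ns2.hosting-provider.example"), "unrelated"),
    # Different IP entirely.
    ("news-portal.example", "198.51.100.7",
     ("ns1.hosting-provider.example", "ns2.hosting-provider.example"), "unrelated"),
]


def infra_key(ip, name_servers):
    """Canonical (ip, sorted lowercase name-server tuple) key for a record."""
    return ip, tuple(sorted(ns.lower().rstrip(".") for ns in name_servers))


def build_index(records):
    """Map each infrastructure key to the domains hosted on it."""
    index = defaultdict(list)
    for domain, ip, ns, _campaign in records:
        index[infra_key(ip, ns)].append(domain)
    return index


def same_ip(records, ip):
    """Domains responding on the given IP (the weaker pivot: IP alone)."""
    return sorted(d for d, rip, _, _ in records if rip == ip)


def linked_campaigns(records, seed_domain):
    """Campaign themes whose domains share BOTH the seed's IP and its name-server pair.

    Requiring both is what justifies the 'same party' conclusion: a shared
    IP alone is often nothing more than shared hosting.
    """
    seed = next(r for r in records if r[0] == seed_domain)
    key = infra_key(seed[1], seed[2])
    return sorted({campaign for d, ip, ns, campaign in records
                   if infra_key(ip, ns) == key and d != seed_domain})


if __name__ == "__main__":
    print("on the IP:", same_ip(RECORDS, "203.0.113.10"))
    print("same IP + NS pair:", linked_campaigns(RECORDS, "fedex-billing-online.example"))
```

Note the difference between the two pivots: the IP-only query also returns the co-hosted tenant, while the IP-plus-name-server query returns only the themes run from the same registrar/DNS setup, which is the overlap the post relies on.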

Upon successful client-side exploitation, the FedEx-themed campaign drops a sample with MD5 c2f72ff5b0cf4dec4ce33e4cc65796b1, detected by 22 out of 46 antivirus scanners as PWS:Win32/Zbot.gen!AM.

Once executed, the sample creates the following files on the affected host:
C:\Documents and Settings\<USER>\Application Data\Alyszkiotp.exe
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp5600c543.bat"

It also creates the following mutexes:

The following registry keys:
\REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\WAB\WAB4\Wab File Name

It also attempts to connect to the following IPs:

Webroot SecureAnywhere users are proactively protected from this threat.
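
The host artefacts listed above (the dropped executable under Application Data, the cmd.exe /c launch of a tmp*.bat from the Temp folder, and the lookup of the Windows Address Book file-name key) are the kind of behaviour a sandbox or EDR event feed can be matched against. The following is an added example of that matching, not code from the original post: the MD5, the dropped-file locations and the registry key are the ones reported above; the event format and the sample events are constructed, and the generic regular expressions are a generalisation of those artefacts rather than anything the post itself provides.

```python
"""Flag sandbox behaviour that matches the host artefacts reported above.

Added example, not code from the original post. The MD5, the dropped-file
locations and the registry key are the ones reported above; the event
format and the sample events are constructed, and the generic patterns
are a generalisation of those artefacts.
"""
import re

KNOWN_MD5 = {"c2f72ff5b0cf4dec4ce33e4cc65796b1"}

# name -> (event field to inspect, pattern). Patterns generalise the
# reported artefacts: a random-named .exe under Application Data, a
# cmd.exe /c launch of a tmp*.bat from %TEMP%, and a lookup of the
# Windows Address Book file-name key.
PATTERNS = {
    "appdata_dropper": ("path", re.compile(
        r"^[a-z]:\\documents and settings\\[^\\]+\\application data\\(?:[^\\]+\\)*[^\\]+\.exe$",
        re.I)),
    "temp_bat_via_cmd": ("cmdline", re.compile(
        r'cmd\.exe"?\s+/c\s+"?[a-z]:\\.*\\temp\\tmp[0-9a-f]+\.bat', re.I)),
    "wab_lookup": ("key", re.compile(
        r"\\software\\microsoft\\wab\\wab4\\wab file name$", re.I)),
}

# Constructed sandbox events for a run of the sample
# (user name and the Application Data folder/file names are invented).
SAMPLE_EVENTS = [
    {"type": "file_write",
     "path": r"C:\Documents and Settings\victim\Application Data\Ukyna\epol.exe"},
    {"type": "process_create",
     "cmdline": r'"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\victim~1\LOCALS~1\Temp\tmp5600c543.bat"'},
    {"type": "registry_read",
     "key": r"\REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\WAB\WAB4\Wab File Name"},
    {"type": "file_write",
     "path": r"C:\Documents and Settings\victim\My Documents\report.doc"},
]

# Constructed events from a benign installer, for contrast.
BENIGN_EVENTS = [
    {"type": "file_write", "path": r"C:\Program Files\Tool\tool.exe"},
    {"type": "process_create", "cmdline": r'"C:\Program Files\Tool\tool.exe" /quiet'},
]


def match_events(events):
    """Return the set of pattern names hit by at least one event."""
    hits = set()
    for event in events:
        for name, (field, pattern) in PATTERNS.items():
            value = event.get(field)
            if value and pattern.search(value):
                hits.add(name)
    return hits


def verdict(events, sample_md5):
    """known_sample on a hash match; behavioural_match on >= 2 patterns; else no_match."""
    if sample_md5.lower() in KNOWN_MD5:
        return "known_sample"
    if len(match_events(events)) >= 2:
        return "behavioural_match"
    return "no_match"


if __name__ == "__main__":
    print(match_events(SAMPLE_EVENTS), verdict(SAMPLE_EVENTS, "0" * 32))
    print(match_events(BENIGN_EVENTS), verdict(BENIGN_EVENTS, "0" * 32))
```

The hash check catches this exact sample; the behavioural rules are what still fire when the next campaign ships a repacked binary with a fresh MD5 but the same install and self-delete routine, which is why the verdict requires two independent patterns rather than one.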

You can find more about Dancho Danchev at his LinkedIn profile. You can also follow him on Twitter.
