Over the past couple of days, cybercriminals have launched two consecutive malware campaigns impersonating DHL in an attempt to trick users into thinking that they’ve received a parcel delivery notification. The first campaign comes with a malicious attachment, whereas in the second, the actual malicious archive is located on a compromised domain.
Sample screenshot of the the first spamvertised template:
Sample screenshot of the second spamvertised template:
Detection rate for the malicious executable:
MD5: 85f908a5bd0ada2d72d138e038aecc7d – detected by 12 out of 45 antivirus scanners as Backdoor.Win32.Androm.pta.
Once executed, it phones back to hxxp://seantit.ru/new/gate.php (126.96.36.199; 188.8.131.52; 184.108.40.206; 220.127.116.11; 18.104.22.168) and also downloads hxxp://seantit.ru/ya.exe (22.214.171.124) MD5: be52e7e38b9b467c51972cc841e7e487 – detected by 23 out of 46 antivirus scanners as Trojan:Win32/FakeSysdef.
Responding to the same IP are also the following domains part of the campaign’s infrastructure:
seantit.ru (Name server: ns1.secrettappes.com – 126.96.36.199 – Email: firstname.lastname@example.org; Name server: ns1.insectiore.net – 188.8.131.52 – Email: email@example.com) is also known to have responded to the following IPs:
Webroot SecureAnywhere users are proactively protected from this threat.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.