{"id":10672,"date":"2013-04-25T00:00:43","date_gmt":"2013-04-25T07:00:43","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=10672"},"modified":"2018-10-05T12:30:53","modified_gmt":"2018-10-05T18:30:53","slug":"fake-dhl-delivery-report-themed-emails-lead-to-malware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/04\/25\/fake-dhl-delivery-report-themed-emails-lead-to-malware\/","title":{"rendered":"Fake ‘DHL Delivery Report’ themed emails lead to malware"},"content":{"rendered":"

Over the past couple of days, cybercriminals have launched two consecutive malware campaigns impersonating DHL<\/strong><\/a> in an attempt to trick users into thinking that they’ve received a parcel delivery notification. The first campaign comes with a malicious attachment, whereas in the second, the actual malicious archive is located on a compromised domain.<\/p>\n

More details:<\/p>\n

Sample screenshot of the the first spamvertised template:<\/strong><\/p>\n

\"Fake_DHL_Delivery_Notification_Email_Spam_Malware_Social_Engineering\"<\/a><\/p>\n

Sample screenshot of the second spamvertised template:<\/strong><\/p>\n

\"Fake_DHL_Delivery_Notification_Email_Spam_Malware_Social_Engineering_01\"<\/a><\/p>\n

Detection rate for the malicious executable:<\/strong>
\nMD5: 85f908a5bd0ada2d72d138e038aecc7d<\/strong><\/a> – detected by 12 out of 45 antivirus scanners as Backdoor.Win32.Androm.pta.<\/p>\n

Once executed, it phones back to hxxp:\/\/seantit.ru\/new\/gate.php<\/strong> (67.174.162.23; 113.161.74.243; 5.175.142.32; 5.175.143.42; 202.180.52.3) and also downloads hxxp:\/\/seantit.ru\/ya.exe<\/strong> (202.180.52.3) MD5: be52e7e38b9b467c51972cc841e7e487<\/strong><\/a> – detected by\u00a023 out of 46 antivirus scanners as Trojan:Win32\/FakeSysdef.<\/p>\n

Responding to the same IP are also the following domains part of the campaign’s infrastructure:
\nindependinsy.net<\/strong>
\nconfideracia.ru<\/strong>
\ngatoversignie.ru<\/strong>
\nprogramcam.ru<\/strong>
\ncondalinaradushko.ru<\/strong><\/p>\n

seantit.ru<\/strong> (Name server: ns1.secrettappes.com<\/strong> – 209.140.18.37 – Email: calnroam2@yahoo.com<\/em>; Name server: ns1.insectiore.net<\/strong> – 209.140.18.37 – Email: conaninfo@rocketmail.com<\/em>) is also known to have responded to the following IPs:
\n5.175.142.32
\n5.175.143.42
\n66.230.163.135
\n67.174.162.23
\n86.95.203.184
\n94.249.206.117
\n108.174.197.91
\n111.118.185.166
\n186.115.144.123
\n202.180.52.3
\n206.174.122.15<\/p>\n

Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are proactively protected from this threat.<\/p>\n

You can find more about Dancho\u00a0Danchev at his\u00a0LinkedIn Profile<\/strong><\/a>. You can also\u00a0follow him on Twitter<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Over the past couple of days, cybercriminals have launched two consecutive malware campaigns impersonating DHL in an attempt to trick users into thinking that they’ve received a parcel delivery notification. The first campaign comes with a malicious attachment, whereas in the second, the actual malicious archive is located on a compromised domain. More details:<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[4037,14391,14389,4811,3871,3885,5257,11475,4065,3477,5717,12443,3875,5605,5615,5883,14387,14393,3529,3471],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/10672"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=10672"}],"version-history":[{"count":2,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/10672\/revisions"}],"predecessor-version":[{"id":25657,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/10672\/revisions\/25657"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=10672"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=10672"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=10672"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=10672"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}