{"id":7245,"date":"2012-06-26T17:04:35","date_gmt":"2012-06-27T00:04:35","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=7245"},"modified":"2018-10-05T11:08:34","modified_gmt":"2018-10-05T17:08:34","slug":"spamvertised-dhl-express-parcel-tracking-notification-emails-serving-malware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/06\/26\/spamvertised-dhl-express-parcel-tracking-notification-emails-serving-malware\/","title":{"rendered":"Spamvertised ‘DHL Express Parcel Tracking Notification’ emails serving malware"},"content":{"rendered":"

Remember the “Spamvertised \u2018DHL Package delivery report\u2019 emails serving malware<\/strong><\/a>” campaign profiled earlier this month?<\/p>\n

It seems that another cybercrime gang has started impersonating DHL in an attempt to serve malware to the millions of spamvertised end and corporate users.<\/p>\n

More details:<\/p>\n

<\/p>\n

Screenshot of the currently spamvertised email:<\/strong><\/p>\n

\"\"<\/a><\/p>\n

Just like the previous campaign impersonating DHL, this one is also relying on attached .zip file containing the actual malware.<\/p>\n

DHL-Details.exe – MD5: 89bec26d1f7d711eda39437612568319<\/strong><\/a> detected by 33 out of 42 antivirus scanners as Trojan-Spy.Win32.Zbot.dzrx; Trojan.Zbot<\/p>\n

Upon execution the sample creates the following files on the infected host:<\/p>\n

%AppData%Ceydalysluiv.tmp – MD5: D6965F59B8D78DC0B8CB747F0F2878E3<\/strong>
\n%AppData%Ceydalysluiv.zia – MD5: 9F17BD86F8A772DC0B6A3CF0CCDCE2FC<\/strong>
\n%AppData%Obbiosetamys.exe – MD5: 66F2DD0D1366A95EBD120558AC3F5585<\/strong>
\n%Temp%tmpefdf2dea.bat – MD5: 489504C649766ECC691C4EEB3F86910C<\/strong><\/p>\n

It also phones back to the following URL located in Russia –\u00a0178.208.81.242\/heinz\/varieties\/opt.php<\/strong> – AS35415, MCHOST-NET, Russian Federation<\/p>\n

Webroot Secure Anywhere<\/strong><\/a> users are proactively protected from this threat.<\/p>\n

You can find more about Dancho Danchev at his\u00a0LinkedIn Profile<\/a><\/strong>. You can also\u00a0follow him on \u00a0Twitter<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Remember the “Spamvertised \u2018DHL Package delivery report\u2019 emails serving malware” campaign profiled earlier this month? It seems that another cybercrime gang has started impersonating DHL in an attempt to serve malware to the millions of spamvertised end and corporate users. More details:<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[3881,11475,11477,11473,3477,5717,5883,3529],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/7245"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=7245"}],"version-history":[{"count":2,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/7245\/revisions"}],"predecessor-version":[{"id":25363,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/7245\/revisions\/25363"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=7245"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=7245"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=7245"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=7245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}