Friday, 2 January 2015

FedEx Home Delivery Postal Notification malware

FedEx Home Delivery Postal Notification malware is now arriving in the form of an HTML email
with a link to a website that auto-downloads a dangerous zip file:

Headers:

From: "FedEx Home Delivery" {support@fincaelsympatico.es}
X-Mailer: TWIG2.6.2
Reply-To: "FedEx Home Delivery" {support@fincaelsympatico.es}
Subject: Postal Notification
Message body:

Dear Customer,

Your parcel has arrived at December 29. Courier was unable to deliver the parcel to you.
To receive your parcel, print this label and go to the nearest office.
       
Get Shipment Label


Clicking on the link from a Windows system gives you a zip file (the name is based on the location of your IP address):

Label-Crewe.zip
Clicking on the link from a non-Windows system... the zip isn't downloaded...

Yes, Windows 9x...

On the Windows machine, inside the zip is a Windows executable:
Label-Crewe.exe
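As an added example (not code from the Sanesecurity post), a small Python check that scores a message against the indicators described above: a courier brand in the From display name versus the real sender domain, the lure subject, and an archive whose only member is a "Label-<city>" executable. The headers and the archive below are constructed stand-ins; the angle brackets around the address and the list of legitimate fedex.com domains are assumptions.

```python
import email
import io
import zipfile
from email.utils import parseaddr

# Constructed sample mirroring the headers quoted in the post (angle brackets assumed).
SAMPLE_HEADERS = (
    'From: "FedEx Home Delivery" <support@fincaelsympatico.es>\n'
    "X-Mailer: TWIG2.6.2\n"
    'Reply-To: "FedEx Home Delivery" <support@fincaelsympatico.es>\n'
    "Subject: Postal Notification\n\n"
)
# Assumption: brand keywords and the sender domains that brand legitimately mails from.
BRAND_DOMAINS = {"fedex": ("fedex.com",)}
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com")

def header_indicators(raw_message: str) -> list:
    """Return reasons a message looks like a brand-spoofed courier lure."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    hits = []
    for brand, good in BRAND_DOMAINS.items():
        if brand in name.lower() and not any(domain == g or domain.endswith("." + g) for g in good):
            hits.append(f"display name claims {brand} but sender domain is {domain}")
    if "postal notification" in (msg.get("Subject") or "").lower():
        hits.append("subject matches the courier-notification lure")
    return hits

def zip_indicators(zip_bytes: bytes) -> list:
    """Flag archives whose only payload is an executable posing as a shipping label."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    execs = [n for n in names if n.lower().endswith(EXEC_SUFFIXES)]
    if execs:
        hits.append("archive contains executable(s): " + ", ".join(execs))
    if len(names) == 1 and execs and names[0].lower().startswith("label-"):
        hits.append("single 'Label-<city>' executable posing as a shipping label")
    return hits

def build_sample_zip(member: str = "Label-Crewe.exe") -> bytes:
    """Constructed stand-in for the downloaded archive; the member is a stub, not a real PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"MZ" + b"\x00" * 62)
    return buf.getvalue()
```

Run `header_indicators(SAMPLE_HEADERS)` and `zip_indicators(build_sample_zip())` to see the hits for the sample; a mail gateway would typically quarantine on the first zip hit alone.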


VirusScanner Reports:
MD5 hash: eb0e95be3e03b5616ddd388c583c52b4
VirusTotal Report: [9 / 56] (a variant of Win32/Kryptik.CULP)
Malwr Report
Hybrid-Analysis Report

When the exe file runs, it connects to the following location:

IP: 217.106.239.250
Port 443
Location: Russian Federation

Best avoid this one...

Cheers,

Steve
Sanesecurity.com
