Tuesday, December 4, 2012

FedEx Phishing - FakeAV

The Email

Lots of people have been getting emails claiming that you have a package from FedEx and that, in order to retrieve it, you must check their invoice. Below is an example of the email:

If you fell for the email and clicked the link to retrieve the postal receipt, the page directs you to a zip archive called 'Postal-Receipt.zip', which contains the malicious EXE.


Some of the domains linked to in the emails are:

The Attachment

File: Postal-Receipt.zip
Size: 31398
MD5: DCEFC82EF60639AA821378D4BDC58EFC
FileType: Zip file
https://www.virustotal.com/file/2e3cc6664ef47521e4fb944013af388a91685a395021933eb381f8c3714a339b/analysis/


Here's what the EXE in the zip archive looks like once extracted. Clearly not a Word document.

File: Postal-Receipt.exe
Size: 53248
MD5: 6B02ED78EF103CAE39D6FBBD13EF1AFD
Compiled Date: Sat, Dec 1 2012, 21:42:32 - 32-bit
https://www.virustotal.com/file/a351d4e5cbbd1829aa46d4666309bfd0b11068e5c8815892723a11edac74afd7/analysis/
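As an added example (not the author's code), a defender-side check for the attachment pattern described above: a zip whose member is a PE executable dressed up as a document. It assumes a mail-gateway style hook that receives the raw attachment bytes; the sample zip is constructed here and is not the real Postal-Receipt.zip.

```python
import hashlib
import io
import zipfile

# MD5s from the post above (the zip and the dropper it contains); a match is a hard hit.
KNOWN_BAD_MD5 = {
    "dcefc82ef60639aa821378d4bdc58efc",  # Postal-Receipt.zip
    "6b02ed78ef103cae39d6fbbd13ef1afd",  # Postal-Receipt.exe
}
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def inspect_zip_attachment(data: bytes) -> dict:
    """Inspect a zip attachment as a mail gateway would: flag a known-bad archive
    hash, and any member that is executable by extension or by its MZ header
    (so a dropper renamed to look like a document is still caught)."""
    report = {"archive_md5": hashlib.md5(data).hexdigest(),
              "known_bad": False, "executables": [], "verdict": "allow"}
    if report["archive_md5"] in KNOWN_BAD_MD5:
        report["known_bad"] = True
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["verdict"] = "quarantine"  # malformed archives are not worth delivering
        return report
    for info in zf.infolist():
        if info.is_dir():
            continue
        blob = zf.read(info)
        if hashlib.md5(blob).hexdigest() in KNOWN_BAD_MD5:
            report["known_bad"] = True
        # PE files start with the "MZ" DOS stub regardless of what they are named.
        if info.filename.lower().endswith(EXEC_EXT) or blob[:2] == b"MZ":
            report["executables"].append(info.filename)
    if report["known_bad"] or report["executables"]:
        report["verdict"] = "quarantine"
    return report


def build_sample_zip(member_name: str = "Postal-Receipt.exe") -> bytes:
    """Constructed stand-in for Postal-Receipt.zip (not the real sample): a fake PE
    consisting of just an MZ header, plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text, should not be flagged")
    return buf.getvalue()
```

Calling `inspect_zip_attachment(build_sample_zip("Postal-Receipt.doc"))` still quarantines the archive, because the MZ header gives the renamed executable away.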

Post Infection

A quick screenshot depicting what the callbacks look like across the wire. The request parameter is just a long string of hex, which will likely initiate the download of the next payload, since the attachment is probably just the dropper.

Observed beacons to the following:


UPDATE

So it's definitely VM-aware, but I sandboxed it and got the stage 2 payload. It's a FakeAV campaign.

File: update.exe
Size: 573440
MD5: 24AF8A9423DC3A89E6D816C4DA3DAE95
Compiled Date: Dec 4 19:34:01 2012 (Tue)
https://www.virustotal.com/file/069d3e48010d6ef93f14c3d5e52ca2649c48fcc983f92be8236459324a69ef59/analysis/1354672077/

Stage 2 Domains/IPs

gilbillingpay.com - serves the FakeAV license page
178.162.170.132

Some screenshots

That's the initial stuff anyway... I'll get more info later. Plus, since it appears to be a huge campaign, there will probably be dozens of other people providing some of the same info and more.