2017-04-18 - USPS-THEMED MALSPAM RESUMES AFTER WEEKEND BREAK

ASSOCIATED FILES:

BACKGROUND ON THIS CAMPAIGN:

NOTES FOR TODAY:

Shown above:  Flowchart for this infection traffic.

EMAILS

Shown above:  Example of the emails seen today.

DATES/TIMES:

EXAMPLES OF SENDING ADDRESSES (ALL SPOOFED):

EXAMPLES OF SUBJECT LINES:

TRAFFIC

Shown above:  Fake Word online site sends an executable file (Zeus Panda Banker).

Shown above:  Fake Word online site sends a zip archive containing a .js file (JavaScript to load Zeus Panda Banker, Kovter, and Miuref/Boaxxe).
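The two delivery variants captioned above (a bare executable, or a zip archive carrying a .js loader where a document was promised) are the observable a defender can key on at the download stage. The following is an added example, not code from the original page or its author: a Python triage routine that classifies a downloaded blob by its leading bytes and, for zip archives, flags script or executable members, including double extensions such as `name.doc.js`. The extension lists and every sample blob are constructed for the example; the page itself documents only the .js variant.

```python
"""Triage a downloaded blob for the two delivery variants seen in this campaign:
a bare Windows executable, or a zip archive whose payload is a script dropper
(.js) instead of the document the lure promised. Added example, not the page's code."""
import io
import zipfile
from typing import Dict, List

# Extensions of script-based loaders. Constructed list for this example; the page
# only documents the .js variant.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".cmd", ".bat"}
# Native executables that a "document" download should never contain.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".pif", ".com"}


def _extension(name: str) -> str:
    """Last suffix of a member name, lower-cased. Only the final suffix matters, so a
    double extension such as 'notice.doc.js' is treated as .js, not .doc."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[-1].lower()


def suspicious_members(zip_bytes: bytes) -> List[str]:
    """Return the names of archive members that are scripts or executables."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _extension(info.filename)
            if ext in SCRIPT_EXTENSIONS or ext in EXECUTABLE_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


def classify_download(blob: bytes) -> str:
    """Coarse verdict for a blob served by a fake 'Word online' download page.

    'executable'     - a PE file (MZ header) was served where a document was promised
    'script-dropper' - a zip whose members include scripts or executables
    'document-only'  - a zip with no script or executable members
    'corrupt-zip'    - zip local-file-header signature present but the archive will not parse
    'unknown'        - neither a PE header nor a zip local-file-header signature
    """
    if blob[:2] == b"MZ":
        return "executable"
    if blob[:4] != b"PK\x03\x04":
        return "unknown"
    try:
        flagged = suspicious_members(blob)
    except zipfile.BadZipFile:
        return "corrupt-zip"
    return "script-dropper" if flagged else "document-only"


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples standing in for the campaign's downloads; none of this is the
# page's actual files or hashes.
SAMPLE_DROPPER_ZIP = build_zip({"notice.doc.js": b"// constructed placeholder, not a real loader\n"})
SAMPLE_BENIGN_ZIP = build_zip({"report.docx": b"constructed document body", "img/logo.png": b"\x89PNG"})
SAMPLE_EXECUTABLE = b"MZ\x90\x00" + b"\x00" * 60   # constructed PE-like header only
SAMPLE_CORRUPT_ZIP = b"PK\x03\x04" + b"\x00" * 16  # signature with no central directory

if __name__ == "__main__":
    for label, blob in [("dropper zip", SAMPLE_DROPPER_ZIP), ("benign zip", SAMPLE_BENIGN_ZIP),
                        ("executable", SAMPLE_EXECUTABLE), ("corrupt zip", SAMPLE_CORRUPT_ZIP)]:
        print(f"{label:12s} -> {classify_download(blob)}")
```

In practice this check sits at the proxy or sandbox boundary: a response whose lure promised a document but which classifies as `executable` or `script-dropper` is worth an alert on its own, before any of the second-stage downloads listed under the .js file's URLs ever happen.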
Shown above:  Traffic from an infection where the fake Word online site sends an executable.

Shown above:  Alerts from an infection where the fake Word online site sends an executable.

Shown above:  Traffic from an infection where the fake Word online site sends a zipped .js file.

Shown above:  Alerts from an infection where the fake Word online site sends a zipped .js file.
LINKS FROM THE EMAILS:

REDIRECTS LEADING TO FAKE WORD ONLINE PAGES:

FAKE WORD ONLINE PAGES AND MALWARE DOWNLOADS:

PARTIAL URLS FROM THE .JS FILES FOR ADDITIONAL MALWARE (AND PROBABLY OTHER FAKE WORD ONLINE SITES):
FILE HASHES

EXAMPLE OF ZIP ARCHIVE FROM FAKE WORD ONLINE SITE:

EXTRACTED .JS FILE FROM THE ABOVE ZIP ARCHIVE:

EXAMPLES OF MALWARE DOWNLOADED BY THE EXTRACTED .JS FILE:

EXAMPLE OF EXECUTABLE FROM FAKE WORD ONLINE SITE:
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.