2014-09-04 - PHISHING CAMPAIGN - SUBJECT: FEDEX | SHIPPING NOTIFICATION UPDATE [NUMBER]

ASSOCIATED FILES:

• ZIP of CSV spreadsheet for the emails seen:  2014-09-04-phishing-campaign-email-tracking.csv.zip
• ZIP of the pcap(s):  2014-09-04-phishing-malware-traffic.pcap.zip
• ZIP of the malware:  2014-09-04-phishing-malware.zip

 

NOTES:

• I noticed four of these today.  The emails have a Word document attachment with macros that download malware.
• These messages came through Canadian mail servers at 209.226.175.45 and 209.226.175.45.
• The header lines indicate a different origin, possibly 181.52.171.216 or 184.151.58.2, if that information isn't spoofed like the sending email address was.
• The official FedEx website warns about similar phishing emails at: http://www.fedex.com/us/security/prevent-fraud/email.html

 

EXAMPLE OF THE EMAILS

SCREENSHOT:

 

MESSAGE TEXT:

From: Marc Eubanks <25ndpoop@FedExShipping1.com>
Reply-To: Marc Eubanks <25ndpoop@FedExShipping1.com>
Date: Thursday, September 4, 2014 at 7:29 UTC
To: [redacted]
Subject: FedEx | Shipping Notification Update 1

Dear [redacted],
Unfortunately we failed to deliver a postal package to you that was sent on the 25th of August.
Please print out the invoice attached and collect the package at our office.

Marc Eubanks
Customer Service Department
Your Fedex
www.fedex.com

This email is protected by copyright and trademark laws under US and International law. All rights reserved 1995-2014 FedEx

Attachment: fedex invoice.doc (53 KB)

 

EMAIL HEADERS:

 

PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  fedex invoice.doc
File size:  39.2 KB ( 40139 bytes )
MD5 hash:  6a3c4d3bb4e07abe27a254f48feba132
Detection ratio:  3 / 54
First submission:  2014-09-04 12:28:37 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9bbcd4dd671871832a4ff4f16892799c488462e375f19b2a893b0dc2db0979d1/analysis/

 

DOWNLOADED MALWARE 1 OF 3:

File name:  beta.exe
File size:  187.5 KB ( 192000 bytes )
MD5 hash:  de4a8d9dac69f67ada65b6212d63c38c
Detection ratio:  11 / 55
First submission:  2014-09-04 11:47:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ff8b67338a0a59e690848dc2acb166949a906983023d4cd483125a5548c68b5b/analysis/

 

DOWNLOADED MALWARE 2 OF 3:

File name:  Microsoft.exe
File size:  1.4 MB ( 1425408 bytes )
MD5 hash:  b150d1fd3c57ab81c31d45ae381b5315
Detection ratio:  19 / 55
First submission:  2014-09-04 12:46:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2c4c4efbed081dc29bc349988407306dcf94680c30dad7ae0da31a85fa9ca8b0/analysis/

 

DOWNLOADED MALWARE 3 OF 3:

File name:  loader2.exe
File size:  76.0 KB ( 77824 bytes )
MD5 hash:  3177aab3324276a161ad158aa0a701b6
Detection ratio:  16 / 55
First submission:  2014-09-04 16:31:34 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e61213bb8ee7894fad6813e34a5d2f36753a3dc644906324cc0db9d84b16ed85/analysis/

 

INFECTION TRAFFIC

EXECUTING THE MALWARE ON A WINDOWS 7 VM:

• 2014-09-04 22:51:18 UTC - 172.16.165.132:49160 - 94.102.52.186:80 - chinamanken.com - GET /exe/fedex.php
• 2014-09-04 22:51:18 UTC - 172.16.165.132:49161 - 94.102.52.186:80 - chinamannick.com - GET /exe/beta.exe
• 2014-09-04 22:52:24 UTC - 172.16.165.132:49163 - 94.102.52.186:80 - fapncam.com - POST /beta/order.php?page=42
• 2014-09-04 22:52:38 UTC - 172.16.165.132:49164 - 94.102.63.7:80 - 94.102.63.7 - GET /Microsoft.exe
• 2014-09-04 22:52:39 UTC - 172.16.165.132:49165 - 94.102.52.186:80 - chinamanken.com - GET /exe/loader2.exe
• 2014-09-04 22:52:44 UTC - 172.16.165.132:49170 - 37.48.64.33:80 - friedstresser.com - GET /links/chaos.txt
• 2014-09-04 22:52:45 UTC - 172.16.165.132:49172 - 173.194.46.65:80 - www.youtube.com - GET /watch?v=xz21Tr6UrzM
• 2014-09-04 22:54:55 UTC - 172.16.165.132:49328 - 173.194.46.65:80 - www.youtube.com - GET /watch?v=-8P-Tksy_q8

• Also saw repeated connection attempts over TCP port 8080 to 89.253.247.71 and 110.170.117.46 (all connection attempts reset by the server).

 

SNORT EVENTS FROM INFECTED VM

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

• 2014-09-04 22:52:24 UTC - 172.16.165.132:49163 - 94.102.52.186:80 - ETPRO TROJAN Win32/Neurevt.A Checkin 3 (sid:2807970)
• 2014-09-04 22:52:24 UTC - 172.16.165.132:49163 - 94.102.52.186:80 - ET TROJAN Win32/Neurevt Check-in 4 (sid:2018784)
• 2014-09-04 22:52:38 UTC - 94.102.63.7:80 - 172.16.165.132:49164 - ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile (sid:2009080)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

• 2014-09-04 22:51:19 UTC - 94.102.52.186:80 - 172.16.165.132:49161 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-09-04 22:51:19 UTC - 94.102.52.186 - 172.16.165.132 - [139:1:1] (spp_sdf) SDF Combination Alert (x2)
• 2014-09-04 22:52:38 UTC - 94.102.63.7:80 - 172.16.165.132:49164 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-09-04 22:52:38 UTC - 94.102.63.7:80 - 172.16.165.132:49164 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-09-04 22:52:38 UTC - 94.102.63.7:80 - 172.16.165.132:49164 - [1:22002:5] FILE-IDENTIFY Microsoft Visual Basic v6.0 - additional file magic detected
• 2014-09-04 22:52:39 UTC - 94.102.52.186:80 - 172.16.165.132:49165 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of CSV spreadsheet for the emails seen:  2014-09-04-phishing-campaign-email-tracking.csv.zip
• ZIP of the pcap(s):  2014-09-04-phishing-malware-traffic.pcap.zip
• ZIP of the malware:  2014-09-04-phishing-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.