Your Order - Fake DHL Malware


A fake DHL Pack Station email claims a shipment label was printed for delivery.

The links go to compromised websites which automatically download a zip containing an EXE trojan horse or virus.

Very similar to the fake American Airlines ticket series with malware links.

This is the successor to the fake Fedex Tracking "parcel arrived" or "unable to deliver" / "postrider" series.

http://techhelplist.com/index.php/spam-list/92-number-nww68-884-953-1140-7313

The successor to this DHL Pack Station series is possibly the "UPS Parcel has been Send" series.

http://techhelplist.com/index.php/spam-list/248-your-parcel-has-been-send-virus

Around 5 August 2013, the same emails started using "DHL Express" instead of "DHL Pack Station".

The website the link in this email goes to can behave differently for mobile browsers: it uses the User-Agent header to tailor the content to the victim's device. Don't mess with these using a smartphone!

See this discussion at stackexchange:

http://security.stackexchange.com/questions/35983/malicious-links-that-respond-to-browsers-but-not-curl-or-wget

This is part of the Asprox botnet. Check out Rebus Snippets' excellent writeup of the Asprox malware system.


Subject: Your Order

Subject: Order Shipped

Subject: Order Detail

Subject: Tracking Information

Subject: Order has been completed

Subject: Shipping Exception Notification

Subject: Mail Exception Notification

Subject: Shipping Delivery Notification

Subject: Tracking Notification

Subject: Logistics Delivery Notification

Subject: Tracking Detail (I)SQK92 081 195 4697 3878

Subject: Number (L)QGQ67 819 165 4629 7895

Subject: Tracking Number (K)FDT32 826 868 5284 7461

Subject: Tracking ID (C)FE33 068 655 3124 8165

If the links are not working, please move message to  "Inbox" folder.

[DHL logo] [Pack Station]
20.04.2013

DHL Ship Shipment Notification

On April 18, 2013 a shipment label was printed for delivery.

The shipment number of this package is 91654688.

To get additional info about this shipment use any of these options:

1) Click the following URL in your browser:

Get Shipment Info

2) Enter the shipment number on tracking page:

Tracking Page

For further assistance, please call DHL Customer Service.

For International Customer Service, please use official DHL site.

Disclaimer:

This message was created by DHL Ship, a product of DHL, at the request

of the sender. No authentication of email address has been performed.

[DHL Logo and copyright footer]

Picture of fake DHL pack station virus email version1.

Picture of fake DHL pack station virus email version2.

Picture of fake DHL pack station virus email version 3.

Picture of fake DHL pack station virus email version 4, new slick small layout.


The DHL Express version (started showing up around 5 Aug 2013?)

Subject: Tracking Info

Clickable links don't work? Move message to "Inbox" folder!

DHL
EXPRESS

DOWNLOAD
MAILING LABEL
DETAILS FOR PACKAGE
DATE & TIME
STATUS
TRACK ID
2013-08-01 at 11:59
Shipment not delivered
0010572472
Dear Customer, your package has arrived on August 1st, but messenger
was unable to deliver the package to you, for more detailed information,
please, download and read mailing label.

2013 DHL International GmbH. All rights reserved.

Picture of Express DHL Asprox malware email, a variant of the Pack Station series.

Same great color, worse layout.



Header samples: the relaying hosts are compromised web servers (envelope senders such as www-data or apache at the relaying host), and the From: header is almost always "Support Team" <support@...> at a domain containing the word "post". There are also similarities with the fake American Airlines confirmation emails with malware links.


Link examples:

The links go to compromised websites and all follow the same pattern: a path such as /images/index.php (or /templates/rssgets.php, /img/get.php) with an info= or get_info= query parameter (notice the pattern?).


Then (on Windows, with Firefox or IE) you are automatically offered a download of:

Shipping-Detail.zip, containing Shipping Detail.exe (MD5 f27b3b05b52bacdceb1abede13579d07) with an icon that mimics an MS Word document.

https://www.virustotal.com/en/file/9cb859786b675ee21920a56754ca37a929e479702574ebaf60fa8ad380fd2474/analysis/1366640577/

Avast: Win32:Crypt-OQO [Trj]
Microsoft: TrojanDownloader:Win32/Kuluoz.B
Symantec: Trojan.Fakeavlock
Kaspersky: Trojan-Downloader.Win32.Dofoil.pog
McAfee: RDN/Generic.tfr!bx
Sophos: Mal/Weelsof-D
McAfee-GW-Edition: Heuristic.BehavesLike.Win32.Suspicious-BAY.K

Delivery_Information_ID-004588020234-Z31.zip, containing Delivery_Information_ID-004588020234-Z31.exe (MD5 c95e5769048b88934423ef8b4083f384)

https://www.virustotal.com/en/file/b9a4d1d4d9f47959658256d7e6f128250342a59df7edf0e921f166a671fc0f06/analysis/1368113016/

Avast: Win32:Kryptik-LPM [Trj]
Fortinet: W32/Dofoil.B!tr.dldr
Microsoft: TrojanDownloader:Win32/Kuluoz.B
Symantec: Trojan.Fakeavlock
Kaspersky: Trojan-Downloader.Win32.Dofoil.pxb
McAfee: RDN/Generic.tfr!cp
McAfee-GW-Edition: RDN/Generic.tfr!cp
ClamAV: BC.Heuristic.Trojan.SusPacked.BF-6.A

Mobile browsers can be sent something else entirely!

Android:

Application.apk (MD5 3ffa39687b28f3e6993fe6ae218b91c9) was downloaded through yet another compromised website.

http://anubis.iseclab.org/?action=result&task_id=15831933beb49d4a4a141eb80072b9c02&format=html#screenshots

Here's one I got on 5 July 2013: https://www.virustotal.com/en/file/69b262ccf257ac36aeb446680f192c19163c748d1d677f244d1a9d40d08ea177/analysis/1373041653/

McAfee: Artemis!57676378D34E
Avast: Android:FkDefend-A [Trj]
Sophos: Andr/FkDefend-A
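Pulling the subject formats, the forged "Support Team" sender, the "move it to Inbox" nudge and the landing-URL layout described on this page into one mail-triage routine, as an added example (not code from the original post or from techhelplist). The message it parses is constructed, with reserved example domains and a made-up tracking value.

```python
import re
from email import message_from_string

# Subject shapes, the "move to Inbox" nudge and the landing-URL layout follow the samples on this page.
TRACKING_SUBJECT_RE = re.compile(
    r"^(?:Tracking Detail|Tracking Number|Tracking ID|Number) "
    r"\([A-Z]\)[A-Z]{2,3}\d{2}(?: \d{3,4}){4}$"
)
GENERIC_SUBJECTS = {"your order", "order shipped", "order detail", "tracking info",
    "tracking information", "order has been completed", "tracking notification",
    "shipping exception notification", "mail exception notification",
    "shipping delivery notification", "logistics delivery notification"}
INBOX_NUDGE_RE = re.compile(r'move (?:the )?message to\s+"Inbox" folder', re.I)
LANDING_URL_RE = re.compile(
    r"https?://[^\s'\"<>]+/(?:images|templates|img)/(?:index|rssgets|get)\.php"
    r"\?(?:get_)?info=\w+"
)
SUPPORT_FROM_RE = re.compile(r'^"?Support Team"?\s*<support@', re.I)


def _domain(addr: str):
    """Lower-cased domain part of an address header, or None."""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else None


def triage(raw_message: str) -> list:
    """Return the campaign indicators matched by one plain-text RFC 822 message."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    sender = msg.get("From", "")
    # Forged From: envelope sender is a web-server account on the relaying host, From: claims another domain.
    from_dom, env_dom = _domain(sender), _domain(msg.get("X-Envelope-From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    checks = [
        ("subject", subject.lower() in GENERIC_SUBJECTS or TRACKING_SUBJECT_RE.match(subject)),
        ("support-team-from", SUPPORT_FROM_RE.match(sender)),
        ("envelope-mismatch", from_dom and env_dom and from_dom != env_dom),
        ("inbox-nudge", INBOX_NUDGE_RE.search(body)),
        ("landing-url", LANDING_URL_RE.search(body)),
    ]
    return [name for name, hit in checks if hit]


# Constructed sample: reserved example domains and a made-up tracking value.
SAMPLE = """\
X-Envelope-From: www-data@web.example.invalid
From: "Support Team" <support@techpost.example.invalid>
Subject: Tracking ID (C)FE33 068 655 3124 8165

If the links are not working, please move message to "Inbox" folder.
Get Shipment Info: http://www.example.invalid/images/index.php?info=833_1234567
"""
```

Running `triage(SAMPLE)` flags all five indicators; a message that only reuses one of the generic subjects scores a single hit, so the rules are meant to be weighted in a mail filter rather than treated as a verdict on their own.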

Hope this was helpful.
