
Email:

Fake Canada Post or USPS email claims a delivery attempt failed and offers links to tracking or invoice information.

The links lead to a malicious fake MS Word document and to a zip file containing an executable (a trojan downloader). Versions that ship the zip as an attachment carry a .scr executable inside it.

The From header spoofs canadapost.com or usps.gov.


Subject:  Scheduled package delivery failed / 27 feb 2014  (Canada Post Version)

 Dear customer,

We attempted to deliver your item on February 27, 2014 , 05:30 PM.
The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically sent.
You may arrange redelivery by visiting the nearest Canada Post office with the printed shipping inboice mentioned below.

If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
TRACKING Number: MW421330771CA

Expected Delivery Date: February 27, 2014
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent

An electronic copy of the shipping invoice can be downloaded from our website , in :
PDF format : http:// www.canadapost.ca /cpotools/apps/track/personal/findInvoiceByTrackingNumber
?session_id=7002101982901&trk=MW421330771CA&file_format=PDF
DOC format : http://www.canadapost.ca /cpotools/apps/track/personal/findInvoiceByTrackingNumber
?session_id=7002101982901&trk=MW421330771CA&file_format=DOC

To check on the delivery status of your mailing or arrange redelivery please visit the following
URL:
http:// www.canadapost.ca /cpotools/apps/track/personal/findByTrackNumber?execution=e9s1

Thank you,
© 2014 Canada Post Corporation

*** This is an automatically generated email, please do not reply ***

[Image: screenshot of the fake Canada Post failed-delivery email that carries the malware links.]


Subject: USPS √ Missed package delivery  (USPS Variant)

 We attempted to deliver your item at 09:32 am on Apr 22th, 2014.
The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically sent.
You may arrange redelivery by visiting the link below or pick up the item at the U.S. Post Office indicated on the receipt.

If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.
Label/Receipt Number: US7631947EU
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent

Print this label to get this package at our post office.

Thank you,
© 2014 Copyright© 2013 USPS. All Rights Reserved.

*** This is an automatically generated email, please do not reply ***

US7631947EU.zip (9)

Header Examples:

The From header spoofs canadapost.com while the envelope sender (X-Envelope-From) is an unrelated domain such as efax.com.

Received: from 115.Red-79-159-200.staticIP.rima-tde.net [79.159.200.115]
X-Envelope-From: messages @efax.com
From: "Canada Post" <tracking @canadapost.com>
Subject: Scheduled package delivery failed / 27 feb 2014

Received: from QTVQJBDO [96.63.0.254]
X-Envelope-From: messages @efax.com
From: "Canada Post" <tracking @canadapost.com>
Subject: Scheduled package delivery failed / 27 feb 2014

The USPS versions encoded the From and Subject headers with a koi8-r (Russian) charset label, and used random junk local-parts at unrelated domains as the envelope sender.

Received: from pc-20-42-241-201.cm.vtr.net [201.241.42.20]
X-Envelope-From: whithersabg0319 @rado.com
From: =?koi8-r?B?k1VTUFMgRXhwcmVzcyBTZXJ2aWNlcyI=?= <service-notification @usps.gov>
Subject: =?koi8-r?B?VVNQUyCWIE1pc3NlZCBwYWNrYWdlIGRlbGl2ZXJ5?=

Received: from cpc31-cosh11-2-0-cust521.6-1.cable.virginm.net [86.1.186.10]
X-Envelope-From: festivejo2 @roldeco.com
From: =?koi8-r?B?k1VTUFMgRXhwcmVzcyBTZXJ2aWNlcyI=?= <service-notification @usps.gov>
Subject: =?koi8-r?B?VVNQUyCWIE1pc3NlZCBwYWNrYWdlIGRlbGl2ZXJ5?=
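An added example (not code from the original post) that applies the three header observations above to the captured samples: envelope-sender domain disagreeing with the header From, a consumer-access reverse-DNS name on the sending host, and a koi8-r charset label on bytes that are really Windows-1252. That last one is why the subject renders as "USPS √ Missed package delivery": byte 0x96 is an en dash in cp1252 but √ in KOI8-R, and the 0x93 in front of "USPS Express Services" is a cp1252 curly quote. The header blocks below are the ones shown on this page with the defanging spaces around "@" removed; the reverse-DNS keyword list is an assumption for the demo, not a published rule.

```python
import base64
import re
from email.header import decode_header

# Header fragments copied from the samples above (defanging spaces removed).
CANADA_POST_HDRS = """\
Received: from 115.Red-79-159-200.staticIP.rima-tde.net [79.159.200.115]
X-Envelope-From: messages@efax.com
From: "Canada Post" <tracking@canadapost.com>
Subject: Scheduled package delivery failed / 27 feb 2014
"""

USPS_HDRS = """\
Received: from pc-20-42-241-201.cm.vtr.net [201.241.42.20]
X-Envelope-From: whithersabg0319@rado.com
From: =?koi8-r?B?k1VTUFMgRXhwcmVzcyBTZXJ2aWNlcyI=?= <service-notification@usps.gov>
Subject: =?koi8-r?B?VVNQUyCWIE1pc3NlZCBwYWNrYWdlIGRlbGl2ZXJ5?=
"""

# Assumed heuristic: substrings that mark ISP access / consumer reverse-DNS names.
CONSUMER_RDNS_HINTS = ("staticip", "cable", "cust", "pc-", ".cm.", "dyn", "dsl")


def parse_headers(block):
    """Split a 'Name: value' block into a dict keyed by lower-cased name."""
    hdrs = {}
    for line in block.splitlines():
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return hdrs


def decode_as(header, charset):
    """Decode the RFC 2047 encoded words in a header with `charset` instead of the
    declared one, so the same bytes can be viewed as koi8-r and as cp1252."""
    parts = []
    for chunk, declared in decode_header(header):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset if declared else "ascii", errors="replace"))
        else:
            parts.append(chunk)
    return "".join(parts)


def encode_word(text, charset):
    """Build a base64 encoded word; used only to make a genuine-Russian control sample."""
    return "=?%s?B?%s?=" % (charset, base64.b64encode(text.encode(charset)).decode("ascii"))


def mislabelled_koi8r(header):
    """True when a chunk is declared koi8-r but every high byte lies in 0x80-0x9F.
    Windows-1252 keeps dashes and curly quotes there; KOI8-R keeps box-drawing and
    math symbols (0x96 -> '√', 0x93 -> '⌠'). Real Russian text uses 0xC0-0xFF."""
    for chunk, declared in decode_header(header):
        if isinstance(chunk, bytes) and declared and declared.lower() == "koi8-r":
            high = [b for b in chunk if b >= 0x80]
            if high and all(0x80 <= b <= 0x9F for b in high):
                return True
    return False


def addr_domain(value):
    """Domain of the address in a From/X-Envelope-From value ('a <b@c>' -> 'c')."""
    m = re.search(r"@([A-Za-z0-9.-]+)", value)
    return m.group(1).lower() if m else ""


def analyse(block):
    """Return the list of spoofing indicators found in one header block."""
    h = parse_headers(block)
    findings = []
    from_dom = addr_domain(h.get("from", ""))
    env_dom = addr_domain(h.get("x-envelope-from", ""))
    if from_dom and env_dom and from_dom != env_dom:
        findings.append("envelope sender %s != header From %s" % (env_dom, from_dom))
    rdns = h.get("received", "").lower()
    if any(hint in rdns for hint in CONSUMER_RDNS_HINTS):
        findings.append("received from consumer/ISP-access host: " + rdns.split()[1])
    for name in ("from", "subject"):
        if mislabelled_koi8r(h.get(name, "")):
            findings.append("%s declares koi8-r but carries cp1252 punctuation: %r"
                            % (name, decode_as(h[name], "cp1252")))
    return findings


if __name__ == "__main__":
    for label, block in (("Canada Post", CANADA_POST_HDRS), ("USPS", USPS_HDRS)):
        print(label)
        for f in analyse(block):
            print("  -", f)
```

The charset check is deliberately narrow: a legitimate Russian sender's koi8-r subject has bytes in the Cyrillic range and is not flagged, while a Western-language mailer that stamps koi8-r on cp1252 text produces exactly the 0x80-0x9F pattern seen in these samples.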

Malware

28 October 2014

Attachment : US3872461EU.zip containing US28072014EU.exe (Looks like Upatre)

VirusTotal report

AegisLab      Troj.Spy.W32.Zbot
ESET-NOD32    a variant of Win32/Kryptik.COOO
McAfee        Upatre-FAAA!CE92D6843225
McAfee-GW     BehavesLike.Win32.Downloader.mm
Qihoo-360     HEUR/QVM20.1.Malware.Gen

Malwr.com report 

Starts servers listening on 0.0.0.0:0
Performs some HTTP requests
The binary likely contains encrypted or compressed data.
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

What I saw:

reported to: 
188.165.214.6:19916

downloaded more:
comercialjaba.com/css/2810us2.oss
smartubeconduit.com/uploads/media/2810us2.oss

decrypted an .oss file to user/local settings/cftuc.exe

interesting string : last 14 years. I have been working on other

Subsequently downloaded and decrypted executable : cftuc.exe (looks like Gozi / Vawtrak)

Big thanks to Yonathan Klijnsma (@ydklijnsma) for cluing me in on the Gozi / Vawtrak connection.

VirusTotal report 

Bkav          HW32.Packed.9A80
ESET-NOD32    a variant of Win32/Kryptik.COOH
Qihoo-360     Malware.QVM20.Gen
Rising        PE:Malware.XPACK-HIE/Heur!1.9C48
Symantec      Suspicious.Cloud.5

Malwr.com report 

What I saw:

Nothing happens until a browser is opened; then, roughly on every page load, additional traffic goes to:

forgerd.com/handlers/02/data/...     89.108.88.137     Russia
puppona.pw/handlers/00/data/...      109.234.154.238   Russia
pappiofi.com/handlers/00/data/...    178.21.8.189      Russia
kirasovra.com/handlers/00/data/...   46.183.149.36     Netherlands
plikorset.com/handlers/00/data/...   178.21.8.189      Russia
ikloders.com/handlers/00/data/...
lopedre.com/handlers/00/data/...
mukolwas.com/handlers/00/data/...
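Added example, not part of the original post: detection logic for the beacon pattern listed above, run over a few constructed proxy log lines. The log format, client addresses and the benign URLs are made up for the demo; the domains, IPs and the /handlers/NN/data/ path shape are the ones observed above. Matching on the path shape as well as the indicator lists is what catches a beacon to a domain that is not yet on the list.

```python
import re
from urllib.parse import urlsplit

# Domains and resolved IPs the infected host contacted once a browser was opened
# (taken from the observations above).
VAWTRAK_C2_HOSTS = {
    "forgerd.com", "puppona.pw", "pappiofi.com", "kirasovra.com",
    "plikorset.com", "ikloders.com", "lopedre.com", "mukolwas.com",
}
VAWTRAK_C2_IPS = {"89.108.88.137", "109.234.154.238", "178.21.8.189", "46.183.149.36"}

# Path shape shared by every beacon above: /handlers/<two digits>/data/...
BEACON_PATH = re.compile(r"^/handlers/\d{2}/data/")

# Constructed proxy log (not from the page): "<epoch> <client> <method> <url> <dest-ip>"
SAMPLE_LOG = """\
1414502400 10.0.0.17 GET http://www.example.org/index.html 93.184.216.34
1414502402 10.0.0.17 POST http://forgerd.com/handlers/02/data/ 89.108.88.137
1414502403 10.0.0.17 GET http://cdn.example.org/jquery.js 93.184.216.34
1414502405 10.0.0.17 POST http://newdomain.example/handlers/00/data/ 178.21.8.189
1414502406 10.0.0.23 GET http://unrelated.example/handlers/blog/data/ 203.0.113.5
1414502410 10.0.0.17 POST http://kirasovra.com/handlers/00/data/ 46.183.149.36
"""


def classify(line):
    """Return the indicator names that match one log line (empty list if none)."""
    _ts, _client, _method, url, dest_ip = line.split()
    parts = urlsplit(url)
    hits = []
    if parts.hostname in VAWTRAK_C2_HOSTS:
        hits.append("known C2 domain")
    if dest_ip in VAWTRAK_C2_IPS:
        hits.append("known C2 IP")
    if BEACON_PATH.match(parts.path):
        hits.append("beacon path pattern")
    return hits


def scan(log):
    """Map each client to the list of (url, indicators) beacons seen from it.
    Many hits from one client in a short window is the 'every page load' signature."""
    beacons = {}
    for line in log.splitlines():
        hits = classify(line)
        if hits:
            fields = line.split()
            beacons.setdefault(fields[1], []).append((fields[3], hits))
    return beacons


if __name__ == "__main__":
    for client, seen in scan(SAMPLE_LOG).items():
        print(client)
        for url, hits in seen:
            print("  %-50s %s" % (url, ", ".join(hits)))
```

The fourth sample line (newdomain.example) hits only on the shared IP and the path shape, which is the case the domain list alone would miss; the fifth has a superficially similar path under /handlers/blog/ and is correctly ignored.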

22 April 2014

Attachment : USPS variant with US7631947EU.zip containing US7631947EU.scr

VirusTotal report | Malwr.com report

27 February 2014 

Malicious link : Multiple Malware forms

This Canada Post variant email came with a link to TWO (2) forms of malware, a malicious .doc file and an exe-in-zip. The link text read www.canadapost.ca/cpotools/apps.... but the href pointed to URLs like:

annoying-client.com /pdf_trk_MW421330771CA.zip
annoying-client.com /traking_doc_MW421330771CA.doc

pdf_trk_MW421330771CA.zip contained pdf_trk_MW421330771CA.pif, a Win32 portable executable:

VirusTotal report | Malwr.com report | File-Analyzer.net report

traking_doc_MW421330771CA.doc is a malicious fake MS Word document.

VirusTotal report | Document-Analyzer.net report 
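Added example, not from the original post: a check for the display-text/href mismatch this lure relies on. The HTML below is constructed to mirror the message above (the visible link text is the real canadapost.ca invoice URL, the href is the attacker host); the original message body is not on the page. The audit flags any anchor whose visible text names a different host than its href, and any href that fetches an executable, archive or Office document. The list of risky extensions is an assumption based on the files seen in this campaign (.pif, .scr, .exe, .zip, .doc).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML modelled on the lure (not the original message body).
SAMPLE_HTML = """\
<p>PDF format : <a href="http://annoying-client.com/pdf_trk_MW421330771CA.zip">http://www.canadapost.ca/cpotools/apps/track/personal/findInvoiceByTrackingNumber?session_id=7002101982901&amp;trk=MW421330771CA&amp;file_format=PDF</a></p>
<p>DOC format : <a href="http://annoying-client.com/traking_doc_MW421330771CA.doc">http://www.canadapost.ca/cpotools/apps/track/personal/findInvoiceByTrackingNumber?session_id=7002101982901&amp;trk=MW421330771CA&amp;file_format=DOC</a></p>
<p>Tracking: <a href="http://www.canadapost.ca/cpotools/apps/track/personal/findByTrackNumber">www.canadapost.ca/cpotools/apps/track/personal/findByTrackNumber</a></p>
"""

# Assumed list: file types seen in these campaigns that execute or carry macros.
RISKY_EXT = (".exe", ".scr", ".pif", ".zip", ".doc")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def visible_host(text):
    """Host a reader would believe the link goes to, if the text looks like a URL."""
    m = re.match(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/|$)", text)
    return m.group(1).lower() if m else None


def audit_links(html):
    """Return [(href, [reasons])] for every anchor that looks like a lure."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = urlsplit(href)
        real_host = (target.hostname or "").lower()
        shown_host = visible_host(text)
        reasons = []
        if shown_host and shown_host != real_host:
            reasons.append("text shows %s but href goes to %s" % (shown_host, real_host))
        if target.path.lower().endswith(RISKY_EXT):
            reasons.append("href fetches a file of type " + target.path.rsplit(".", 1)[-1])
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_HTML):
        print(href)
        for r in reasons:
            print("  -", r)
```

The third anchor, whose text and href both name www.canadapost.ca and which fetches no file, passes; the two invoice links are flagged on both counts.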
