
Email:

Fake FedEx virus spam email claims the courier was unable to deliver your parcel and a shipment label is attached.

The attached zip contains a malicious JavaScript file that downloads several kinds of malware.


Subject: [your name], Delivery Notification, ID 000198889 

 FedEx ® 
Dear [ your name ],

Courier was unable to deliver the parcel to you.
Shipment Label is attached to this email.

Sincerely,
Jerome Hall,
FedEx Station Manager.
(C) 2014 FedEx. The content of this message is protected by copyright and trademark laws. All rights reserved.

Picture of the fake FedEx email with the malicious JS in the zip attachment Label_000198889.zip.

Header Examples:

The display name is made to look like FedEx, but the headers aren't spoofing anything useful.

Received: from smtp-imu2.infomaniak.ch [84.16.68.110]
X-Envelope-From: webmaster @moretgeom.ch
From: "FedEx SmartPost" <support @moretgeom.ch>
Subject: [your name], Delivery Notification, ID 000198889
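One way to turn the observation above into a mechanical check, as an added example that is not part of the original post: parse the From and X-Envelope-From headers, see which brand the display name claims, and flag the message when none of the real sender domains belongs to that brand. The header block is the post's sample reconstructed as a constructed string (defanging space removed); the brand-to-domain table is an assumption for illustration, not a list taken from the post.

```python
"""Display-name vs. sender-domain check for the headers quoted in the post.
Added example; the BRAND_DOMAINS table is an assumption, not from the post."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the post's headers with the defanging space removed.
SAMPLE_HEADERS = """\
Received: from smtp-imu2.infomaniak.ch [84.16.68.110]
X-Envelope-From: webmaster@moretgeom.ch
From: "FedEx SmartPost" <support@moretgeom.ch>
Subject: [your name], Delivery Notification, ID 000198889

"""

# Assumed brand -> legitimate sending domains (illustrative only).
BRAND_DOMAINS = {
    "fedex": ("fedex.com",),
}


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def claimed_brands(display_name: str) -> list:
    """Brands whose name appears in the From display name."""
    name = display_name.lower()
    return [b for b in BRAND_DOMAINS if b in name]


def domain_belongs(domain: str, legit: tuple) -> bool:
    """True if domain equals or is a subdomain of one of the legitimate domains."""
    return any(domain == l or domain.endswith("." + l) for l in legit)


def check_headers(raw: str) -> list:
    """Return [(brand, [offending sender domains])] for every brand the
    display name claims but no sender domain backs up; [] means no finding."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    env_addr = parseaddr(msg.get("X-Envelope-From", ""))[1]
    sender_domains = {domain_of(a) for a in (from_addr, env_addr) if a}
    findings = []
    for brand in claimed_brands(display):
        bad = sorted(d for d in sender_domains
                     if not domain_belongs(d, BRAND_DOMAINS[brand]))
        if bad:
            findings.append((brand, bad))
    return findings


if __name__ == "__main__":
    for brand, domains in check_headers(SAMPLE_HEADERS):
        print(f"display name claims '{brand}' but mail came from {domains}")
```

Both the From address and the envelope sender are checked because the two are often different on legitimate bulk mail; a brand claim in the display name is only accepted when every real sending domain belongs to that brand.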

Malware

16 December 2014 

Attachment: Label_000198889.zip containing Label_000198889.doc.js

VirusTotal report 

Avast JS:Agent-DHL [Trj]
Kaspersky Trojan-Downloader.JS.Agent.hch
McAfee JS/Downloader-BNW
Sophos Troj/JSDldr-V

The javascript file, original and deobfuscated can be seen at this pastebin. But basically it downloads 3 executables:

aeonwebtechnology.com/document.php?id=5450535E0E0B1701140C24171110074A070B09&rnd=9766301 gives 121.jpg
aeonwebtechnology.com/document.php?id=5450535E0E0B1701140C24171110074A070B09&rnd=1803922 gives 4887.jpg
aeonwebtechnology.com/document.php?id=5450535E0E0B1701140C24171110074A070B09&rnd=9442343 gives 5281.jpg

I had to use an Internet Explorer user-agent to get the malware. And the files were Win32 portable executables but named as .jpg's. The JavaScript file would rename them to .exe's and put them in a temp folder.
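Two of the tricks described in this post, the double-extension script inside the zip attachment (Label_000198889.doc.js) and the PE files served under .jpg names, are easy to catch with content checks rather than names. The following is an added example, not code from the post: it scans a zip for members whose final extension is a script or executable type hidden behind another extension, and compares a file's magic bytes against what its extension claims. The zip and the byte strings are constructed here; they are not the real samples.

```python
"""Attachment triage: double-extension zip members and extension/content
mismatch. Added example with constructed inputs, not the post's own code."""
import io
import os
import zipfile

# Final extensions that execute when double-clicked on Windows (illustrative set).
EXEC_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def suspicious_zip_members(zip_bytes: bytes) -> list:
    """Names of zip members shaped like 'something.doc.js': an executable
    type hidden behind at least one other extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = os.path.basename(name).lower().split(".")
            if len(parts) >= 3 and "." + parts[-1] in EXEC_EXTS:
                hits.append(name)
    return hits


def content_type(data: bytes) -> str:
    """Very small magic-byte sniffer; enough to tell a PE from an image."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the name claims an image but the bytes are a PE file,
    which is exactly what the downloader in the post relied on."""
    ext = os.path.splitext(name)[1].lower()
    return ext in IMAGE_EXTS and content_type(data) == "pe"


def build_constructed_zip() -> bytes:
    """Constructed stand-in for the attachment: same member name, harmless body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Label_000198889.doc.js",
                    "// constructed placeholder, not the real downloader\n")
        zf.writestr("readme.txt", "harmless text member\n")
    return buf.getvalue()


# Constructed byte strings: a PE header stub named like the served files, and a real JPEG prefix.
FAKE_JPG = b"MZ\x90\x00" + b"\x00" * 60
REAL_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 16


if __name__ == "__main__":
    print("double-extension members:", suspicious_zip_members(build_constructed_zip()))
    print("121.jpg is really a PE:", extension_mismatch("121.jpg", FAKE_JPG))
```

The point of the second check is that a gateway or sandbox should classify downloaded payloads by their first bytes; a `.jpg` suffix says nothing about what the file is, and the script renames it to `.exe` before running it anyway.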

Downloaded executable : 121.jpg / 121.exe

VirusTotal report 

AhnLab-V3 Trojan/Win32.XPack
Avira TR/FakeRean.A.54
Bkav HW32.Packed.72E8
ESET-NOD32 Win32/Adware.XPAntiSpyware.AH
Qihoo-360 Malware.QVM19.Gen

Developer metadata
Copyright Copyright EmiSoft Company
Publisher EmiSoft
File version 1.1.0
Description Google Company

Mutex:
qcgce2mrvjq91kk1e7pnbb19m52fx1956jc03il0h

Malwr.com report 

Performs some HTTP requests
The binary likely contains encrypted or compressed data.
Steals private information from local Internet browsers
Creates an Alternate Data Stream (ADS)
Installs itself for autorun at Windows startup

HTTP GET: zumo-alibabs.com/E35ByD6je2pz27Ob-IlU4Kcdo26O028=

Downloaded executable : 4887.jpg / 4887.exe ( makes me think zemot -> rerdom )

VirusTotal report 

0 score on VT

Number of PE resources by language
GERMAN AUSTRIAN 13
CHINESE SIMPLIFIED 7

Malwr.com report 

Performs some HTTP requests

HTTP GETs:
46.161.41.115/catalog/54676
46.161.41.115/gertrudathoping/mod_smartslider2/
46.161.41.115/gertrudathoping/mod_maximenuck/

Downloaded executable : 5281.jpg / 5281.exe

VirusTotal report 

AVware Trojan.Win32.Kryptik.cpvt (v)
Ad-Aware Trojan.GenericKD.2029888
Avira TR/Abandrot.A.6
BitDefender Trojan.GenericKD.2029888
ESET-NOD32 Win32/Fleercivet.AA
Fortinet W32/AGENT.UQZ!tr
GData Trojan.GenericKD.2029888
Kaspersky Trojan.Win32.Staser.gn
Malwarebytes Trojan.Krypt
McAfee Artemis!876781A487F2
VIPRE Trojan.Win32.Kryptik.cpvt (v)

Authenticode signature block
Publisher LTD VAL
Signature verification Signed file, verified signature
Signers
[+] LTD VAL
[+] COMODO Code Signing CA 2
[+] UTN-USERFirst-Object
[+] USERTrust

Malwr.com report 

Mutex: _HSJ909NJJNJ90203_

So this one was flagged as Fleercivet by NOD32. Kimberly from StopMalvertising.com once mentioned that Fleercivet was an ad-fraud clickbot. The mutex matches this Microsoft article on Win64/Fleercivet.B.

If this was at least a little helpful, how about a +1, Like, or Tweet?