Wednesday, January 9, 2013

FakeAVLock - FedEx Shipping Issues - Revisited

This is a continuation of the FedEx Malware Overnight posting. I had considered putting this in the same post, but there have been some changes in what is being seen. I will update with more as I find it.

** 1/14/2012 Updated with more Initial Landing Points, and new Subject Characteristics. **
The current infection process is the same:

  • Receive a phishing email about a package
  • Download a ZIP file with Receipt.exe in it
  • Open the malicious EXE; Svchost.exe is injected and calls home
  • Calls home for the 2nd stage, trying multiple IPs until one successfully connects
  • Finishes the infection
  • Machine is unusable.
Characteristics of the email:
  • Different Sender
  • Different Subject
    • Starts with:
      • Tracking IR
      • Tracking Number
      • Number
    • 1 Letter in ()
    • 2-3 letters following
    • No space between last character and numbers.
      • Subject: FW: Tracking ID (t)hia53 120 120 5339 5339
  • URL for the receipt is somewhat unique.
    • http://druckerpatronen-1x1.de/AEPDVJYDTS.php?receipt=798_15525##### where each # is a random digit
  • Order Number in the body is different.

External Link Data:
Anubis: PostalReceipt.exe
UrlQuery: for the call-home site 184.106.214.159

Malicious IPs:
62.146.51.19
202.169.224.202
88.191.123.128
184.106.214.159
50.57.135.154
66.232.145.174
74.208.111.15
178.77.103.54
66.84.10.68
46.4.178.174
173.255.203.178
85.214.22.38
82.113.204.228
81.93.248.152
88.40.201.187
94.101.86.146
118.97.15.13
You may also see requests for the following files:
lite.dll.crp
sb215.dll.crp

Initial Landing Links for the ZIP file:
The .php?receipt=79 pattern has been seen in all links received.

http://1stline.org/PKMCQPMRIP.php?receipt=796_908103503
http://alfashop.com.br/BBYDVVPDOF.php?receipt=797_1555910781
http://newsletter.canaanland.com.my/KCQIHUFFRB.php?receipt=797_1531499115
http://1stline.org/PKMCQPMRIP.php?receipt=796_908361164
http://theblackproject.net/HRCRUPDQBJ.php?receipt=755_48016707
http://www.fellfab.com/UOBSRUTTHH.php?receipt=796_795924187
http://havadurumu.skiciyiz.biz/ROYQXQPAQX.php?receipt=797_1308676636
http://www.adrenalinamergulho.com.br/UAIBSOOUFA.php?receipt=798_1808639291
http://femmeoui.com.br/TVKYAIAOYT.php?receipt=794_481843431
http://bananajack.com.br/YDMQAOXAAZ.php?receipt=798_1730800210
http://druckerpatronen-1x1.de/AEPDVJYDTS.php?receipt=798_1552553621
http://newsletter.canaanland.com.my/KCQIHUFFRB.php?receipt=796_736326616
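As an added example (not part of the original post), the following Python script turns the subject characteristics, the landing-link shape, the malicious IP list and the second-stage file names above into simple triage checks and runs them over constructed mail and proxy log lines. The log formats, the client and 203.0.113.x destination addresses, and the assumption that the ten-uppercase-letter .php name and the NNN_ receipt prefix hold for links not listed here are mine, not the post's.

```python
"""Triage helpers for the FedEx/FakeAV campaign indicators described above.

Added example: the log line formats below are constructed for illustration
and do not correspond to any particular mail or proxy product.
"""
import re

# Second-stage / call-home IPs listed in the post.
MALICIOUS_IPS = frozenset({
    "62.146.51.19", "202.169.224.202", "88.191.123.128", "184.106.214.159",
    "50.57.135.154", "66.232.145.174", "74.208.111.15", "178.77.103.54",
    "66.84.10.68", "46.4.178.174", "173.255.203.178", "85.214.22.38",
    "82.113.204.228", "81.93.248.152", "88.40.201.187", "94.101.86.146",
    "118.97.15.13",
})

# Second-stage payload names requested after infection (from the post).
STAGE2_FILES = ("lite.dll.crp", "sb215.dll.crp")

# Subject shape from the post: one of three starts, one letter in (),
# two or three letters, then digits with no space before them.
SUBJECT_RE = re.compile(
    r"""
    ^(?:(?:FW|FWD|RE)\s*:\s*)*                # optional forward/reply prefixes
    (?:Tracking\ ID|Tracking\ Number|Number)  # subject starts seen in the campaign
    \s*\([A-Za-z]\)                           # one letter in parentheses
    [A-Za-z]{2,3}                             # two or three letters following
    \d                                        # digits, no space before them
    """,
    re.IGNORECASE | re.VERBOSE,
)

# Landing link shape. Every link in the post has a ten-uppercase-letter .php
# name and receipt=NNN_<digits>; applying that to unseen links is an assumption.
LANDING_URL_RE = re.compile(r'https?://[^/\s"]+/[A-Z]{10}\.php\?receipt=\d{3}_\d+')


def is_phish_subject(subject: str) -> bool:
    return SUBJECT_RE.match(subject.strip()) is not None


def is_landing_url(url: str) -> bool:
    return LANDING_URL_RE.fullmatch(url.strip()) is not None


def scan_mail_log(lines):
    """Return (line_no, subject) for lines whose subject="..." field matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'subject="([^"]*)"', line)
        if m and is_phish_subject(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


def scan_proxy_log(lines):
    """Constructed proxy format: <ts> <client> <dst_ip> <method> <url>.

    Returns one (line_no, client, reason) tuple per indicator matched, so a
    single request can produce several hits.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash mid-scan
        _ts, client, dst_ip, _method, url = parts[:5]
        reasons = []
        if dst_ip in MALICIOUS_IPS:
            reasons.append(f"callback to {dst_ip}")
        if is_landing_url(url):
            reasons.append("landing link fetch")
        if url.rsplit("/", 1)[-1] in STAGE2_FILES:
            reasons.append("second-stage file request")
        hits.extend((n, client, r) for r in reasons)
    return hits


# Constructed sample data (not real traffic); sender domains use .invalid.
SAMPLE_MAIL_LOG = [
    '2013-01-09T08:12:33 from=<noreply@example.invalid> subject="FW: Tracking ID (t)hia53 120 120 5339 5339"',
    '2013-01-09T08:12:40 from=<alerts@example.invalid> subject="Tracking Number (q)xy8834 2201"',
    '2013-01-09T08:13:02 from=<hr@example.invalid> subject="Number of open positions"',
    '2013-01-09T08:13:15 from=<ops@example.invalid> subject="RE: Tracking ID request"',
]

SAMPLE_PROXY_LOG = [
    "2013-01-09T08:15:01 10.0.0.5 203.0.113.10 GET http://druckerpatronen-1x1.de/AEPDVJYDTS.php?receipt=798_1552553621",
    "2013-01-09T08:16:10 10.0.0.5 184.106.214.159 POST http://184.106.214.159/",
    "2013-01-09T08:16:12 10.0.0.5 50.57.135.154 GET http://50.57.135.154/lite.dll.crp",
    "2013-01-09T08:20:00 10.0.0.7 203.0.113.10 GET http://example.com/index.php?receipt=123",
]

if __name__ == "__main__":
    for hit in scan_mail_log(SAMPLE_MAIL_LOG):
        print("mail  ", hit)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy ", hit)
```

The subject check deliberately requires a digit immediately after the two or three letters, which is the "no space between last character and numbers" trait; a subject such as "Tracking ID (t)hia 53" will not match, so tune the pattern if your own samples differ. The proxy scan reports every indicator a request trips, so a second-stage fetch from a listed IP shows up both as a callback and as a file request.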
