By Dancho Danchev
Remember the “Spamvertised ‘DHL Package delivery report’ emails serving malware” campaign profiled earlier this month?
It seems that another cybercrime gang has started impersonating DHL in an attempt to serve malware to the millions of end users and corporate users receiving the spamvertised emails.
Screenshot of the currently spamvertised email:
Just like the previous campaign impersonating DHL, this one also relies on an attached .zip file containing the actual malware.
DHL-Details.exe – MD5: 89bec26d1f7d711eda39437612568319 – detected by 33 out of 42 antivirus scanners as Trojan-Spy.Win32.Zbot.dzrx; Trojan.Zbot
Upon execution the sample creates the following files on the infected host:
%AppData%\Ceydal\ysluiv.tmp – MD5: D6965F59B8D78DC0B8CB747F0F2878E3
%AppData%\Ceydal\ysluiv.zia – MD5: 9F17BD86F8A772DC0B6A3CF0CCDCE2FC
%AppData%\Obbios\etamys.exe – MD5: 66F2DD0D1366A95EBD120558AC3F5585
%Temp%\tmpefdf2dea.bat – MD5: 489504C649766ECC691C4EEB3F86910C
It also phones back to the following URL located in Russia: 22.214.171.124/heinz/varieties/opt.php – AS35415, MCHOST-NET, Russian Federation
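The dropped-file paths and MD5 hashes listed above are the host-side indicators a responder would sweep for. The following Python script is an added example, not code from the post or from Webroot: it walks a directory tree, flags files whose parent-directory/file-name pair matches the dropped-file names from the post (so a re-dropped copy with different bytes is still caught), and flags files whose MD5 matches one of the listed hashes. The `demo()` scenario builds a constructed fake %AppData% in a temporary directory; the file content there is constructed and its hash is registered only to exercise the hash-matching path.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 indicators copied from the post above (lower-cased for comparison).
KNOWN_MD5 = {
    "89bec26d1f7d711eda39437612568319": "DHL-Details.exe",
    "d6965f59b8d78dc0b8cb747f0f2878e3": r"%AppData%\Ceydal\ysluiv.tmp",
    "9f17bd86f8a772dc0b6a3cf0ccdce2fc": r"%AppData%\Ceydal\ysluiv.zia",
    "66f2dd0d1366a95ebd120558ac3f5585": r"%AppData%\Obbios\etamys.exe",
    "489504c649766ecc691c4eeb3f86910c": r"%Temp%\tmpefdf2dea.bat",
}

# (parent directory, file name) pairs from the dropped-file list, matched
# case-insensitively; the hash may change between samples, the names often do not.
KNOWN_NAMES = {
    ("ceydal", "ysluiv.tmp"),
    ("ceydal", "ysluiv.zia"),
    ("obbios", "etamys.exe"),
}


def md5_of_file(path, chunk_size=65536):
    """MD5 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, known_md5=KNOWN_MD5, known_names=KNOWN_NAMES):
    """Walk `root` and return a list of (path, reason) hits for name or hash matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            key = (full.parent.name.lower(), name.lower())
            if key in known_names:
                hits.append((str(full), "known dropped-file name %s\\%s" % key))
            try:
                digest = md5_of_file(full)
            except OSError:
                # Unreadable or vanished file: skip it rather than abort the sweep.
                continue
            if digest in known_md5:
                hits.append((str(full), "MD5 %s matches %s" % (digest, known_md5[digest])))
    return hits


def demo():
    """Constructed scenario: a fake %AppData% with one suspicious file and one benign file."""
    with tempfile.TemporaryDirectory() as appdata:
        ceydal = Path(appdata) / "Ceydal"
        ceydal.mkdir()
        # Constructed content; this is NOT the real dropped file.
        (ceydal / "ysluiv.tmp").write_bytes(b"constructed sample, not the real dropper")
        benign = Path(appdata) / "Other"
        benign.mkdir()
        (benign / "notes.txt").write_bytes(b"harmless")
        # Register the constructed file's own MD5 as if it were a sighted hash so the
        # hash branch of the matcher is exercised alongside the name branch.
        extra = dict(KNOWN_MD5)
        extra[md5_of_file(ceydal / "ysluiv.tmp")] = "constructed sample"
        hits = sweep(appdata, known_md5=extra)
    return hits


if __name__ == "__main__":
    for path, reason in demo():
        print(path, "->", reason)
```

Run against a real host by pointing `sweep()` at the user's %AppData% and %Temp% directories; every hit carries the reason it fired so a name-only match (possible re-drop with new bytes) can be triaged separately from an exact hash match.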
Webroot Secure Anywhere users are proactively protected from this threat.