By Dancho Danchev
Over the past couple of days, cybercriminals have launched two consecutive malware campaigns impersonating DHL in an attempt to trick users into thinking that they’ve received a parcel delivery notification. The first campaign comes with a malicious attachment, whereas in the second, the actual malicious archive is located on a compromised domain.
Sample screenshot of the the first spamvertised template:
Sample screenshot of the second spamvertised template:
Detection rate for the malicious executable:
MD5: 85f908a5bd0ada2d72d138e038aecc7d – detected by 12 out of 45 antivirus scanners as Backdoor.Win32.Androm.pta.
Once executed, it phones back to hxxp://seantit.ru/new/gate.php (184.108.40.206; 220.127.116.11; 18.104.22.168; 22.214.171.124; 126.96.36.199) and also downloads hxxp://seantit.ru/ya.exe (188.8.131.52) MD5: be52e7e38b9b467c51972cc841e7e487 – detected by 23 out of 46 antivirus scanners as Trojan:Win32/FakeSysdef.
Responding to the same IP are also the following domains part of the campaign’s infrastructure:
seantit.ru (Name server: ns1.secrettappes.com – 184.108.40.206 – Email: firstname.lastname@example.org; Name server: ns1.insectiore.net – 220.127.116.11 – Email: email@example.com) is also known to have responded to the following IPs:
Webroot SecureAnywhere users are proactively protected from this threat.