The malware is distributed both via links and attachments

Nov 6, 2013 09:37 GMT

UPS-themed spam emails designed to distribute malware are not uncommon. In fact, they’re probably among the most common types of spam campaigns. However, experts have spotted one that’s worth looking into.

The malicious emails are entitled something like “UPS Delivery Notification Tracking Number :[random number]” and they read the following: “Package delivery confirmation invoice XCBMXDI508XCBMXDI866. Thank you, United Parcel Service.”

According to Panda Security technician and malware researcher Bart Blaze, there are two malware delivery mechanisms in this email: a link and an attached file.

Recipients end up with the same malicious file, regardless of whether they click on the link or download the attachment.

At first sight, the file appears to be a harmless Microsoft Office document. In reality, it is a maliciously crafted .rtf file designed to exploit two Microsoft Office vulnerabilities, CVE-2012-0158 and CVE-2010-3333.

When the file is opened, Word crashes. Meanwhile, several processes are created and a second component is dropped onto the infected system. The threat creates registry entries and injects itself into the explorer.exe process to maintain persistence.

Once it infects a device, the malware contacts various domains:

- customer.invoice-appmy.com
- customers.invoice-appmy.org
- customer.appmys-ups.org
- feed404.dnsquerys.org
- feed.queryzdnsz.org
- feeds.nsupdatedns.com
- feed404.dnsquerys.com
- static.invoice-appmy.com

These domain names might fool system administrators into thinking that the traffic generated by the malware is for DNS queries.
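Because the hostnames are built to blend in with DNS infrastructure, a name-based glance at resolver logs is not enough; matching against the listed indicators, including sibling hosts under the same registered domains, is more reliable. The following script is an added example (not from the article or from Bart Blaze's analysis) that applies that check to constructed BIND-style query log lines; the log format and client addresses are assumptions.

```python
import re

# Domains contacted by the malware, as listed in the article.
IOC_DOMAINS = {
    "customer.invoice-appmy.com", "customers.invoice-appmy.org",
    "customer.appmys-ups.org", "feed404.dnsquerys.org",
    "feed.queryzdnsz.org", "feeds.nsupdatedns.com",
    "feed404.dnsquerys.com", "static.invoice-appmy.com",
}

def registered_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'invoice-appmy.com'.
    Simple approximation: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

# Registered domains derived from the indicators, so a new hostname under an
# attacker-controlled domain (e.g. another *.invoice-appmy.com) is flagged too.
IOC_REGISTERED = {registered_domain(d) for d in IOC_DOMAINS}

# Assumed BIND-style query log layout: "client IP#PORT: query: NAME IN TYPE ..."
LOG_LINE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+.*?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def match_dns_log(lines):
    """Return (client_ip, queried_name, match_kind) for each indicator hit."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue  # not a query log line
        qname = m.group("qname").lower().rstrip(".")
        if qname in IOC_DOMAINS:
            hits.append((m.group("ip"), qname, "exact"))
        elif registered_domain(qname) in IOC_REGISTERED:
            hits.append((m.group("ip"), qname, "sibling"))
    return hits

# Constructed sample log (not real traffic): two benign lookups, two hits.
SAMPLE_LOG = """\
06-Nov-2013 09:37:01.123 client 10.0.0.23#51234: query: feed404.dnsquerys.org IN A + (10.0.0.2)
06-Nov-2013 09:37:02.456 client 10.0.0.23#51235: query: www.ups.com IN A + (10.0.0.2)
06-Nov-2013 09:38:10.789 client 10.0.0.41#49000: query: update.invoice-appmy.com IN A + (10.0.0.2)
06-Nov-2013 09:38:11.001 client 10.0.0.41#49001: query: ns1.example-isp.net IN A + (10.0.0.2)
"""

if __name__ == "__main__":
    for ip, name, kind in match_dns_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} queried {name} ({kind} indicator match)")
```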

“The payload can vary in this case. According to VirusTotal results, it may be ransomware. I was unable to reproduce that kind of behaviour. I have a feeling it may be a Bitcoin miner or simply Zeus/Zbot again. Kaspersky had apparently noticed the same campaign; in their sample it’s a Brazilian banking Trojan,” Blaze noted regarding the payload.

For additional technical details on this campaign, and advice on how to protect yourself against such threats, check out Bart Blaze’s blog.