USPS maleware - check your delivery address

I got an email today on my private email account, that looked like it was from USPS (US postal service) in the first place, but obviously it was not :)

Usps spam mail

The main signs that the mail was not from USPS where the following:

  • the displayed sender was "USPS Ground" instead of "auto-reply@usps.com"
  • the senders email address was "aboqaxur62408021@site-ations.co.uk" instead of "auto-reply@usps.com"
  • the email layout is completely different to the real USPS mails
  • USPS is linking to the USPS.com website instead of sending .zip archives as a attachment

I don't know how i came to the honor to receive such an email on a German mail account that has no relation with any USPS activity and is not used much. I'am wondering why i don't got this spam email on my gmail account, because i used this mail address to receive USPS shipping information's.

As an i specialist i was very curious about what was in the Delivery-Details.zip archive, so i loaded it onto a linux vm and unzipped it. In the .zip was only one file named "Delivery-Details.js", because it was obviously a JavaScript file i opened it up in nano. After i saw that it was not compressed at all i began debugging the code to find out what it does. One problem that i had, was that the Microsoft Defender blocked the script to be opened even with the editor or a code editor. My only option was to copy it out of the ssh console of my linux box. The Code was also written very confusing, but that has not stopped me ;)

So what does the first script?

In the Script are five domains defined that only can be accessed with a token that is also defined in the file.

  • www.clever-group.ag
  • mabax.ru/administrator
  • permiantactical.com
  • sosnovskiy-tc.ru
  • irislanguageclub.ru

In the beginning the script tries to connect to one of the domains. If it got a connection, it will download a HTML file that is compressed (one line) and is made almost unreadable because it is speckled with the token. The script then removes the token from the whole HTML file, so it is usable again. But even at this point, the code has over 100 lines that are quite confusing at first sight, but the main result is a variable that contains JavaScript code.

So there is a second Script?

Yes, the first script only get's another JavaScript that get's executed. This script is also compressed, but not written to confuse anyone, so it's quite easy to find out what it does. Infect it tries to connect to the same five domains, but now downloads a .exe file to the temp folder of the system. When it got the exe that is named "exe1.exe" most of the time, it will also execute it.

What is in the exe?

Because i have not tried to reverse compile the exe, i can only guess what it does. But i think that it will be a Trojan or virus that will be installed on the PC. As mentioned before, even the MS Defender detects the scripts as a threat, but not the exe file! I scanned the file on Virustotal and only a few (12/61) anti virus programs detected it as an threat! Even malwarebytes, Avast, AVG and MCAffee where not able to find anything.

So be careful and confirm that the email really is from the person/company that you think it is before you open any attachments!

What's next?

I will try to contact the Domain registration companies and Anti virus program makers. I hope that helps to stop that maleware.

UPDATE

  • Send an Email to clever-group.ag, seems to be a hacked server, company website seems legit, contacted
  • mabax.ru seems to be also a hacked server, small onlineshop, registrar not contactable because of email rejection
  • permiantactical.com is a hacked forum, contacted, received inquiry
  • sosnovskiy-tc.ru is a hacked server from a russian shopping mall, contacted
  • irislanguageclub.ru is a hacked server of some sort of russian club, contacted, taken offline
{{ message }}

{{ 'Comments are closed.' | trans }}

Blog posts

Werbung

Zeroshell - Router software

Zeroshell banner