USPS malware - check your delivery address
I got an email today on my private email account that at first looked like it was from USPS (US Postal Service), but obviously it was not :)
The main signs that the mail was not from USPS were the following:
- the displayed sender was "USPS Ground" instead of "firstname.lastname@example.org"
- the sender's email address was "email@example.com" instead of "firstname.lastname@example.org"
- the email layout is completely different to the real USPS mails
- USPS links to the USPS.com website instead of sending .zip archives as an attachment
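
The sender and attachment signs from the list above can be checked mechanically before a message reaches a reader. The following Python sketch is an added example, not part of the original post; it assumes genuine USPS mail is sent from usps.com or a subdomain, and the sample messages, recipient address and attachment name `label.zip` are constructed.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: legitimate USPS mail comes from usps.com or one of its subdomains.
TRUSTED_DOMAINS = ("usps.com",)
BRAND = "usps"
ARCHIVE_EXTS = (".zip",)

def phishing_signs(raw):
    """Return the warning signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    # Exact match or true subdomain only, so "usps.com.evil.example" fails.
    trusted = any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)
    signs = []
    if BRAND in display.lower() and not trusted:
        signs.append("display name claims USPS but sender domain is "
                     + (domain or "missing"))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(ARCHIVE_EXTS):
            signs.append("archive attachment: " + name)
    return signs

def build_sample(sender, attachment=None):
    """Build a constructed test message (not the real email from the post)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "recipient@example.net"
    m["Subject"] = "Check your delivery address"
    m.set_content("Please see the attached document.")
    if attachment:
        # Four placeholder bytes stand in for the archive content.
        m.add_attachment(b"PK\x03\x04", maintype="application",
                         subtype="zip", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    for sign in phishing_signs(build_sample("USPS Ground <email@example.com>",
                                            "label.zip")):
        print("WARNING:", sign)
```
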
I don't know how I came to have the honor of receiving such an email on a German mail account that has no relation to any USPS activity and is not used much. I am wondering why I didn't get this spam email on my Gmail account, because I used that mail address to receive USPS shipping information.
So what does the first script do?
In the script, five domains are defined that can only be accessed with a token that is also defined in the file.
So there is a second script?
What is in the exe?
Because I have not tried to reverse compile the exe, I can only guess what it does. But I think that it will be a Trojan or virus that will be installed on the PC. As mentioned before, even the MS Defender detects the scripts as a threat, but not the exe file! I scanned the file on VirusTotal and only a few (12/61) antivirus programs detected it as a threat! Even Malwarebytes, Avast, AVG and McAfee were not able to find anything.
So be careful and confirm that the email really is from the person/company that you think it is before you open any attachments!
I will try to contact the domain registration companies and antivirus program makers. I hope that helps to stop that malware.
- Sent an email to clever-group.ag, seems to be a hacked server, company website seems legit, contacted
- mabax.ru seems to be also a hacked server, small online shop, registrar not contactable because of email rejection
- permiantactical.com is a hacked forum, contacted, received inquiry
- sosnovskiy-tc.ru is a hacked server from a Russian shopping mall, contacted
- irislanguageclub.ru is a hacked server of some sort of Russian club, contacted, taken offline