USPS malware - Two new fake mails arrived

As described in my last post, I got a fake USPS (US Postal Service) mail on my private email account.

I got two new fake mails, last Friday and also today, that look different and use other domains.

[Screenshots: USPS fake mail 2 and USPS fake mail 3]

I again used a Linux box to handle the zip, which includes the JavaScript mentioned in my last post that downloads and executes an exe file.

The scripts that are used are almost the same as before. They made them a little bit more confusing and changed some variables, but that's it. After debugging the scripts as before, I got the following domains that are used to distribute the second-stage script and the .exe file. All domains that I listed are working and spreading malware right now!

Domains of the Second stage:

Fake mail 2

  • 3kontur.ru
  • 4dlaser.ru/administrator
  • mydarts.ru/libraries

Fake mail 3

  • stlki.org
  • averchenkova.ru
  • begatrading.com

To my surprise, the .exe file that contains the virus itself is now distributed from only one set of domains, which are different from the ones used for stage two. Here they are:

  • anest-group.ru
  • evro.ch
  • fp.amusal.es
  • applecitycareer.com
  • kyokushin.li

All of these domains host two different .exe files, named exe1.exe and exe2.exe. I scanned both of them on VirusTotal, and only one of them is recognized by 21/61 antivirus programs. The other one is only seen by 5/60 scanners.

VirusTotal scan of exe1.exe
VirusTotal scan of exe2.exe
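For defenders who want to check whether any of their own clients touched these hosts, here is an added example (not part of the original post, and not the author's code) that classifies proxy log URLs against the two domain sets and the two file names listed above. The log format, client addresses and URL paths in the sample are constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicators from the lists in this post: host -> path prefix ("" = any path)
STAGE2 = {"3kontur.ru": "", "4dlaser.ru": "/administrator", "mydarts.ru": "/libraries",
          "stlki.org": "", "averchenkova.ru": "", "begatrading.com": ""}
PAYLOAD_HOSTS = {"anest-group.ru", "evro.ch", "fp.amusal.es",
                 "applecitycareer.com", "kyokushin.li"}
PAYLOAD_NAMES = {"exe1.exe", "exe2.exe"}

def match_host(host, indicators):
    """Return the indicator equal to host or a parent domain of it, else None."""
    host = host.lower().rstrip(".")
    return next((i for i in indicators if host == i or host.endswith("." + i)), None)

def classify(url):
    """Return (stage, confidence) for a URL, or None if no indicator matches."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, path = parts.hostname or "", parts.path.lower()
    if match_host(host, PAYLOAD_HOSTS):
        name = path.rsplit("/", 1)[-1]
        return ("payload", "high" if name in PAYLOAD_NAMES else "medium")
    ind = match_host(host, STAGE2)
    if ind:
        prefix = STAGE2[ind]
        exact = path == prefix or path.startswith(prefix + "/")
        return ("stage2", "high" if exact else "medium")
    return None

def scan(lines):
    """Return (client, url, stage, confidence) for each line hitting an indicator."""
    hits = []
    for fields in (line.split() for line in lines):
        verdict = classify(fields[3]) if len(fields) >= 4 else None
        if verdict:
            hits.append((fields[1], fields[3]) + verdict)
    return hits

# Constructed sample proxy log: "<time> <client> <method> <url> <status>"
SAMPLE_LOG = """\
09:14:02 10.0.0.21 GET http://4dlaser.ru/administrator/x.js 200
09:14:05 10.0.0.21 GET http://evro.ch/img/exe1.exe 200
09:15:40 10.0.0.34 GET http://www.begatrading.com/ 200
09:17:29 10.0.0.50 GET http://notevro.ch/exe2.exe 404
09:18:00 10.0.0.50 GET http://mydarts.ru/index.html 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A "medium" result means the host matched but the path or file name did not, which is still worth a look because the paths on these servers can change.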

I will begin to write emails to the owner of the site and the registrar of the domain. I will update this post as before with the status of my takedown request.

UPDATE

  • 3kontur.ru - takedown email sent, waiting for response.
  • 4dlaser.ru - takedown email sent, response from provider, customer informed but still UP!
  • myarts.ru - takedown email sent, response from provider, link down
  • stlki.org - takedown email sent, waiting for response.
  • averchenkova.ru - takedown email sent, waiting for response.
  • begatrading.com - takedown email sent, incident opened, waiting for response.
  • anest-group.ru - takedown email sent, response from provider, link down and customer informed
  • evro.ch - takedown email sent, waiting for response.
  • fp.amusal.es - takedown email sent, waiting for response.
  • applecitycareer.com - takedown email sent, incident opened, waiting for response.
  • kyokushin.li - contacted over form, waiting for response.