Fake delivery emails lead to malware

January 07, 2014 | by Jonathan French | Asprox, best buy, botnet, costco, Digital Degenerate, infection, malware, walmart

We have been seeing an ongoing malware campaign using emails that claim to be package delivery notices from retailers such as Walmart, Best Buy, and Costco. The emails say a delivery was missed and contain a link to a form to fill out. The link actually leads to a compromised external site hosting a malicious zip download. The zip resembles those from the WhatsApp and Wedding Invitation campaigns covered in previous posts: the site uses a geolocation script to customize the file name, and this time it also works a zip code into the name. The exe inside the archive carries the same name as the zip.

[Screenshots: the customized zip file name for the Costco lure, and the Costco, Best Buy, and Walmart "missed delivery" form emails]

An interesting change this time around is that the links leading to the malware appear to be single-use. Once the link has been clicked and the zip downloaded, any repeat visit to the same URL returns a 404 page. The full URL appears to be customized per recipient: it contains a token that looks like a base64 string but does not decode to anything meaningful.
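Two of the traits described above (the customized zip whose single member is a same-named exe, and the base64-looking URL token that does not decode) are easy to check automatically when triaging mail attachments. The following is an added example written for this post, not code from the original article or from the campaign; the lure file-name pattern (retailer name, "form", digits), the sample archive, and the definition of "decodes" as yielding printable ASCII are assumptions made for illustration.

```python
import base64
import binascii
import io
import re
import zipfile

# ASSUMPTION: the lure names seen in the post look like "costcoform3465567";
# the exact scheme the geolocation script uses is not known, so this is a guess.
LURE_NAME_RE = re.compile(r"^(costco|bestbuy|bbuy|walmart)form\d+$", re.IGNORECASE)

# Standard and URL-safe base64 alphabets, with optional trailing padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")


def looks_like_base64(token: str) -> dict:
    """Report whether a URL token is base64-shaped and whether it really decodes.

    "decodes" here means: valid base64 (standard or URL-safe) whose bytes are
    printable ASCII. A token that is merely base64-shaped is a hint that the
    link is a per-recipient tracking/one-time value rather than encoded data.
    """
    shaped = bool(B64_RE.match(token))
    decodes = False
    if shaped:
        padded = token + "=" * (-len(token) % 4)  # restore any stripped padding
        for altchars in (None, b"-_"):  # try standard, then URL-safe alphabet
            try:
                raw = base64.b64decode(padded, altchars=altchars, validate=True)
            except (binascii.Error, ValueError):
                continue
            if raw and all(32 <= b < 127 for b in raw):
                decodes = True
                break
    return {"base64_shaped": shaped, "decodes": decodes}


def inspect_lure_zip(archive_name: str, data: bytes) -> dict:
    """Flag the archive traits the post describes: one .exe member whose base
    name equals the archive's base name, with a lure-style name."""
    stem = archive_name.rsplit(".", 1)[0]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i.filename for i in zf.infolist() if not i.is_dir()]
    exes = [m for m in members if m.lower().endswith(".exe")]
    same_name = any(m.rsplit(".", 1)[0].lower() == stem.lower() for m in exes)
    return {
        "members": members,
        "single_exe": len(members) == 1 and len(exes) == 1,
        "exe_matches_archive": same_name,
        "lure_name": bool(LURE_NAME_RE.match(stem)),
    }


def verdict(findings: dict) -> str:
    """Simple scoring: two or more of the three traits is enough to escalate."""
    hits = sum(findings[k] for k in ("single_exe", "exe_matches_archive", "lure_name"))
    return "suspicious" if hits >= 2 else "no match"


def build_sample() -> tuple:
    """CONSTRUCTED sample mimicking the described lure (not a real capture):
    a zip named like the lure holding one same-named .exe of dummy bytes."""
    name = "costcoform3465567"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name + ".exe", b"MZ" + b"\x00" * 62)  # dummy header, not runnable
    return name + ".zip", buf.getvalue()


if __name__ == "__main__":
    archive, blob = build_sample()
    found = inspect_lure_zip(archive, blob)
    print(archive, found, verdict(found))
    # Constructed tokens: one real base64 string, one that only looks like it.
    for tok in ("aGVsbG8gd29ybGQ", "x9Qz-_Lp"):
        print(tok, looks_like_base64(tok))
```

The zip check never executes anything from the archive; it only reads the central directory, so it is safe to run against live attachments. Both checks are heuristics: a same-named exe inside a zip is common in legitimate software too, which is why the verdict requires more than one trait.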

[Screenshot: the per-recipient download URL from the Costco email]

This downloader, and the malware it in turn downloads, appear to be part of the Asprox botnet. Shortly after the sample is run, the infected machine starts blasting out emails. Not just spam, either: the sample was sending out more of the same malware we have been seeing come in.

[Screenshot: outbound malware emails sent from the infected sample]

As always, be wary of any unexpected email that wants you to download something. It could be easy to spot, like a zip with an exe inside, or it could be something harder to avoid, like a drive-by download link.