Locky Distribution Network Now Distributing Cerber And Kovter Via Spoofed Cannot Deliver Your Parcel Malspam

Over the last couple of days, we are noticing that the 2 different malspammed versions of spoofed / faked UPS, USPS and FedEx "failed to deliver your parcel" malspam are now distributing Cerber ransomware instead of Locky or Sage 2, along with Kovter.

How long this will go on for is unknown. The malware gangs do change from time to time. We normally see Locky as a consistent ransomware, so it is quite unusual for no new versions to be seen.

I am continuing to document the 2 versions and the never-ending changes and different sites used to distribute them: HERE and HERE

Let's just detail a few differences between the 2 malspammed versions.

The subjects all mention something about failing to deliver parcels and include:

  • Courier was not able to deliver your parcel (ID0000333437, FedEx)
  • Our UPS courier can not contact you (parcel #4633881)
  • USPS issue #06914074: unable to delivery parcel
  • Parcel #006514814 shipment problem, please review
  • USPS parcel #3150281 delivery problem
  • Courier was not able to deliver your parcel (ID006976677, USPS)
  • Parcel 05836911 delivery notification, USPS
  • New status of your UPS delivery (code: 6622630)
  • Please recheck your delivery address (UPS parcel 004360910)
  • Status of your USPS delivery ID: 158347377
  • FedEx Parcel: 1st Attempt Unsuccessful
  • Delivery Unsuccessful, Reason: No Answer
  • Express FedEx Parcel #614617064, Current Status: Delivery Failed


Both sets of emails are basically identical in the body of the email (the delivery service changes and switches between FedEx, UPS and USPS) and look something like:

Dear Customer,

Your item has arrived at March 01, but our courier was not able to deliver the parcel.

Postal label is enclosed to this e-mail. Please check the attachment!

Many thanks,

Danny Mccarty,

UPS Parcels Delivery Clerk.

Or:

Hello,

Your item has arrived at Fri, 03 Mar 2017 07:05:37 -0800, but our courier

was not able to deliver the parcel.

Postal label is enclosed to this e-mail. Please check the attachment!

Kind regards.

Melita Philo – USPS Senior Delivery Manager.

or:

Hello,

This e-mail is the confirmation of our 1st delivery try. Up-to-date Status:

Unsuccessful.

In the file you can check the important details about your shipment.

Thank you.

Ryan Mcalvain – FedEx Delivery Services

The first version, which was distributing Locky and Kovter but is now distributing Cerber and Kovter, comes from random senders with NO UPS, USPS or FedEx in the From: address. The attachment is a zip file with a second zip inside it that extracts to a .js file. These have names like UPS-Parcel-ID-4633881.zip, which extracts to UPS-Parcel-ID-4633881.doc.zip, which in turn extracts to UPS-Parcel-ID-4633881.doc.js.

The JavaScript files inside these are minimally obfuscated and simple to examine manually. They have an array of 5 sites hard coded into the .js file; the script contacts one of the sites and downloads another txt file. This text file is heavily obfuscated (but quite easily decoded) and contains another array of 5 sites, where the first site is tried, then each of the others in turn. The txt file contains some of the same sites as the email-based js file, with 1 or 2 changes. All the sites in this version are compromised / hacked sites, so they change very frequently.

The js file contacts the sites using a format along the lines of <site from array>/counter/?<variable m>, where m is a long set of random-looking characters hard coded in the js file.

The txt file that does the actual downloading uses <site from array>/counter/?1 (then ?2). ?1 was delivering Locky (now Cerber); ?2 delivers Kovter.

They look like:

The txt file looks like:

which when deobfuscated / decoded gives

Examples of this version: VirusTotal [1] [2] [3], Payload Security [1] [2] [3]

The second version has an email that looks the same as the first version, but is spoofed to appear to come from such senders as USPS Station Management, USPS Delivery, USPS Ground or FedEx TechConnect, FedEx Freight Shipments, FedEx International Delivery and similar variations, and might have a random email address beside the name. Some versions completely spoof the sender and look like FedEx International Delivery <service@fedex.com>.

The malware in this version has switched at random between Locky and Sage 2 ransomware. Over the last couple of days it has also changed and is now delivering Cerber and Kovter.

This version has a statically named zip attachment that is always Delivery-Details.zip, which extracts to Delivery-Details.js. But to confuse the issue slightly, there are several versions of these. Some have a straightforward single js file inside the zip, so the zip will be between ~800 bytes and about 4 KB in size. Some however will be around 80 KB in size and, although only containing a single 1 KB JavaScript file, will have up to 10 empty txt files all padded with blank content to make the zip larger (trying to bypass spam filters that look for tiny zip files, which tend to be an indication of malware).
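A mail-gateway check for both attachment layouts described above (the nested zip ending in a double-extension .js from version 1, and the Delivery-Details.zip padded with blank .txt files from version 2). This is an added example, not code from the original post; the sample zips are constructed in memory, and the extra script extensions beyond .js are an assumption.

```python
import io
import zipfile

# Script extensions worth flagging (assumption: the post only shows .js; the others are common carriers)
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf")

def build_zip(entries):
    """Build an in-memory zip from {name: content}; used here only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def analyse_zip(data, depth=0, max_depth=3):
    """Walk a zip and any zips nested inside it; report scripts, padding and nesting."""
    findings = {"scripts": [], "padding": 0, "nested": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(".zip") and depth < max_depth:
                # version 1 layout: zip -> .doc.zip -> .doc.js
                findings["nested"] += 1
                inner = analyse_zip(zf.read(info), depth + 1, max_depth)
                findings["scripts"] += inner["scripts"]
                findings["padding"] += inner["padding"]
                findings["nested"] += inner["nested"]
            elif name.endswith(SCRIPT_EXTENSIONS):
                findings["scripts"].append(info.filename)
            elif name.endswith(".txt") and not zf.read(info).strip():
                # version 2 layout: whitespace-only .txt entries that only inflate the zip
                findings["padding"] += 1
    return findings

def suspicious_reasons(findings):
    """Reasons to quarantine: any script is enough; the rest are supporting signals."""
    checks = [
        ("script attachment", bool(findings["scripts"])),
        ("double extension", any(n.count(".") > 1 for n in findings["scripts"])),
        ("blank padding files", findings["padding"] > 0),
        ("nested zip", findings["nested"] > 0),
    ]
    return [reason for reason, hit in checks if hit]

# Constructed samples modelled on the two versions described in the post (not real malspam)
VERSION1 = build_zip({"UPS-Parcel-ID-4633881.doc.zip":
                      build_zip({"UPS-Parcel-ID-4633881.doc.js": "var a = 1;"})})
VERSION2 = build_zip({"Delivery-Details.js": "var b = 2;",
                      **{f"pad{i}.txt": " " * 8000 for i in range(10)}})
```

Judging on the script rather than on zip size is the point: the padded version 2 sample is exactly what a tiny-zip size threshold would miss.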

The JavaScript file looks very similar to version 1 but generally has 4 or 5 hardcoded sites, all from the .top domain. For a while we saw 2 or 3 different sites in the array, but over the last 2 days we have seen an array of 5 identical sites hardcoded. Each email received has a different .top site hard coded in the array. This uses the same format to contact the .top site and examine a txt file which gives the download location.

The previous delivery format was <site name.top>/11.exe or <site name.top>/counter/11.exe.

Currently the format is <site from array.top>/counter/?<variable m>, where m is a long set of random-looking characters hard coded in the js file, and the actual download comes from <site name.top>/counter/exe1.exe. Yesterday this was Cerber (VirusTotal [1] [2], Payload Security), and /counter/exe2.exe delivers Kovter (VirusTotal). Currently, at the time of writing, all the .top sites I have listed are down and not responding. As soon as the new set of emails arrive, I will post images of them with any changes.
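The URL patterns from both versions (the /counter/?<m> lookup, the /counter/?1 and ?2 fetches, and the /11.exe, /counter/11.exe, /counter/exe1.exe and /counter/exe2.exe downloads) turned into a proxy-log scan. This is an added example, not the post's own code; the log lines and hostnames are constructed, and treating m as 16 or more alphanumerics is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic): timestamp client method url status
SAMPLE_LOG = """\
2017-03-03T07:10:01 10.0.0.12 GET http://compromised-site.invalid/counter/?ahBtxn0sQqwZ2Lk8Vvp1Rr 200
2017-03-03T07:10:02 10.0.0.12 GET http://compromised-site.invalid/counter/?1 200
2017-03-03T07:10:05 10.0.0.12 GET http://compromised-site.invalid/counter/?2 200
2017-03-03T07:11:00 10.0.0.40 GET http://downloader-site.top/counter/?Qz91kLmN4vXcB7tRpW3sYd 200
2017-03-03T07:11:03 10.0.0.40 GET http://downloader-site.top/counter/exe1.exe 200
2017-03-03T07:11:30 10.0.0.40 GET http://downloader-site.top/11.exe 404
2017-03-03T07:12:00 10.0.0.55 GET http://shop.example/counter/?page=2 200
"""

BEACON = re.compile(r"[A-Za-z0-9]{16,}")  # stage 1: /counter/?<m>; assumes m is 16+ alphanumerics
PAYLOAD_QUERY = re.compile(r"[12]")  # version 1: /counter/?1 (ransomware) or ?2 (Kovter)
PAYLOAD_PATH = re.compile(r"(?:/counter)?/(?:11|exe[12])\.exe")  # version 2 download names

def classify(url):
    """Return a label for a URL matching one of the downloader's patterns, else None."""
    parts = urlsplit(url)
    if parts.path == "/counter/":
        if PAYLOAD_QUERY.fullmatch(parts.query):
            return "payload-fetch-v1"
        if BEACON.fullmatch(parts.query):
            return "beacon"
    if PAYLOAD_PATH.fullmatch(parts.path):
        return "payload-fetch-v2"
    return None

def scan(log_text):
    """Return (client, url, label) for every log line that matches a pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        label = classify(fields[3])
        if label:
            hits.append((fields[1], fields[3], label))
    return hits

def clients_with_full_chain(hits):
    """Clients that both did the /counter/?<m> lookup and fetched a payload: the strongest signal."""
    by_client = {}
    for client, _, label in hits:
        by_client.setdefault(client, set()).add(label)
    return sorted(c for c, labels in by_client.items()
                  if "beacon" in labels and any(l.startswith("payload") for l in labels))
```

The /counter/ path alone is too generic to alert on (the shop.example line shows a benign hit), so the chain of lookup followed by payload fetch from the same client is what to escalate.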