Wednesday, January 9, 2013

FakeAVLock - FedEx Shipping Issues - Revisited

This is a continuation of the FedEx Malware Overnight posting. I had considered putting this in the same post, but there have been some changes in what was being seen. Will update with more as I find it.

** 1/14/2013 Updated with more Initial Landing Points and new Subject Characteristics. **
The current infection process is the same:

  • Receive a phishing email about a package
  • Download a ZIP file with Receipt.exe in it
  • Open the malicious EXE; it injects into svchost.exe, which then calls home
  • Calls home for the 2nd stage, trying multiple IPs until one connects successfully
  • Finishes the infection
  • Machine is unusable.
Characteristics of the email:
  • Different sender
  • Different subject
    • Starts with:
      • Tracking IR
      • Tracking Number
      • Number
    • 1 letter in ( )
    • 2-3 letters following the closing parenthesis
    • No space between the last letter and the numbers
      • Example subject: FW: Tracking ID (t)hia53 120 120 5339 5339
  • URL for the receipt is somewhat unique.
    • where # is a random number
  • Order number in the body is different.

External Link Data: 
Anubis  PostalReceipt.exe
UrlQuery  for the call home site of

Malicious IPs:
You may also see requests for the following files:

Initial Landing Links for the ZIP file:
The .php?reciept=79 query string has been seen in all of the landing links received (note the misspelling of "receipt" in the parameter name; that is the string that actually appears in the links).
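A small mail-filter helper, added here as an example (it is not code from the original post), that encodes the subject-line characteristics listed above and the .php?reciept=79 landing-link marker. The regex accepts both the "Tracking IR" lead-in from the list and the "Tracking ID" wording of the quoted sample subject, and treats a leading "FW:"/"RE:" as optional, which is an assumption based on the one sample. The sample messages and hostnames below are constructed, not captured data.

```python
import re
from urllib.parse import urlparse, parse_qs

# Subject pattern built from the characteristics in the post:
#   optional forward/reply prefix (assumption: the sample subject carries "FW:"),
#   a lead-in of "Tracking IR", "Tracking Number" or "Number" (the sample subject
#   reads "Tracking ID", so "Tracking I[RD]" accepts both spellings),
#   exactly one letter in parentheses, 2-3 letters, then digits with no space
#   before them, optionally followed by more space-separated digit groups.
SUBJECT_RE = re.compile(
    r"^(?:(?:FW|FWD|RE):\s*)?"
    r"(?:Tracking I[RD]|Tracking Number|Number)\s*"
    r"\([A-Za-z]\)"          # exactly one letter in parentheses
    r"[A-Za-z]{2,3}"         # 2-3 letters right after the closing paren
    r"\d+"                   # digits begin immediately, no space allowed
    r"(?:\s+\d+)*\s*$",      # further digit groups, e.g. "120 120 5339 5339"
    re.IGNORECASE,
)


def subject_matches(subject: str) -> bool:
    """True if the subject line fits the FedEx-lure pattern described in the post."""
    return SUBJECT_RE.match(subject.strip()) is not None


def is_landing_link(url: str) -> bool:
    """True if the URL looks like the ZIP landing link: a .php resource whose
    query string carries reciept=79 (the misspelled parameter name is the one
    actually seen in the links; a correctly spelled 'receipt' does not match)."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    if not parsed.path.lower().endswith(".php"):
        return False
    return parse_qs(parsed.query).get("reciept") == ["79"]


def scan_messages(messages):
    """Return the indices of messages whose subject or any embedded URL trips a rule.

    Each message is a dict with a 'subject' string and a 'urls' list."""
    hits = []
    for i, msg in enumerate(messages):
        if subject_matches(msg.get("subject", "")) or any(
            is_landing_link(u) for u in msg.get("urls", [])
        ):
            hits.append(i)
    return hits


# Constructed sample messages (not captured data). The first subject is the one
# quoted in the post; the hostnames are placeholders.
SAMPLE_MESSAGES = [
    {"subject": "FW: Tracking ID (t)hia53 120 120 5339 5339",
     "urls": ["http://example.invalid/fedex/receipt.zip"]},
    {"subject": "Tracking Number (q)xzv4471 9921",
     "urls": []},
    {"subject": "Your package has shipped",
     "urls": ["http://example.invalid/track.php?reciept=79"]},
    {"subject": "Number (a)bc 8841",                              # space before digits
     "urls": ["http://example.invalid/track.php?receipt=79"]},  # correctly spelled
    {"subject": "Meeting notes for Wednesday",
     "urls": ["http://example.invalid/index.html"]},
]

if __name__ == "__main__":
    for i in scan_messages(SAMPLE_MESSAGES):
        print(f"flagged message {i}: {SAMPLE_MESSAGES[i]['subject']!r}")
```

The subject rule alone will not catch a message whose lure text changes, so the URL rule is kept separate: either one firing is enough to flag the message, and the two can be tuned independently as the campaign shifts.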