Malspam is a classic hacking technique that still proves successful, especially when the emails in question are made to look quite legitimate. The goal with malspam is to get, as the name infers, malware to infect a machine via spam email. Such is the case with a current malspam campaign that has been monitored by security professionals since late June. According to Brad Duncan, a researcher at SANS Institute, the malspam in question is posing as email from the United Parcel Service and contains a .zip folder with both NemucodAES ransomware and Kovter malware.
The second of the .zip download is an older malware called Kovter. It was known initially as a ransomware, but eventually was formatted to be a “click-fraud” malware. Basically this creates a situation in which a malicious script generates clicks for numerous websites (which are also malicious) for obvious monetary reasons. During the infection, a hacker can infiltrate and gain control of your machine. Even if the machine becomes decrypted and the ransomware is removed, you still have to deal with the reality that your computer has been used as a hub for click-fraud or worse. The amount of malicious traffic that will have flooded your machine by this point is significant.
Victims are baited to download the .zip file containing NemucodAES and Kovter as the email (shown below) claims the attachment is related to an undelivered package from UPS.
In actuality, the .zip file contains the following malicious code:
The victim is then met with the following message:
The strategy for preventing an infection from this malspam is two-fold. Firstly, Duncan states that “with proper network monitoring, traffic from an infection is easily detected. But some of these messages might slip past your filtering, and some people could possibly get infected.” As such, one must educate themselves on the nature of malspam and how not to fall for download requests. If these two countermeasures are deployed, there is a chance that, as this campaign evolves, you can keep yourself and your network safe.
Photo credit: SANS Institute
1 thought on “Fake UPS malspam delivers two malicious packages”
I believe the same malspam is being used under the disguise of Walgreens and Amazon: e.g. of Amazon is below. Obtained via headers.
Deleted Walgreens but reported to Home Land Security.
Thank you for your recent order on Amazon.com
You’rr invited to review your product and redeem your new $50-voucher.
Your feedback helps customers pick the right products on Amazon.com
It’s an easy process! You are just one click away to activate your $50 voucher.
REVIEW AND PRINT REWARD
(Editor’s note: URLs were removed from example message)