I received an email from DHL saying that a parcel was sent to my home address, and it includes an attachment which is a malicious executable. If you also receive this email, please delete it immediately or report it to your security vendor. Below is an example of the spam mail:
Figure A. The Mail
This kind of attack has become popular over the past year. The sender address is forged to use the legitimate domain: in the example in Figure A it is infofuiwzuo@dhl.com, which a user may believe really comes from DHL, especially a user who is actually waiting for a DHL parcel. The From: header proves nothing, since the sender fills it in freely; only the Received: chain and the SPF/DKIM results in the full message headers show where the mail actually came from.
Based on the message of the email, the attached file is a document. In truth it is an executable file that uses a PDF icon, as shown in Figure B, to make the user believe it really is a document. This works when file extensions are hidden, and hiding the extension of known file types is the default setting in Windows Explorer. So most users who keep that default have a high chance of falling for this social engineering attack.
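Neither the icon nor the displayed name tells you what an attachment is; the file's own header does. The following is an added example, not code from the original post: it identifies an attachment by magic bytes (the DOS "MZ" header and the "PE\0\0" signature it points to, or the "%PDF-" prefix), records the hashes, and flags the three tricks discussed above (an executable with a document-like extension, a double extension such as .pdf.exe that Explorer shows as .pdf, and a plain .exe that relies on its icon). The sample bytes FAKE_PE and FAKE_PDF are constructed stand-ins, not the real DHL_notification.exe, and the extension sets are assumptions for illustration.

```python
import hashlib
import struct

# Extension sets used to decide what the name claims (assumed, for illustration).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".rtf"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def _build_fake_pe() -> bytes:
    """Constructed stand-in for an executable: a DOS header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature. Not a runnable program."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew = 0x80
    return bytes(dos) + b"\x00" * (0x80 - 64) + b"PE\x00\x00" + b"\x00" * 20


FAKE_PE = _build_fake_pe()                            # constructed sample
FAKE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"  # constructed sample


def real_type(data: bytes) -> str:
    """Identify the container from magic bytes, ignoring file name and icon."""
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-dos"   # MZ without a PE signature: DOS executable or damaged PE
    if data[:5] == b"%PDF-":
        return "pdf"
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes are, and hash the file."""
    lower = filename.lower()
    _, dot, tail = lower.rpartition(".")
    ext = "." + tail if dot else ""
    # With "Hide extensions for known file types" on, Explorer shows the name
    # without its last extension, so that is what the victim sees.
    displayed = filename[:-len(ext)] if ext else filename
    actual = real_type(data)

    flags = []
    if actual in ("pe", "mz-dos"):
        flags.append("executable")
        if ext in DOCUMENT_EXTS:
            flags.append("extension_mismatch")   # e.g. a PE named invoice.pdf
    inner_ext = "." + displayed.lower().rpartition(".")[2] if "." in displayed else ""
    if inner_ext in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        flags.append("double_extension")         # e.g. invoice.pdf.exe shown as invoice.pdf

    return {
        "filename": filename,
        "displayed_name": displayed,
        "extension": ext,
        "actual_type": actual,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "flags": flags,
    }


if __name__ == "__main__":
    for name, blob in [("DHL_notification.exe", FAKE_PE),
                       ("DHL_notification.pdf.exe", FAKE_PE),
                       ("DHL_notification.pdf", FAKE_PE),
                       ("invoice.pdf", FAKE_PDF)]:
        print(triage_attachment(name, blob))
```

A PE that carries a PDF icon and a plain .exe extension, as in this sample, is flagged only as "executable"; the icon lives in the resource section and is not consulted here, which is exactly why the check must come from the header rather than from what Explorer draws.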
Figure B. The Icon
File Information:
Filename: DHL_notification.exe
File size: 35,328 bytes
MD5: 64901CFDFB576D7C7C1D4F1F240315E2
SHA-1: B6C5A7D097CDCC9B71B010C7CFCEDDE6D0616E3F
File behavior:
Upon execution it drops a copy of itself under the following filename:
%Application Data%\Adobe\AdobeUtil.exe
It attempts to create the following folders if they do not exist:
%Application Data%\Adobe
%Application Data%\Adobe\plugs
%Application Data%\Adobe\shed
It also attempts to drop the following files:
%Application Data%\Adobe\AdobeUtil .exe
%Application Data%\Adobe\adb.cer
It attempts to create a shortcut to the copy of itself in the Windows Startup folder, which serves as its automatic execution (persistence) technique:
%Startup Folder%\AdbUpd.lnk
Note: %Startup Folder% is usually %User's Folder%\Start Menu\Programs\Startup on Windows XP; on Windows Vista and later it is %AppData%\Microsoft\Windows\Start Menu\Programs\Startup.
It tries to download and execute files from the following URLs:
http://62.122.73.203/548.exe - ThreatExpert File Analysis
http://d34ghqarfrgad.com/ftp/ftpplug2.dll
http://d34ghqarfrgad.com/lol.exe
http://erherg34gsafwe.com/ftp/base.bin
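The dropped files, the Startup shortcut and the download URLs above are the indicators a responder would sweep for. The following is an added example, not part of the original analysis: it matches proxy log lines against the IOC hosts (exact host match, so a look-alike such as erherg34gsafwe.com.example.net is not a hit) and matches a file listing against the dropped-file and persistence paths by suffix, so that drive letter and user name do not matter. The log format, the sample log lines and the sample file listing are all constructed for this example; the Vista-and-later AppData\Roaming suffixes are an assumption about where %Application Data% resolves on those systems.

```python
from urllib.parse import urlsplit

# Network IOCs from the analysis above.
IOC_URLS = [
    "http://62.122.73.203/548.exe",
    "http://d34ghqarfrgad.com/ftp/ftpplug2.dll",
    "http://d34ghqarfrgad.com/lol.exe",
    "http://erherg34gsafwe.com/ftp/base.bin",
]
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}

# Host IOCs from the analysis, as lower-case path suffixes relative to the user
# profile. The AppData\Roaming forms are an assumption for Vista and later.
IOC_PATH_SUFFIXES = [
    r"\application data\adobe\adobeutil.exe",
    r"\application data\adobe\adb.cer",
    r"\appdata\roaming\adobe\adobeutil.exe",
    r"\appdata\roaming\adobe\adb.cer",
    r"\start menu\programs\startup\adbupd.lnk",
]

# Constructed proxy log lines: '<time> <client> <method> <url> <status>'.
SAMPLE_LOG = [
    "2010-02-01T10:15:02Z 10.0.0.12 GET http://www.example.com/index.html 200",
    "2010-02-01T10:15:09Z 10.0.0.12 GET http://62.122.73.203/548.exe 200",
    "2010-02-01T10:15:11Z 10.0.0.12 GET http://d34ghqarfrgad.com/ftp/ftpplug2.dll 200",
    "2010-02-01T10:15:12Z 10.0.0.12 GET http://D34GHQARFRGAD.COM/lol.exe 404",
    "2010-02-01T10:16:00Z 10.0.0.31 GET http://erherg34gsafwe.com.example.net/x 200",
]

# Constructed file listing from an XP-style profile; the last two are benign.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Application Data\Adobe\AdobeUtil.exe",
    r"C:\Documents and Settings\alice\Application Data\Adobe\adb.cer",
    r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\AdbUpd.lnk",
    r"C:\Documents and Settings\alice\Application Data\Adobe\Acrobat\8.0\Preferences.dat",
    r"C:\Program Files\Adobe\Reader\AdobeUtil.exe",
]


def proxy_hits(log_lines):
    """Return (line_no, host, url) for each log line whose URL host is an IOC host.
    urlsplit().hostname lower-cases the host, so case in the log does not matter."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3]
        host = urlsplit(url).hostname
        if host and host in IOC_HOSTS:
            hits.append((n, host, url))
    return hits


def host_hits(paths):
    """Return the listed paths that end with a dropped-file or persistence artifact."""
    hits = []
    for p in paths:
        norm = p.replace("/", "\\").lower()
        if any(norm.endswith(suffix) for suffix in IOC_PATH_SUFFIXES):
            hits.append(p)
    return hits


if __name__ == "__main__":
    for hit in proxy_hits(SAMPLE_LOG):
        print("proxy:", hit)
    for path in host_hits(SAMPLE_PATHS):
        print("host: ", path)
```

On a live host the listing would come from walking the profile directory (os.walk over %USERPROFILE%), and the AdbUpd.lnk hit is the one to act on first, since it is what brings the dropped copy back after every logon.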