Friday, October 16, 2009

DHL Scam E-mail with Bredolab Trojan Attachment

Malicious e-mails are circulating that claim to be from DHL (an international shipping company) and use social engineering to trick users into opening an attachment.

This is very similar to another fake DHL e-mail scheme from back in March 2009 (see, for example, this post from Sophos' Graham Cluley).  Additionally, DHL (the real one) warned about a fraudulent e-mail campaign just last month that apparently distributed the same malware again.  This time around, however, it's a different Trojan altogether.

Here's a sample e-mail:
From: Manager Daphne Rubin {services @} [forged From address]
Subject: DHL customer service. Get your parcel Nr.45269
Date: October 16, 2009


The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please note!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Thank you for attention.
DHL Express Services.

Here's another sample, with the manager's name as "Charity Woot" and a different random string in the attachment's filename.

The .zip archive contains a malicious .exe program.  At present, the malware is only detected by 16 out of 41 major antivirus engines, with detection in the works from at least one additional vendor.  Most of the following information is courtesy of VirusTotal:
File name: DHL_print_label_*.exe [* = random 5-character alphanumeric string]
File size: 23552 bytes
MD5: 8960322225b6a842bad87a285f028f5f
SHA1: e8998eaf92a6e993018fe41079cf3b946c37193a
SHA256: 95c8f95a70e82ed808854d2818b3f8d126dc2e6acb98a2c158dec2f7f5aec27a

16/41 detection rate as of 2009.10.17 00:20:21 (UTC)

Variously identified as: a variant of Win32/Kryptik.AVH, Artemis!8960322225B6, Backdoor.Win32.Bredolab.akk, Mal/EncPk-KY, Medium Risk Malware, TR/Crypt.ZPACK.Gen, Trj/Sinowal.WOP, Trojan.Bredolab-318, Trojan.Crypt.ZPACK.Gen, Trojan.FakeAV!gen3, Trojan.Win32.Bredolab, TrojanDownloader:Win32/Bredolab.X, W32/Bredolab!Generic, W32/Obfuscated.D2!genr, X.W32.kryptik.bredo, Bredolab.gen.d, etc.
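As an added defender-side example (not code from the original post), here is a small Python check a mail gateway or analyst could run over a .zip attachment: it flags executables inside the archive, matches the DHL_print_label_*.exe naming pattern described above, and compares each flagged member's SHA-256 against the hash from the VirusTotal report. The zip it builds for demonstration is a constructed test file containing harmless bytes, not the real sample.

```python
import hashlib
import io
import re
import zipfile

# SHA-256 of the sample reported on this page (the constructed test zip below
# will not match it; a real hit only occurs on the actual attachment).
KNOWN_SHA256 = {
    "95c8f95a70e82ed808854d2818b3f8d126dc2e6acb98a2c158dec2f7f5aec27a",
}
# Lure filename from the post: DHL_print_label_ + 5 alphanumerics + .exe
LURE_NAME = re.compile(r"^DHL_print_label_[A-Za-z0-9]{5}\.exe$", re.IGNORECASE)
# Extensions that should never arrive inside a "shipping label" archive
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")


def inspect_zip_attachment(data: bytes) -> list:
    """Return one finding per suspicious archive member: its base name,
    SHA-256 and the list of reasons it was flagged."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"name": None, "sha256": None, "reasons": ["not a valid zip archive"]}]
    for info in archive.infolist():
        name = info.filename.rsplit("/", 1)[-1]  # ignore any folder prefix
        reasons = []
        if name.lower().endswith(EXEC_EXTS):
            reasons.append("executable inside archive")
        if LURE_NAME.match(name):
            reasons.append("matches DHL_print_label_*.exe lure pattern")
        if not reasons:
            continue
        digest = hashlib.sha256(archive.read(info)).hexdigest()
        if digest in KNOWN_SHA256:
            reasons.append("SHA-256 matches known Bredolab sample")
        findings.append({"name": name, "sha256": digest, "reasons": reasons})
    return findings


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed test attachment: a zip with a single harmless member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip("DHL_print_label_a7k2q.exe", b"harmless test bytes")
    for finding in inspect_zip_attachment(sample):
        print(finding)
```

Hash matching alone is brittle against repacked variants, so the filename and archive-content checks are what catch the next re-spin of the campaign.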
ThreatExpert behavioral analysis:

Anubis behavioral analysis:

See the Web of Trust (WOT) and MalwareURL reports for mmsfoundsystem .ru, a domain to which this malware phones home, and a related domain:

For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.