Thursday, December 26, 2013

Holiday Delivery Failures lead to Kuluoz malware

As Christmas grew closer and people began to worry about whether their online purchases would reach their destinations in time to be placed beneath the Christmas Tree, online scammers decided to take advantage of this natural fear to install malware on the computers of unsuspecting nervous nellies. One television news program today interviewed a woman who had almost fallen for one of these scams in a story they called Costco Customers Targeted in Phishing Scam. In that story, the shopper, Marianne Bartley, said the email she had received told her a package had not been delivered and that she would receive a refund, but if she didn't fill out an online form, she would be penalized 21% of the purchase price.

The local news station, KOLO 8, contacted Costco by telephone and received this automated warning:

"If you received an email concerning a delivery failure or cancellation: immediately delete the e-mail and do not reply. This is a phishing scam and was not sent by Costco. Costco is not affiliated with the e-mail in any way."

Here's the email that Marianne and hundreds of thousands of American Christmas shoppers have been receiving since December 19th at approximately 10 AM. The non-stop bombardment of spam continued throughout the day today, December 26th, and will likely continue tomorrow as well:

But it wasn't just Costco. In fact, Walmart and BestBuy were also used in this spam campaign with emails that looked like these:

Each day the Malcovery Spam Data Mine processes more than a million spam email messages searching for dangerous threats like these and our analysts evaluate the threats and provide intelligence to customers to help them protect themselves. In this case, Malcovery has seen more than 3,000 copies of these "Delivery" emails, which come with one of several prominent Subject lines:

  • Express Delivery Failure
  • Standard Delivery Failure
  • Scheduled Home Delivery Problem
  • Delivery Canceling
  • Special Order Delivery Problem
  • Expedited Delivery Problem

The spam messages are being sent out by the ASProx spam-sending botnet. Although the emails can come from any username and any domain, the "Sender Name" (the human-friendly portion of the "From" address) has been consistent as one of these:

  • Best Buy
  • Best Buy Shipping Agent
  • Costco
  • Costco Shipping Agent
  • Costco Shipping Manager
  • Walmart
  • Walmart Delivery
  • Walmart Delivery Agent

What would happen if someone clicked on one of these emails? The actual destination would depend on which date and which email type they clicked on, but we have collected a fairly extensive list of destination websites. A full list of the 636 compromised websites that we have seen so far in this campaign is listed at the very end of this article. Just in the past four hours we've seen spam samples that went to each of these websites:
Each of those websites has been broken into by a criminal's hacking program, which has created many subdirectories on the server, each starting with either "/media/" or "/messages/" followed by a long random-looking string, followed by a "Form Name". Here are a couple of recent examples:

/media/J4oHEmjaJvBvrdXTz3KJ5i7G46NP5/dGAYZ5aN4O qs=/CostcoForm
/media/fs1vp YmmEnb7Z6ftU5jKPU7X9Gc3DsasqKZPCIooRc=/WalmartForm
/media/9mz6i EkIDix5uVIAMa4AuEYNuNf18/32d3lFXUnyIQ=/CostcoForm
The "message" path (and the two BestBuy Forms) were more common earlier in the campaign. In fact, on the 19th, we ONLY saw BestBuy samples of the spam:

/message/zZFXQdfn98Ze1SQS7s6a9/yldS qZDpeIXu2C4RRif8=/BbForm
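As an added example (not code from the original post or from Malcovery), here is a small Python triage script that flags mail using the subject lines and spoofed retailer display names listed above, and flags proxy-log paths matching the /media/ and /message/ form-path shape shown in the examples. The retailer domains treated as legitimate and the sample message are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Lure subject lines and spoofed display names quoted in the post.
LURE_SUBJECTS = {
    "express delivery failure", "standard delivery failure",
    "scheduled home delivery problem", "delivery canceling",
    "special order delivery problem", "expedited delivery problem",
}
SPOOFED_NAMES = ("best buy", "costco", "walmart")
# Assumption: the domains the real retailers send from (not from the post).
LEGIT_DOMAINS = {"costco.com", "walmart.com", "bestbuy.com"}

# Landing-page path shape on the compromised sites: /media/ or /message/,
# a long random token (may contain '/', '+', '=' or a space where a '+'
# was URL-decoded), then the form name.
PATH_RE = re.compile(
    r"^/(?:media|message)/[A-Za-z0-9+/= ]{20,}/(?:Costco|Walmart|Bb)Form$"
)

def flag_email(raw: str) -> list[str]:
    """Return the reasons a raw RFC 822 message matches this campaign ([] if none)."""
    msg = message_from_string(raw)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"lure subject: {subject!r}")
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Retailer name in the display name but the address is not the retailer's domain.
    if any(name.lower().startswith(n) for n in SPOOFED_NAMES) and domain not in LEGIT_DOMAINS:
        reasons.append(f"retailer display name {name!r} sent from unrelated domain {domain!r}")
    return reasons

def is_campaign_path(path: str) -> bool:
    """True if a URL path (e.g. from a proxy log) matches the form-path pattern."""
    return PATH_RE.match(path) is not None

# Constructed sample message, not a real captured email.
SAMPLE = """From: Walmart Delivery Agent <news@example.org>
To: victim@example.net
Subject: Expedited Delivery Problem

Your order could not be delivered. Open the attached form within 24 hours.
"""

if __name__ == "__main__":
    print(flag_email(SAMPLE))
    print(is_campaign_path("/media/fs1vp YmmEnb7Z6ftU5jKPU7X9Gc3DsasqKZPCIooRc=/WalmartForm"))
```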

What happens first is that the website prompts the visitor to save or open the file "" (or whichever form they have visited).

If they choose "Open" it will show them that there is a form to be extracted within the .zip file.

If extracted or moved to the Desktop, the form will display a comforting Microsoft Word logo, despite the ".exe" extension.

If the visitor tries to open the WalMartForm.exe program, they will get an error message, which is actually a file called WalmartForm.txt opening in Notepad:

If we check memory though, the program "WalMartForm.exe" has spawned an instance of "svchost.exe" which has some very interesting strings, including:

That IP is believed to be the Command & Control (C&C) server to which my infected computer instance is talking.

Other interesting strings include a "knock" tag:

       (debug)5.1 x32  none  none(/debug)(/knock)

The location of some additional malware dropped from the server:

C:\Documents and Settings\Owner\Local Settings\Application Data\kinwmeiq.exe

And a tag that SEEMS to show the username of the malware author, though I'll not include that here . . .

Note that even though this malware distribution campaign has been running for at least seven days, many major anti-virus products are still unable to detect the malware as being malicious. A VirusTotal report showed that only 20 of 48 anti-virus products currently detect the malware that I received when visiting the most recent website seen in spam. Neither of the two locally installed AV products on my machine detect the malware, and the URL I attempted to visit was not marked as dangerous by any of the systems I have installed. VirusTotal Report here.

Hacked websites used to Deliver Delivery malware

Update -- the following destination domains seen on December 27th & December 28th.
