Security Alert: This Cryptolocker Package is Not the One You Were Waiting for
Massive spam campaign impersonating Post Nord sweeps over Scandinavia
The devil is in the details, as they say.
Over the past 3 days, the Heimdal Security team has analyzed a new wave of spam emails that use PostNord as bait. This restarts the wave of attacks that we spotted in September, October and November, which employed similar tactics.
The insidious goal is to trick random recipients into clicking a link in an email that appears to come from PostNord. And who wouldn’t be curious to find out more details about a package they received around Christmas? It could very well be a present, as the victims probably thought as well.
Once clicked, the link redirects the user to several compromised web pages. We’ve already blocked over 100 domains related to these new campaigns which infect victims’ PCs with Cryptolocker2.
Although the malware family is not new, antivirus detection is, unfortunately, very low, because of the techniques that the malware strain uses to remain covert.
What’s in the malicious email?
The spam emails arrive with the following contents, which reminded us of the previous campaigns we analyzed. But this time the attackers got better, because the language and phrasing are now more refined and seemingly authentic.
From: [spoofed / fake return address]
Subject Line:[% name of the receiver%] Paketet interest has levererats (for campaigns targeting Norway)
[% name of the receiver%] PostNord – Shipping Notice (for campaigns targeting Denmark)
shipping Anmalan Forsandelse [code] (for campaigns targeting Sweden)
The spam email uses a link that utilizes a dynamically generated folder on the compromised server to provide the content. This means that the attackers can customize the message according the specific countries they target, so they can persuade the user to click the malicious link.
The contents of the folder look something along the lines of:
Upon dissecting the payload, we say that it’s delivered as a zip file that can be delivered only once. As retaliation, cyber criminals have blocked several IP addresses that Heimdal uses in order to hinder our analysis. However, we managed to see that the payload that delivers the Cryptolocker2 infection is delivered only to IP addresses in Scandinavia.
Here is a small selection of the domains that have been compromised and are currently used in these spam campaigns:
Romashka-plus [.] ru
gold comfort [.] ru
solid parquet [.] ru
The infection is triggered by a file located in the zip we mentioned earlier, called “info_ [5 random numbers] .zip”. The binary code is camouflaged as a PDF document which is downloaded from:
downloader.disk.yandex [.] com
This binary code is slightly modified from the previous campaigns we looked at and it carries increasingly more similarities with Teslacrypt.
The result is always the same: Cryptolocker2 will encrypt all the data on your PC, on PCs connected to your computer in the network and on cloud apps you have synced on your PC. Moreover, it will also harvest email addresses from the infected PCs and send the data to a central C & C server, so they can be used in later spam campaigns.
If you’re a company, a good way to protect your machines from these attacks is to block the words that appear in the content of these spam emails in the email gateway. There are several words combinations used in the content which are unlikely to be sent to Danish companies with legitimate, honest purposes.
If you’re a home user, the best way you can protect yourself is to read this guide and follow the steps.
And if you want to go the extra mile, you can read on how malware creators use spam to maximize their impact.