We have been seeing an ongoing malware campaign claiming to be package delivery emails from places like Walmart, BestBuy, and Costco. The emails say a delivery was missed and contain a link to a form to fill out. The link actually leads to an external compromised site containing a malware zip download. The downloaded zip is similar to the previous WhatsApp and Wedding Invitation campaigns in previous posts in which the downloaded file uses a geolocation script to customize the file name. This time it’s also including a zipcode in the name as well. The exe inside is named the same.
An interesting thing this time around is that it seems the links that lead to the malware are only a one time use link. After clicking the link and downloading a zip, any repeat vists to the linked URL would lead to a 404 page. The full url looks to be a customized link for the recipient and looks similar to a base64 string but does not decode.
This malware and the malware that is downloaded appear to be a part of the Asprox botnet. After running the virus, a short while later it will start blasting out emails. Not just spam though, the sample was sending more of the same malware we have seen coming in as well.
As always, be wary of any unexpected emails wanting you to download anything. It could be easy to spot like a zip with an exe in it or it could be something a little more unavoidable like a drive by malware link.