USPS Fake E-mail

This is a good one – came in this morning…no text at all, just an image in an email:

When the hell is the 27th of Juny? And the entire image is a link to www.annehelene.fr/XXXXXXXXXX.htm – the Xs are likely changed for every email, etc. If you mistype the link or go to the root of the site you get this – a seemingly legit French cooking site:

But if you go to the actual link from the email, you get a nice zip file to download…with a “USPSLabel PDF attachment” – the joke is that Acrobat is not even installed on this system:

Being the good user that I am, I launch the ‘USPSLabel PDF File’…first there’s a service host started – and if you notice it was started as a child of explorer…sign number 1:

Then I also noted an autostart for some random executable that was dropped:

Then the fun starts – more child processes!! YAY!!


It should be noted that the service host process has a connection open to an address that resolves to the Netherlands:

Then the usual fun begins – oh no! I’m infected!!!!


Nice! Live Security Platinum!!! Interestingly, taskkill won’t kill either of the processes…but ProcExp (and even good old TaskManager) can kill the processes.
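The signs noted above (a service host spawned by explorer rather than by services.exe, an autostart entry for a freshly dropped executable, and a download whose name says "PDF" but which runs as a program) are exactly the kind of thing a defender can check for mechanically. The following is an added example of those checks run over constructed sample data; it is not code from the original post, and the process names, PIDs, paths and the `USPSLabel.pdf.exe` filename are assumptions rather than values taken from the screenshots.

```python
"""Triage heuristics for the indicators described in the post, run over
constructed sample data (added example, not from the original post).

Checks modelled:
  1. svchost.exe whose parent is not services.exe
     (the post's "sign number 1": a service host started as a child of explorer)
  2. an autostart (Run key) entry whose target sits in a user-writable
     directory such as %APPDATA% or %TEMP%, i.e. a dropped executable
  3. a downloaded file named to look like a document but carrying an
     executable extension (assumed shape of the "USPSLabel PDF" lure)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


# Constructed process snapshot (assumed values, not from the post's screenshots).
# explorer.exe's parent (userinit.exe) has already exited, so it is not listed.
SAMPLE_PROCS = [
    Proc(4, 0, "System"),
    Proc(500, 4, "wininit.exe"),
    Proc(600, 500, "services.exe"),
    Proc(800, 600, "svchost.exe"),        # normal: started by services.exe
    Proc(1200, 1100, "explorer.exe"),
    Proc(2500, 1200, "USPSLabel.pdf.exe"),  # assumed name for the launched lure
    Proc(2600, 1200, "svchost.exe"),      # svchost spawned by explorer -> anomalous
]

# Constructed Run-key entries as (value name, command line); names are made up.
SAMPLE_AUTORUNS = [
    ("OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    ("sysupdate", r"C:\Users\bob\AppData\Roaming\sysupdate.exe"),
]

# Which parent a given system process is expected to have.
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}

# Path fragments that indicate a user-writable drop location.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
DOCUMENT_WORDS = ("pdf", "doc", "invoice", "label", "receipt")


def find_parent_anomalies(procs):
    """Return (pid, name, parent_name) for processes with an unexpected parent."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name.lower())
        if not expected:
            continue
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<unknown>"
        if parent_name not in expected:
            findings.append((p.pid, p.name, parent_name))
    return findings


def find_suspicious_autoruns(entries):
    """Return Run-key entries whose target lives in a user-writable directory."""
    return [(name, cmd) for name, cmd in entries
            if any(marker in cmd.lower() for marker in USER_WRITABLE_MARKERS)]


def looks_like_disguised_executable(filename):
    """True when a file has an executable extension but a document-like name,
    e.g. 'USPSLabel.pdf.exe' or 'Invoice.scr'."""
    lower = filename.lower()
    if not lower.endswith(EXECUTABLE_EXTENSIONS):
        return False
    stem = lower.rsplit(".", 1)[0]
    return any(word in stem for word in DOCUMENT_WORDS)


def triage(procs, autoruns, downloaded):
    """Run all three checks and collect the findings in one report."""
    return {
        "parent_anomalies": find_parent_anomalies(procs),
        "suspicious_autoruns": find_suspicious_autoruns(autoruns),
        "disguised_downloads": [f for f in downloaded if looks_like_disguised_executable(f)],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_PROCS, SAMPLE_AUTORUNS, ["USPSLabel.pdf.exe", "report.pdf"])
    for key, hits in report.items():
        print(f"{key}: {hits}")
```

The parent check is the one that would have fired first in the post's sequence: a real service host is created by services.exe, so one whose parent is explorer.exe came from something the user launched. The autorun check catches the persistence step, and the filename check is the cheapest place to stop the chain, before anything is executed at all.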


Long story short: Never click any links in your email…and if you do, DO NOT DOWNLOAD ANYTHING EVER!!!!!!
