A professional malware email

TheMalwareMaster

[Screenshot attached: mail.PNG]
Hello :) I just wanted to share with you this professional malware email I received last week. As you can see, it is a fake email from DHL. The sender has added a fake phone number, email and the working hours of their employees to be more credible ;). It has only two small accent errors which won't be noticed if the email is read fast. The sender is also asking the reader to "reply" within 48 hours, probably to make the user open the attachment fast and get infected. I will translate the email for you, so you will be able to understand it better.
Dear customer,
you will find attached an important communication addressed to you, which we will be looking forward to within 48 hours. For privacy reasons, you should download the attached document.
Kind regards,
DHL Italy
 
It was a .js file; this was the VirusTotal detection when I first uploaded it. Avira was also flagging the archive which contained it (HEUR detection, and it probably had a cloud signature for the .js file). I submitted the file to Bitdefender, Avira, Microsoft and Symantec. It appears that Microsoft and Bitdefender didn't add any signature (checked today). I decided to re-SUD the sample https://www.virustotal.com/it/file/...f9af96482ffb86f3804e53e5/analysis/1474103184/
Here is a malware analysis for the file https://www.hybrid-analysis.com/sam...a47f9af96482ffb86f3804e53e5?environmentId=100
 
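As an added example (not code from the thread), here is a defender-side triage check in Python for the kind of lure described above: a courier brand in the display name but an unrelated sender domain, a deadline cue in the body, and a script file hidden inside a zip attachment. The sender domain, the list of legitimate brand domains and the sample message are constructed for illustration; the zipped .js is a harmless placeholder, not the real sample.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default

# Extensions Windows hands straight to the script host when double-clicked.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
URGENCY = re.compile(r"\b\d+\s*(?:hours|ore)\b", re.I)
# Display-name brand -> domains it legitimately sends from (assumed list).
BRANDS = {"dhl": ("dhl.com", "dhl.it")}

def _ext(name):
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def triage(raw):
    """Return indicator strings for a raw RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=default)
    found = []
    name, _, addr = str(msg.get("From", "")).lower().partition("<")
    domain = addr.strip(">").rsplit("@", 1)[-1]
    for brand, legit in BRANDS.items():
        if brand in name and not domain.endswith(legit):
            found.append(f"brand mismatch: '{brand}' in display name, sent from {domain}")
    body = msg.get_body(preferencelist=("plain", "html"))
    hit = URGENCY.search(body.get_content() if body else "")
    if hit:
        found.append(f"urgency cue: {hit.group(0)}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if _ext(fname) in SCRIPT_EXTS:
            found.append(f"script attachment: {fname}")
        elif _ext(fname) == ".zip":  # look one level into archives
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                found += [f"script inside archive: {fname} -> {n}"
                          for n in zf.namelist() if _ext(n) in SCRIPT_EXTS]
    return found

def build_sample():
    """Constructed lure modelled on the thread: DHL display name, 48-hour deadline, zipped .js."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL_comunicazione.js", "// harmless placeholder, not the real sample\n")
    msg = EmailMessage()
    msg["From"] = "DHL Italy <noreply@courier-notify.example>"  # constructed sender
    msg.set_content("Dear customer,\nyou will find attached an important communication,\n"
                    "of which we will be looking forward not later than 48 hours.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="DHL_comunicazione.zip")
    return bytes(msg)
```

Running `triage(build_sample())` yields three findings: the brand/domain mismatch, the "48 hours" cue, and the .js inside the zip.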
I still can't understand why both Microsoft and Bitdefender didn't add a signature. I submitted this last week! The file failed to execute in my VM (probably has anti-VM code)
 
I still can't understand why both Microsoft and Bitdefender didn't add a signature. I submitted this last week! The file failed to execute in my VM (probably has anti-VM code)

Awesome breakdown @TheMalwareMaster. I find that Avast doesn't take my samples either; I've submitted confirmed malware to them a bunch of times and they rarely ever get added to the signatures.
 