
An evolving malspam campaign changed its tactics and increased its complexity on three separate occasions over the span of four days.

Researchers first spotted the malicious spam campaign on 11 April. At that time, its attack emails each had a different sender, subject line, message, and link. But all of them used the United States Postal Service (USPS) as a theme and claimed there was a problem delivering a package to the recipient.

An example of the malspam. (Source: SANS ISC)

The email links, which were all subdomains of ideliverys[dot]com, each led to a 404.html page that redirected to fake portal pages for Microsoft Office. These sites contained Google Doc URLs masquerading as Office plugins. But instead of loading up a plugin, the links downloaded Mole, a ransomware family which uses AES-256 to encrypt a victim’s files.

Mole’s ransom note. (Source: Bleeping Computer)

Two days later, researchers spotted an updated version of the malspam campaign. Its attack emails still used ideliverys[dot]com subdomain links to redirect users to fake Office portals. But unlike its first variant, the campaign’s new version traded Google Docs URLs for a zip archive containing JavaScript files. Anyone who unzipped the archive exposed themselves to Nemucod in the form of “plugin.js.” This downloader, in turn, infected each hapless user with Mole ransomware as well as Kovter and Miuref.
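The two delivery variants described above (links under ideliverys[dot]com subdomains leading to a 404.html redirector, and a zip archive carrying "plugin.js") map to simple mail-triage checks. The following is an added example, not code from the original article or from the researchers cited; the mail records and zip it inspects are constructed in-memory samples, and the extra script suffixes are an assumption beyond the single ".js" the article mentions.

```python
import io
import zipfile
from urllib.parse import urlparse

CAMPAIGN_DOMAIN = "ideliverys.com"          # email links were subdomains of this host (re-fanged)
REDIRECT_PAGE = "/404.html"                 # landing page that bounced to the fake Office portal
SCRIPT_SUFFIXES = (".js", ".jse", ".wsf")   # assumption: script types commonly zipped as lures
def refang(url):
    """Turn a defanged URL (hxxp, [.], [dot]) back into a parseable one."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[dot]", ".")
def url_indicators(url):
    """Reasons a link matches the first two variants (redirector subdomains)."""
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    reasons = []
    if host == CAMPAIGN_DOMAIN or host.endswith("." + CAMPAIGN_DOMAIN):
        reasons.append("link under " + CAMPAIGN_DOMAIN)
    if parsed.path.lower().endswith(REDIRECT_PAGE):
        reasons.append("404.html redirector page")
    return reasons

def zip_indicators(zip_bytes):
    """Reasons a zip attachment looks like the Nemucod 'plugin.js' lure."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["attachment is not a valid zip"]
    return ["script in archive: " + n for n in names if n.lower().endswith(SCRIPT_SUFFIXES)]

def triage_message(msg):
    """msg = {'links': [str, ...], 'attachments': {filename: bytes}}; returns findings."""
    findings = []
    for link in msg.get("links", []):
        findings += url_indicators(link)
    for name, data in msg.get("attachments", {}).items():
        if name.lower().endswith(".zip"):
            findings += zip_indicators(data)
    return findings

def build_zip(files):  # helper to construct an in-memory zip for the offline sample
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples mirroring the 11 April (link) and 13 April (zip) variants; not real mail.
SAMPLE_V1 = {"links": ["hxxp://track1.ideliverys[dot]com/404.html"], "attachments": {}}
SAMPLE_V2 = {"links": [], "attachments": {"USPS_label.zip": build_zip({"plugin.js": "// lure"})}}
```

The checks are deliberately narrow to the indicators the article gives; the 14 April variant, which linked straight to the fake Word portals, needs the portal hostnames, which the article does not list.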

Yet another change arrived the next day on 14 April. At that point, the attack emails abandoned the redirection URLs altogether and linked directly to the fake Word portals.

Here’s an illustration of how the campaign changed between 11 April and 14 April.

The evolution of the malspam campaign. (Source: Palo Alto Networks)

It’s unusual to see a campaign make so many changes over such a short period of time. No doubt these modifications help it to evade detection, which explains why the attackers were still altering their operation as of this writing.

As security researcher Brad Duncan explains in a blog post for Palo Alto Networks:

“… [T]his campaign continues to evolve. By Tuesday April 18, 2017, it stopped distributing Mole ransomware, and it began pushing the KINS banking Trojan with Kovter and Miuref. By Friday April 21, 2017, this campaign moved from USPS-themed emails to messages about speeding tickets, and it began utilizing a fake parking services website.”

To protect themselves against this dynamic campaign, users should exercise caution around suspicious links and email attachments. They should also download an anti-virus solution onto their computers and follow these tips to help prevent a ransomware infection.