An evolving malspam campaign changed its tactics and increased its complexity on three separate occasions over the span of four days.
Researchers first spotted the malicious spam campaign on 11 April. At that time, its attack emails each had a different sender, subject line, message, and link. But all of them used the United States Postal Service (USPS) as a theme and claimed there was a problem delivering a package to the recipient.
The email links, which were all subdomains of ideliverys[dot]com, each led to a 404.html page that redirected to fake portal pages for Microsoft Office. These sites contained Google Doc URLs masquerading as Office plugins. Clicking the supposed plugin did not load one; instead, the link downloaded Mole, a ransomware family which uses AES-256 to encrypt a victim's files.
Yet another change arrived on 14 April. At that point, the attack emails dropped the redirection URLs altogether and linked directly to the fake Word portals.
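The link chain above gives a mail gateway two concrete things to key on: any subdomain of the campaign's domain, and the 404.html lure path that fronted the redirect. The following Python is an added example written for this page, not code from the original article or from the researchers it cites. It scores a message on both the redirect-style links from 11 April and the direct portal links from 14 April, and falls back to a "review" verdict when a delivery-themed message carries links but no known indicator. The keyword list, the example.org hosts, and the sample messages are constructed assumptions; only ideliverys[dot]com and the 404.html path come from the article.

```python
import re
from urllib.parse import urlparse

# Indicators named in the article: links were subdomains of ideliverys[dot]com
# and hit a 404.html page that redirected onward. Stored refanged for matching.
CAMPAIGN_DOMAINS = {"ideliverys.com"}
LURE_PATHS = {"/404.html"}

# Assumption: a small keyword list capturing the USPS delivery-notice theme.
THEME_WORDS = ("usps", "postal", "package", "parcel", "delivery")

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def refang(text):
    """Turn de-fanged indicators (hxxp, [dot], [.]) back into matchable URLs."""
    return text.replace("hxxp", "http").replace("[dot]", ".").replace("[.]", ".")


def host_matches(host, domains):
    """True when host equals a listed domain or is any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def score_url(url):
    """Return the indicators a single URL trips (empty list means none known)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    hits = []
    if host_matches(host, CAMPAIGN_DOMAINS):
        hits.append("campaign-domain")
    if path in LURE_PATHS:
        hits.append("404-redirect-lure")
    return hits


def score_message(subject, body):
    """Combine per-URL indicators with the delivery theme into a verdict.

    Returns (verdict, findings) where verdict is "block", "review" or "allow"
    and findings maps each flagged URL to the indicators it tripped.
    """
    text = refang(subject + "\n" + body)
    urls = URL_RE.findall(text)
    themed = any(word in text.lower() for word in THEME_WORDS)
    findings = {url: score_url(url) for url in urls if score_url(url)}
    if findings:
        verdict = "block"
    elif themed and urls:
        verdict = "review"  # delivery-themed mail with links but no known IOC
    else:
        verdict = "allow"
    return verdict, findings


# Constructed sample messages (not real captures) covering each campaign phase.
SAMPLES = [
    ("USPS Delivery Failure #4471",
     "We could not deliver your package. Details: hxxp://track.ideliverys[dot]com/404.html"),
    ("Your package is on hold",
     "Open the Word portal to view: http://portal.ideliverys.com/office/index.html"),
    ("Parcel notice",
     "Track your parcel at https://news.example.org/track"),
    ("Lunch", "Noon?"),
]


def run_samples():
    """Score every sample and return the verdicts in order."""
    return [score_message(subject, body)[0] for subject, body in SAMPLES]


if __name__ == "__main__":
    for (subject, body), verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:6s} {subject!r} {score_message(subject, body)[1]}")
```

The "review" tier matters because the article shows the campaign rotating sender, subject, link and, by 21 April, even its theme: a filter that only blocks on today's domain list will miss tomorrow's rotation, so theme-plus-link messages without a known indicator go to a human or a sandbox rather than straight to the inbox.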
Here’s an illustration of how the campaign changed between 11 April and 14 April.
It's unusual to see a campaign make so many changes over such a short period of time. These modifications most likely help it evade detection, which would explain why the attackers were still altering their operation as of this writing.
As security researcher Brad Duncan explains in a blog post for Palo Alto Networks:
“… [T]his campaign continues to evolve. By Tuesday April 18, 2017, it stopped distributing Mole ransomware, and it began pushing the KINS banking Trojan with Kovter and Miuref. By Friday April 21, 2017, this campaign moved from USPS-themed emails to messages about speeding tickets, and it began utilizing a fake parking services website.”
To protect themselves against this dynamic campaign, users should exercise caution around suspicious links and email attachments. They should also install an anti-virus solution on their computers and follow these tips to help prevent a ransomware infection.