
Here’s an interesting targeted malware attack.

[Image: 2020 07 07 15 38 38]

As an operator of several websites and online stores, I get hit with a multitude of attempted malware attacks on a daily basis. Most of them I can easily identify. This one, however, was quite clever in its execution.

The email appears to come from the DHL delivery service. Skipping past the text, there is a blurred scan of a packing slip or invoice. The item is blurred just enough to encourage you to click through (thinking a click-thru would take you to the full-size image). A click, however, downloads a compressed PDF/exe with a viral payload.

It downloads the file from here:

https://cdn.discordapp.com/attachments/729500064132628503/729855991226826882/DHL_DOC_Invoicepacking_list_and_BL_PDF.lzh

I thought the blurred image was especially clever.
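A defender-side check for the delivery pattern described above (an image that is itself the link, pointing at an archive with a document-like name on a file-sharing CDN). This is an added example, not code from the original post; the extension list, keyword pattern, function names and sample HTML are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

RISKY_EXT = {".lzh", ".lha", ".zip", ".rar", ".7z", ".iso", ".exe", ".scr"}  # assumed list
DOC_HINT = re.compile(r"pdf|docx?|xlsx?|invoice|packing", re.I)  # assumed keywords
FILE_HOSTS = {"cdn.discordapp.com"}  # the host quoted in the post
SAMPLE_HTML = (  # constructed body; only the first URL is from the post
    '<a href="https://cdn.discordapp.com/attachments/729500064132628503/'
    '729855991226826882/DHL_DOC_Invoicepacking_list_and_BL_PDF.lzh"><img src="cid:slip.jpg"></a>'
    '<a href="https://www.example.com/track?id=123">Track your parcel</a>'
)

class LinkCollector(HTMLParser):  # collects [href, wraps_image] per <a>
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._open = [href, False]
            self.links.append(self._open)
        elif tag == "img" and self._open is not None:
            self._open[1] = True  # the image itself is the clickable element

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

def score_link(href, wraps_image=False):
    """Return reasons a link resembles the lure in the post ([] if none)."""
    url = urlparse(href)
    stem, dot, ext = unquote(url.path.rsplit("/", 1)[-1]).rpartition(".")
    if not dot or "." + ext.lower() not in RISKY_EXT:
        return []  # not an archive or executable download
    reasons = ["archive_or_executable_download"]
    if DOC_HINT.search(stem):
        reasons.append("document_name_on_non_document_file")
    if (url.hostname or "").lower() in FILE_HOSTS:
        reasons.append("file_sharing_cdn")
    if wraps_image:
        reasons.append("image_is_the_link")
    return reasons

def scan_email_html(html):  # {href: reasons} for suspicious links only
    parser = LinkCollector()
    parser.feed(html)
    return {h: r for h, img in parser.links if (r := score_link(h, img))}
```

Running `scan_email_html(SAMPLE_HTML)` flags only the first link, with all four reasons attached.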

I could count the times I’ve had something delivered by DHL on one hand. You would wonder why a hacker would use DHL instead of UPS, FedEx, USPS, etc. Firstly, this blurred image in the email is exactly what you’d expect from a lower cost service like DHL. But Americans rarely use DHL? Why would DHL encourage a click-thru?

In my instance, I just happened to have 3 DHL packages coming from China. The targeting of this attack is oddly appropriate, far more than random chance. DHL is a Chinese company and we all know China has their hand in all Chinese businesses. Or possibly DHL is pwnd and doesn’t know it. Or maybe they scanned my websites and saw items from China and presumed DHL would be used to deliver them. Either way, it seems pretty clear that the attacker knew I was doing business with DHL.

The malware is Kryptik (obfuscated). Here’s the exe detail:

[Image: 2020 07 07 14 48 48]