DHL e-mail campaign downloading ZeuS and Feodo

This past month a new DHL campaign has been spreading malware in a zip file. The executable in the zip was identified (with a high detection rate) as Oficla by the Antivirus engines. This malicious code, with filename DHL_Etiqueta.exe, acts as a downloader asking a server the URLs it must use to download the other malicious files. It always uses in the requests the User-Agent Opera\9.64. These are the requests and responses in this case:

Both of the downloaded files, morph.exe and esmilk.exe, are banking trojans. The former is a sample of Feodo, with a low detection rate (7/41), which downloads the configuration file from a server after sending to it a POST request:

The latter is a ZeuS with a medium detection rate (20/43). It connects with the domain to download the configuration file and to send data to the C&C panel:

Like it's said in ThreatExpert the malware received by mail may spread itself by sending emails to some pseudo-aleatory addresses with different senders and bodies.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

Type the characters you see in this picture. (verify using audio)
Type the characters you see in the picture above; if you can't read them, submit the form and a new image will be generated. Not case sensitive.