UPS Invoice Notification spam campagin (Nov. 23, 2011)


With the coming of holiday season, SonicWALL UTM Research team observed the surge in the online threats. Reports of email spam campaign containing malware attachment pretending to be coming from United Parcel Service (UPS) continue to flood email inboxes.

Computer users are advised to take precaution in opening unsolicited emails especially from unknown sender. UPS also hosted this presentation to raise awareness about UPS related scams.

The behavior of this malware is further discussed below:

Subject: United Parcel Service – Invoice is available [random numbers]

Attachment: UPS-Billing-Invoice-Notification-[random numbers].zip

Message Body:

    UPS Billing Center

    This is an automatically generated email. Please do not reply to this email address.

    Dear UPS Customer,

    A new invoice is now available in the UPS Billing Centre.
    Please refer to attached file for more details

    Please visit the UPS Billing Centre to view and pay your invoice.

    Coming Soon!
    Effective January 2012, the UPS Billing Centre can be accessed using your My UPS ID.
    Current UPS Billing Centre users will be prompted to convert to a My UPS ID. Learn more

    Discover more about UPS:
    Explore UPS Freight Services
    Learn About UPS Companies
    Sign Up For Additional Email From UPS
    Read Compass Online

    (c) 2011 United Parcel Service of America, Inc., the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
    For more information on UPS’s privacy practices, refer to the UPS Privacy Policy.
    Please do not reply directly to this e-mail. UPS will not receive any reply message.
    For questions or comments, visit Contact UPS.

    This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
    Privacy Policy
    Contact UPS

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

Files Created:

  • Application DataSomonekpos.exe – copy of original malware – blocked as GAV:Kryptik.VUY
  • Application DataAfisaawqide.myx – data file
  • Application DataAfisaawqide.dat – data file

Harvests email addresses:

  • Microsoft Address Book
  • Internet Browser Cookies

Checks for installed client FTP:

  • FlashFXP
  • GhislerTotal Commander
  • ipswitchws_ftp
  • FarPluginsftphosts
  • Far2Pluginsftphosts
  • martin prikrylwinscp 2sessions
  • ftpwarecoreftpsites
  • smartftpclient 2.0settingsgeneralfavorites

Network Activity:

    DNS Request: nos{removed}

    Post Request: http://nos{removed}

Virtual Machine Detection:

    Key: HKLMSystemCurrentControlSetServicesDiskEnum
    Value: 0

    • IDEDiskVMware_Virtual_IDE_Hard_Drive

VNC Server Detection:

    Tries to connect to VNC server and waits for the following response:

  • RFB 003.003

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

GAV:Kryptik.VUY (Trojan)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.