Security Response

Bredolab Delivers More Parcels and Cash

Created: 15 Sep 2009 21:02:39 GMT • Updated: 23 Jan 2014 18:32:42 GMT
Hon Lau

Yes folks, the Bredolab crew is at it once again. Today we saw a moderate wave of spam email, numbering a few thousand per hour. Rather than stooping to exploit the death of Patrick Swayze to deliver their malware, the Bredolab gang is still adapting the old reliable: spam email messages with promises of undelivered parcels and cash for collection. Depending on whether the delivery is for cash or for a parcel, you will get a slightly different message, although the attachment names are much the same in both cases and follow a distinct pattern.

For parcel deliveries you might see something like the following example:
 

Subject: =?koi8-r?B?REhMIERlbGl2ZXJ5IHByb2JsZW0guT[UP TO 6 RANDOM CHARACTERS]?=
 
Body:
Dear customer!
 
Unfortunately we were not able to deliver the postal package sent on the 24th of June in time
because the recipients address is inexact.
Please print out the invoice copy attached and collect the package at our department.
 
DHL Express Services.
---------------------------------
Hello!
 
We failed to deliver your postal package which was sent on the 21st of July in time
because the recipients address is wrong.
Please print out the invoice copy attached and collect the package at our department.
 
DHL Express Services.
---------------------------------
Hello!
 
We were not able to deliver your postal package you have sent on the 7th of July in time
because the recipients address is erroneous.
Please print out the invoice copy attached and collect the package at our office.
 
DHL Global Forwarding Services.
 
 
If the delivery is related to cash, the spam emails may look like the following:
 
Subject: Western Union transfer is available for withdrawl.
Body:
 
Dear customer.
 
The amount of money transfer: [RANDOM AMOUNT] USD.
Money is available to withdrawl.
 
You may find the Money Transfer Control Number and receiver's details in document attached to this email.
 
Western Union.
Financial Services.
 
 ---------------------------------
Dear customer.
 
The amount of money transfer: [RANDOM AMOUNT] USD.
Money is available to withdrawl.
 
You may find the MTCN number and receiver's details in document attached to this email.
 
Western Union.
Finance Department.

 
 
Attachments:

The attachments have file names that follow the pattern FILE_X[4 HEX DIGITS].zip (for example: FILE_X5644.zip, FILE_X9f84.zip, or FILE_Xf8a9.zip). Each .zip file contains an executable with the same base name but an .exe extension.
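As an added illustration (my own code, not Symantec's or the post's), the lure traits described above can be turned into a mail-filter check: decode the RFC 2047 subject, match the FILE_X[4 hex].zip attachment name, and look inside the archive for an .exe with the same base name. The sample message and its zip payload are constructed inline and are not a real capture; the subject keywords are assumptions drawn from the examples above.

```python
import io
import re
import zipfile
from email.header import decode_header
from email.message import EmailMessage

# Attachment naming pattern from the post: FILE_X followed by four hex digits, .zip extension
ATTACH_RE = re.compile(r"^FILE_X([0-9a-fA-F]{4})\.zip$")
# Subject phrases seen in the lures (assumed keyword list, extend as needed)
SUBJECT_RE = re.compile(r"DHL Delivery problem|Western Union transfer is available", re.I)

def decode_subject(raw_subject: str) -> str:
    """Decode an RFC 2047 encoded-word subject such as =?koi8-r?B?...?= into text."""
    parts = []
    for chunk, charset in decode_header(raw_subject):
        parts.append(chunk.decode(charset or "ascii", errors="replace") if isinstance(chunk, bytes) else chunk)
    return "".join(parts)

def zip_hides_matching_exe(zip_bytes: bytes, zip_name: str) -> bool:
    """True if the archive contains an .exe whose base name equals the zip's base name."""
    wanted = zip_name[:-4].lower() + ".exe"
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return any(n.lower() == wanted for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # corrupt or non-zip payload: leave it to other checks

def matches_bredolab_lure(msg: EmailMessage) -> list:
    """Return the reasons a message matches the lure described in the post (empty if none)."""
    reasons = []
    subject = decode_subject(msg.get("Subject", ""))
    if SUBJECT_RE.search(subject):
        reasons.append(f"lure subject: {subject.strip()!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACH_RE.match(name):
            reasons.append(f"attachment name pattern: {name}")
            if zip_hides_matching_exe(part.get_payload(decode=True), name):
                reasons.append(f"zip contains {name[:-4]}.exe")
    return reasons

def build_sample() -> EmailMessage:
    """Constructed sample message resembling the campaign (placeholder payload, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FILE_X9f84.exe", b"placeholder bytes, not a real binary")
    msg = EmailMessage()
    msg["Subject"] = "=?koi8-r?B?REhMIERlbGl2ZXJ5IHByb2JsZW0g?="  # decodes to "DHL Delivery problem "
    msg.set_content("Dear customer!\nPlease print out the invoice copy attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="FILE_X9f84.zip")
    return msg
```

Run `matches_bredolab_lure(build_sample())` to see all three indicators reported for the constructed sample; in a real filter, any two together are a strong quarantine signal.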
 
If you are (un)lucky enough to be offered a free parcel or cash in this manner, you’d be well advised to steer clear. You’ll also be glad to know Symantec is happy to step in and intercept these bogus deliveries on your behalf and deal with them in the appropriate manner—by intercepting and removing them. In case you want to know, all of the malware samples seen so far in this campaign are already detected by our antivirus products as Packed.Generic.243.