An evolving malspam campaign changed its tactics and increased its complexity on three separate occasions over the span of four days.

Researchers first spotted the malicious spam campaign on 11 April. At that time, its attack emails each had a different sender, subject line, message, and link. But all of them used the United States Postal Service (USPS) as a theme and claimed there was a problem delivering a package to the recipient.
[Figure: An example of the malspam. (Source: SANS ISC)]

The email links, which were all subdomains of ideliverys[dot]com, each led to a 404.html page that redirected to fake portal pages for Microsoft Office. These sites contained Google Doc URLs masquerading as Office plugins. But instead of loading a plugin, the links downloaded Mole, a ransomware family which uses AES-256 to encrypt a victim's files.
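The infection chain just described (lure link on a subdomain of ideliverys[dot]com, a 404.html that redirects, a lookalike Office portal, then a Google Docs download) can be matched in web-proxy logs. The following is an added detection example, not code from the article or from the researchers it cites; the log format, the sample lines and the portal hostname are constructed placeholders.

```python
"""Flag the USPS-themed redirect chain in proxy logs (added example).

Chain: *.ideliverys.com/404.html (3xx) -> lookalike Office page -> Google Docs URL.
Log format is a constructed, simplified one: timestamp client status url referrer.
"""
from collections import defaultdict
from urllib.parse import urlparse

LURE_DOMAIN = "ideliverys.com"   # from the article (written ideliverys[dot]com there)
DROP_HOST = "docs.google.com"    # Google Doc links posing as Office plugins

# Constructed sample lines, not real telemetry; the portal host is a placeholder.
SAMPLE_LOG = """\
2017-04-11T09:12:01 10.0.0.5 302 http://track.ideliverys.com/404.html -
2017-04-11T09:12:02 10.0.0.5 200 http://office-portal.invalid/index.html http://track.ideliverys.com/404.html
2017-04-11T09:12:40 10.0.0.5 200 https://docs.google.com/uc?export=download&id=PLACEHOLDER http://office-portal.invalid/index.html
2017-04-11T10:00:00 10.0.0.7 200 https://docs.google.com/document/d/PLACEHOLDER/edit https://mail.example.com/
"""

def host(url):
    """Lower-cased hostname of a URL, or '' for '-' and other non-URLs."""
    return (urlparse(url).hostname or "").lower()

def parse_log(text):
    """Parse the constructed format into (ts, client, status, url, referrer) tuples."""
    rows = []
    for line in text.splitlines():
        ts, client, status, url, ref = line.split()
        rows.append((ts, client, int(status), url, ref))
    return rows

def find_chains(rows):
    """Return (client, portal_host, gdoc_url) for each complete lure -> portal -> download chain."""
    hits = []
    per_client = defaultdict(list)
    for row in rows:
        per_client[row[1]].append(row)
    for client, events in per_client.items():
        lures = set()    # 404.html URLs on the lure domain that answered with a redirect
        portals = set()  # pages reached via a lure redirect (the fake Office portal)
        for _ts, _c, status, url, ref in events:
            h = host(url)
            if h.endswith("." + LURE_DOMAIN) and urlparse(url).path == "/404.html" and 300 <= status < 400:
                lures.add(url)
            elif ref in lures and h != DROP_HOST:
                portals.add(url)
            elif h == DROP_HOST and ref in portals:
                hits.append((client, host(ref), url))  # ordinary Google Docs use is not flagged
    return hits

if __name__ == "__main__":
    for hit in find_chains(parse_log(SAMPLE_LOG)):
        print("suspicious chain:", hit)
```

The chain is keyed on referrers rather than on the Google Docs host alone, so legitimate Docs traffic (the second client above) is left untouched.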
[Figure: The evolution of the malspam campaign. (Source: Palo Alto Networks)]

It's unusual to see a campaign make so many changes over a short period of time. No doubt these modifications help it to evade detection. That explains why attackers are still altering their operation as of this writing.

As security researcher Brad Duncan explains in a blog post for Palo Alto Networks:

"… [T]his campaign continues to evolve. By Tuesday April 18, 2017, it stopped distributing Mole ransomware, and it began pushing the KINS banking Trojan with Kovter and Miuref. By Friday April 21, 2017, this campaign moved from USPS-themed emails to messages about speeding tickets, and it began utilizing a fake parking services website."

To protect themselves against this dynamic campaign, users should exercise caution around suspicious links and email attachments. They should also install an anti-virus solution on their computers and follow these tips to help prevent a ransomware infection.