Trojan Express Delivery

In the past couple of days, Symantec has observed a spike of email attacks that are designed to distribute malicious threats. All of the observed samples are spoofed to appear as if they are legitimate delivery warnings or notifications from UPS or Post Express. The message text asks recipients to open the zipped executable file for further details or actions necessary to take delivery of the item.

Below are the sample headers observed in this spam attack:

From: "United Parcel Service" <info***[email protected]>
From: "UPS� Customer Services"<***>
From: "United Parcel Service" <***>
From: "Neil Molina" United Parcel Service  <[Details Removed]@ [Details Removed]>
From: "Kimberley Miner" United Parcel Service  <[Details Removed]@ [Details Removed]>

Subject: United Parcel Service notification 40983
Subject: Delivery Status
Subject: UPS: Your Package
Subject: United Parcel Service notification
Subject: United Postal Service Tracking Nr.

From: "Post Express Support" <postmail-int[Details Removed]@[Details Removed]>
From: "Post Express Information" <postmail-usa. [Details Removed]@[Details Removed]>
From: "Post Express Report" <postmail-usa. [Details Removed]@ [Details Removed]>
From: "Post Express Office" <postmail-usa. [Details Removed]@[Details Removed]>
From: "Post Express Information" <postmail-usa. [Details Removed]@[Details Removed]>

Subject: Post Express Office. Package is available for pickup. NR03909
Subject: Post Express Office. Delivery refuse. NR4245855
Subject: Post Express Office. Track your parcel. NR06678
Subject: Post Express Office. Error in the delivery address. NR4061172
Subject: Post Express Office. Get the parcel NR31215

Once the recipient downloads the compressed file, the following threats are installed:

UPS tracking number.exe was detected as Trojan.FakeAV.
UPS notify.exe was detected as Backdoor.Cycbot.
Post_Express_Label.exe was detected as Trojan.Sasfis.

A couple of spam samples are shown below:


Symantec analyzed the attacks further and found that the increase in malicious activity, sent from diverse geographical locations, indicates that spammers are working to rebuild their botnets after the Rustock takedown.

Symantec recommends that users adhere to the basic practice of not opening or downloading any suspicious attachments from emails such as those described above. Also, install all security patches and keep antivirus definitions up to date to prevent the compromise of personal machines or networks.

12 Million Exploit Attacks Originating from the CO.CC Domain

Symantec’s telemetry has shown over 12 million Intrusion Prevention Signature (IPS) hits on sub domains of the ‘CO.CC’ domain in the last six months. Anyone somewhat familiar with the top-level domain-naming hierarchy might be lead to believe that CO.CC is actually an official second-level domain similar to CO.UK; this, however, is not the case. .CC is the Internet country code top-level domain (ccTLD) for Cocos (Keeling) Islands, an Australian territory. "CO.CC" is not an official hierarchy; it is a domain owned by a company that offers free sub domains and other services such as URL forwarding. The terms and conditions for use of the ‘CO.CC’ Web site can be found here.

The CO.CC domain itself is legitimate and has registered over eight million legitimate website URLs on its sub domains. However, wherever a free service exists, it is susceptible to being abused by malware distributors.  A malware distributor can register several free sub domains and use the URL forwarding service to point them all to one domain hosting a crimeware exploit pack. This way an attacker can stage their attack through redirection and try to mask the final URL destination hosting the exploit pack. This in turn makes it more difficult for the black listing of malicious URLs. In our analysis, we have seen numerous exploit packs such as Black hole, Fragus, Phoenix, Crimepack, K0de, and Eleonore being associated to CO.CC sub domains.  


This may not sound very innovative to some readers, as in the past we have seen other free services, such as free dynamic DNS sites, being abused by malware distributors. Attacks such as Hydraq (Aurora) highlighted the use of dynamic DNS by attackers and has lead to numerous companies blocking the use of dynamic DNS sites on their network. The use of free services on sites, such as the one highlighted in this blog, has given attackers another avenue for performing their attacks.

In our research, we have also identified variants of the following threats to be communicating with CO.CC sub domains.

Threats seen using CO.CC sub domains

As always, Symantec recommends that you keep your definitions up to date to ensure protection against threats mentioned in this blog.