DHL spam campaign leads to MokesLoader Trojan Downloader

January 6, 2012

SonicWALL UTM Research team observed an increase in spam campaigns employing DHL package delivery schemes. The emails, pretending to be from DHL, inform the user that a package is being sent to their address and that the relevant tracking number is in the attachment. The zipped attachment in the email is a newer variant of the MokesLoader Trojan downloader.

Email subjects used in this spam campaign include:

  • DHL Delivery refuse
  • DHL Error package delivery
  • DHL shipment status No***
  • Error in the delivery address
  • Error in the delivery address No*******
  • Error package delivery
  • Get your parcel No***
  • Shipment Status No***
  • Track your parcel No******
  • Track your shipment No****

The body of the email is as shown below:

 ---------------------------------------------------------------------
 Dear customer.

 Your package has been sent to your address.
 Please find a post label attached which contains a track number of
 your package.

 Thank you for your attention.
 DHL Global Services.
 ---------------------------------------------------------------------

The following file with a misleading icon is present in the zip attachment:


It performs the following activities when executed:

  • It creates the following files:
    • %appdata%\csrss.exe (Copy of itself) [Detected as GAV: "MokesLoader.MS (Trojan)"]
    • %appdata%\Microsoft\Protect\qbfbv.xx
    • %appdata%\Microsoft\Protect\rpphtrt.nv
  • It reports the new infection to a remote server using a uniquely generated login id:
    • GET /aaa/index.php?cmd=getload&login={removed}&sel=sp3ya&ver=5.1&bits=0&file=1&run=ok
  • It creates the following registry entries so that the infection persists across reboots:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Clients "%appdata%\csrss.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mcoyr "rundll32 %appdata%\MICROS~1\Protect\rpphtrt.nv, itgn"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run imfblgk "rundll32 %appdata%\MICROS~1\Protect\qbfbv.xx, namn"
  • It creates a TCP backdoor on the infected machine
  • It reports the backdoor port to the remote server:
    • GET /aaa/index.php?cmd=getsocks&login={removed}&port=2592 HTTP/1.1
  • The following commands were used to communicate with the remote server:
    • getgrab
    • getproxy
    • getload
    • getsocks
  • It receives instructions from remote server and downloads additional malware.
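A defender-side check for the beacon traffic listed above, added here as an example and not part of the advisory: it scans constructed proxy-log lines (the host name, login id and benign requests are made up) for the cmd/login query pattern and extracts the reported backdoor port, generalizing from the two observed requests to all four listed commands.

```python
import re
from urllib.parse import urlsplit, parse_qs

# C2 commands listed in the advisory for this MokesLoader variant.
MOKES_COMMANDS = {"getgrab", "getproxy", "getload", "getsocks"}

# Pulls the request URL out of a common-log-style proxy line: "GET <url> HTTP/1.x".
REQUEST_RE = re.compile(r"\b(GET|POST)\s+(\S+)")


def classify_request(url):
    """Return a dict describing a MokesLoader-style beacon, or None.

    A beacon is a request whose 'cmd' parameter is one of the known C2
    commands AND which carries the bot's 'login' id; the path (/aaa/index.php
    in the observed sample) is recorded but not required, since it may change.
    """
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    cmd = qs.get("cmd", [None])[0]
    if cmd not in MOKES_COMMANDS or "login" not in qs:
        return None
    info = {"cmd": cmd, "login": qs["login"][0], "path": parts.path}
    if cmd == "getsocks" and "port" in qs:
        info["backdoor_port"] = int(qs["port"][0])  # port of the TCP backdoor
    if cmd == "getload" and "ver" in qs:
        info["os_ver"] = qs["ver"][0]  # Windows version the bot reported
    return info


def scan_log(lines):
    """Return [(line_no, finding)] for every beacon found in the log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            finding = classify_request(m.group(2))
            if finding:
                hits.append((n, finding))
    return hits


# Constructed sample proxy log (hypothetical host and login id; not from the advisory).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Jan/2012:10:00:01] "GET http://c2.example.invalid/aaa/index.php?cmd=getload&login=a1b2c3&sel=sp3ya&ver=5.1&bits=0&file=1&run=ok HTTP/1.1" 200 512',
    '10.0.0.5 - - [06/Jan/2012:10:00:02] "GET http://www.example.com/index.php?page=home HTTP/1.1" 200 2048',
    '10.0.0.5 - - [06/Jan/2012:10:00:03] "GET http://c2.example.invalid/aaa/index.php?cmd=getsocks&login=a1b2c3&port=2592 HTTP/1.1" 200 16',
    '10.0.0.7 - - [06/Jan/2012:10:00:04] "GET http://www.example.com/search?cmd=getload HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line_no, finding in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {finding}")
```

The last sample line shows the edge case: a cmd value alone is not enough, the login id must be present too.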

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: MokesLoader.MS (Trojan)
  • GAV: MokesLoader.MK (Trojan)
  • GAV: MokesLoader.LS (Trojan)
  • GAV: MokesLoader.LH (Trojan)
  • GAV: Dofoil.L#email (Trojan)