Muncy Malware Distributed via DHL Phishing Campaign

A new trojan named Muncy has been found targeting users worldwide. It is distributed via a phishing campaign entitled “DHL Shipment Notification” that impersonates the logistics giant DHL, a popular shipment distribution firm, to lure users.

The first wave was observed on February 12th, 2019 by the Segurança Informática (SI) Lab, and further analysis revealed that badly configured SMTP servers are a major vector for spreading malicious campaigns.

Threat actors are leveraging poorly configured SMTP servers and email spoofing techniques to distribute the DHL phishing campaign so that it looks like a legitimate one.

The sender address used to carry out this campaign is: <support@dhl[.]com>.

The distributed malspam email contains a malicious attachment that poses as a PDF, but the extracted file is an .exe. When a user opens the email and extracts the malicious attachment, the malware scans the user’s computer and collects information, including FTP data. After the malware is unpacked and initially executed, a new process is created and executed. That process performs a mass scan of the user’s C:\ drive, obtaining sensitive information that is sent to a domain managed by the crooks, sameerd[.]net.
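The traits described above (a spoofed dhl.com sender relayed through a server that is not authorised for that domain, the campaign subject line, and an attachment posing as a PDF that unpacks to an .exe) can be checked at the mail gateway. The following is an added example, not code from the article or from SI Lab; it builds a constructed sample message that mimics the campaign and assumes the receiving MTA records the SPF verdict in an Authentication-Results header.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

LURE_SUBJECT = "DHL Shipment Notification"
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")

def build_sample() -> bytes:
    """Constructed sample message mimicking the campaign (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed payload: a PE-looking stub ('MZ' header), not real malware.
        zf.writestr("DHL_Shipment_Notification.pdf.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "DHL Express <support@dhl.com>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = LURE_SUBJECT
    # Verdict a receiving MTA adds when the relay is not an authorised dhl.com sender.
    msg["Authentication-Results"] = "mx.example.org; spf=fail smtp.mailfrom=dhl.com"
    msg.set_content("Your shipment details are attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="DHL_Shipment_Notification.pdf.zip")
    return msg.as_bytes()

def triage(raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    auth = msg.get("Authentication-Results", "")
    sender_dom = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if sender_dom and sender_dom.group(1).lower() == "dhl.com" and "spf=pass" not in auth:
        findings.append("spoofed-sender: dhl.com From without SPF pass")
    if LURE_SUBJECT.lower() in (msg.get("Subject") or "").lower():
        findings.append("lure-subject: matches campaign subject line")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(EXEC_EXTS):
            findings.append(f"executable-attachment: {name}")
        # Look inside archives: the lure name ends in .pdf but the member is a PE file.
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for inner in zf.namelist():
                    if inner.lower().endswith(EXEC_EXTS) or zf.read(inner)[:2] == b"MZ":
                        findings.append(f"archive-hides-executable: {name} -> {inner}")
    return findings
```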

“The malware is packed, and during the malware analysis, we cannot unpack it. After the first execution, it is unpacked to the PE file .data section that was empty at start. The threat executes a scan to all C:\ drive trying to find sensitive data and files (mainly FTP files) and that will be sent to a final endpoint managed by crooks (sameerd.net),” explained the SI Lab researchers.

They also observed that no persistence mechanism was identified on the users’ devices during the malware infection life cycle. Researchers noted that the discovery of the new Muncy malware highlights how bad actors are quickly adapting their attack techniques and artifact characteristics to launch their campaigns successfully, without even being detected.