Earlier this month, cybercriminals attempted to infect spam recipients with the Mole ransomware, using emails that appeared to be from the U.S. Postal service.
Earlier this month, cybercriminals attempted to infect spam recipients with the Mole ransomware, using emails that appeared to be from the U.S. Postal service.

A malicious spam campaign found impersonating the U.S. Postal Service and delivering an apparent Cryptomix ransomware variant called Mole has already changed its tactics multiple times since its discovery earlier this month

A blog post Tuesday from Palo Alto Networks covers the metamorphosis of this malicious activity, which may be part of a spam scheme that was previously reported on by Malwarebytes.

Blog post author Brad Duncan, a threat intel analyst with Palo Alto's Unit 42 division, first detected the campaign on April 11. At the time, the spam emails included Google Docs links that redirected to fake Microsoft Word online sites, which asked victims to download and install a supposed Microsoft Office plug-in. In reality, this plug-in was a Windows-based ransomware known as Mole.

Two days later, on April 13, the cybercriminals began including additional malware in the campaign -- namely Kovter and Miuref (aka Boaxxe). Also, the compromised Microsoft Word pages were now distributing the malware in the form of a zip archive that contained the JavaScript-based Nemucod downloader. Nemucod, in turn, would then produce the Mole ransomware. The following day, attackers stopped using a redirect link in the malicious spam and instead linked directly to the fake Word online site.

The USPS spam emails would attempt to convey a sense of urgency to the recipient, using subject lines such as "IMPORTANT USPS REFUND INFO," "Major problems reported to the USPS support team," and "PROMPT ACTION NEEDED: your order's been delayed." In a separate write-up on the SANS Institute's Internet Storm Center InfoSec Forums, Duncan noted that the Mole ransomware samples that he studied would not run on a virtualized or sandbox environment.

On April 10, Malwarebytes had reported on a spam campaign that also impersonated the USPS and also used Nemocod to disseminate malware -- in this case, Nymaim, Kovter and Miuref. (It did not, however, spoof Microsoft Word Online sites or deliver Mole.)

The spam sample that Malwarebytes published was dated April 5. "My guess is [that] it's likely the same actor, before the campaign evolved to the fake Word Online sites, and before it started sending Mole ransomware a few days later," said Duncan, in an interview with SC Media. "Email addresses, subject lines, [the] message text from the [April 5] message are similar to what we're seeing now. Malware associated with that particular email... matches the same patterns we're currently seeing."

On April 18, the campaign shifted dramatically, Palo Alto Networks further reported, as the culprits dropped the Mole ransomware in favor of the KINS banking trojan, alongside Kovter and Miuref. Then on April 21, the campaign stopped impersonating the USPS and instead delivered messages pertaining to speeding tickets, utilizing a fake parking services website.