2014-09-18 - UPATRE INFECTION FROM EMAIL LINK
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2014-09-18-traffic-for-document_09182014.zip.pcap.zip
- 2014-09-18-traffic-for-Document81264_pdf.zip.pcap.zip
NOTES:
- Today, I noticed the same URL used in two differently-themed phishing emails, indicating these are from the same overall campaign.
- One was a fake NatWest email, and the other was a fake fax message. The phishing emails all had senders starting with: secure@
- Senders for these emails noted so far:
- Fake fax email - Sending IP: 5.196.98[.]76 (France, OVH) - Sending email address: secure@docs-thl[.]com - Subject: Fax
- Fake fax email - Sending IP: 46.105.103[.]138 (ns317804.ip-46-105-103[.]eu) - Sending email address: secure@doc-us[.]com - Subject: (empty subject)
- Fake NatWest email - Sending IP: 188.165.192[.]169 (ns322840.ip-188-165-192[.]eu) - Sending email address: secure@docs-mvm[.]com - Subject: (empty subject)
- Some of the links to malware from these emails:
- document_09182014.zip - 89.40.36[.]20 - ascevo[.]com - GET /tefacxvuxe/ulkovadgta.html
- document_09182014.zip - 23.252.123[.]242 - pintoreservicios[.]com - GET /iudtyvveno/awgvlopvkk.html
- Document81264_pdf.zip - 193.37.145[.]27 - al-katech[.]com - GET /acztobqupi/cfhjhbmbzy.html
- Document81264_pdf.zip - 212.129.5[.]110 - photolife[.]ir - GET /nnmzfwtqiv/zlzepufrut.html
- Not working - 108.163.173[.]26 - portmagdalena[.]com - GET /ksjxyphfnw/fxdfdibdqo.html
- The same link appears in both a fake NatWest email and a fake fax email.
- On his Dynamoo Blog, Conrad Longmore has an example of a Lloyds Bank phishing email using the same URL patterns ( link ), and his malware sample acted similarly to mine.
- I didn't notice any significant VRT or Emerging Threats signatures trigger on the infection traffic when I executed the malware on a VM.
EXAMPLE OF THE EMAILS
SCREENSHOTS:
MESSAGE TEXT - FAKE NATWEST EMAIL:
From: "secure@doc-us[.]com" <secure@doc-us[.]com>
Date: Thursday, September 18, 2014 at 10:37 UTC
To:
You have a new private message from NatWest
To view/read this your secure message please click here
Email Encryption Provided by NatWest. Learn More.
Email Security Powered by Voltage IBE
Copyright 2014 National Westminster Bank Plc. All rights reserved.
To unsubscribe please clickhere
National Westminster Bank Plc. All rights, save as expressly granted, are reserved. Reproduction in any form of any part of the contents of this website without our prior written consent is prohibited unless for personal use only.
To view/read this your secure message please click here
MESSAGE TEXT - FAKE FAX EMAIL:
From: "secure@docs-thl[.]com" <secure@docs-thl[.]com>
Date: Thursday, September 18, 2014 at 10:36 UTC
To:
Subject: Fax
You have received a new fax. This fax was received by Fax Server.
The fax has been downloaded to dropbox service (Google Inc).
To view your fax message, please download from the link below. It's operated by Dropbox and safety.
hxxp://pintoreservicios[.]com/iudtyvveno/awgvlopvkk.html
Received Fax Details
----------------------------------------------------------------------------------------
Received on: 16/09/2014 08:14 AM
Number of Pages: 1
From (ID): 503-879-20098
Duration of Fax: 0:00:29
Transfer Speed: 4400
Received Status: Success
Number of Errors: 0
Port Received: NP_104
----------------------------------------------------------------------------------------
This e-mail has been sent from an automated system.
PLEASE DO NOT REPLY.
The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.
PRELIMINARY MALWARE ANALYSIS
ZIP FILE - FIRST EXAMPLE:
File name: document_09182014.zip
File size: 7,447 bytes
MD5 hash: 35d584d43036ace4ab5e9b5c1754baa7
Detection ratio: 18 / 54
First submission: 2014-09-18 09:53:50 UTC
VirusTotal link: https://www.virustotal.com/en/file/6e7633fd8a2a0518b89ed17e435d426c4ccb5ab8f9b3d55d5a4ccc5f7c2c5719/analysis/
EXTRACTED MALWARE - FIRST EXAMPLE:
File name: document_09182014.scr
File size: 19,968 bytes
MD5 hash: 2580ddd3beb3924654a9f9aec9e195a0
Detection ratio: 16 / 55
First submission: 2014-09-18 09:38:33 UTC
VirusTotal link: https://www.virustotal.com/en/file/72f0fa8c053fab90a43ed18ff5bb962de6d31f13b7dc7fb078afb0ba1ded4722/analysis/
DROPPED MALWARE - FIRST EXAMPLE:
File name: avsem.exe
File size: 454,656 bytes
MD5 hash: 890defc75b7a896a7a84cbb5a7538f37
Detection ratio: 22 / 54
First submission: 2014-09-18 13:03:40 UTC
VirusTotal link: https://www.virustotal.com/en/file/6102d59bbe05aff4ba699823f177e020436aa76c756c4fc26e6dd54581894c28/analysis/
ZIP FILE - SECOND EXAMPLE:
File name: Document81264_pdf.zip
File size: 7,892 bytes
MD5 hash: c21fec7842565899c7dee6b416cd1204
Detection ratio: 10 / 55
First submission: 2014-09-18 17:34:50 UTC
VirusTotal link: https://www.virustotal.com/en/file/fe0a774b669ed7d75b2d37ebb8da9d79ad386bb0f4dca9e6cbbcd6aed7a430ae/analysis/
EXTRACTED MALWARE - SECOND EXAMPLE:
File name: Document81264_pdf.scr
File size: 20,480 bytes
MD5 hash: 8f602ab1e9288adbb80a93e50bdbe144
Detection ratio: 7 / 53
First submission: 2014-09-18 17:35:38 UTC
VirusTotal link: https://www.virustotal.com/en/file/7259b1adda698861a8251685887953d892dff2eb5b141d9051db03cbfcc2c76a/analysis/
DROPPED MALWARE - SECOND EXAMPLE (1 OF 2):
File name: kjyzp.exe
File size: 387,072 bytes
MD5 hash: 301df83591485e0b4604dc1cee954e6c
Detection ratio: 5 / 53
First submission: 2014-09-18 20:08:02 UTC
VirusTotal link: https://www.virustotal.com/en/file/e23f5c74de75bd846a1e4d2f58be71fecb1548e9b51c2b4ad2c6caff3cb50437/analysis/
DROPPED MALWARE - SECOND EXAMPLE (2 OF 2):
File name: vcllf.exe
File size: 399,360 bytes
MD5 hash: 80ad0c1aadb6520ca0c999ebebf264e1
Detection ratio: 3 / 55
First submission: 2014-09-18 19:26:16 UTC
VirusTotal link: https://www.virustotal.com/en/file/f686300b3d2e356ce64ffa7e8b2998baa29f889101e7bec73f85e2c020e0aa8a/analysis/
VM INFECTION TRAFFIC - EXAMPLE 1
Downloading document_09182014.zip and executing the malware in a VM:
- 17:46:14 UTC - 23.252.123[.]242:80 - pintoreservicios[.]com - GET /iudtyvveno/awgvlopvkk.html
- 17:46:14 UTC - 23.252.123[.]242:80 - pintoreservicios[.]com - GET /iudtyvveno/document_09182014.zip
- 17:52:12 UTC - 188.165.204[.]210:21603 - 188.165.204[.]210:21603 - GET /1809uk2/WIN-BDE26NS3NG1/0/61-SP1/0/
- 17:52:12 UTC - 188.165.204[.]210:21603 - 188.165.204[.]210:21603 - GET /1809uk2/WIN-BDE26NS3NG1/1/0/0/
- 17:52:13 UTC - 86.106.30[.]115:80 - funworld[.]ro - GET /scripts/1809uk2.shh
- 17:52:14 UTC - 188.165.204[.]210:21603 - 188.165.204[.]210:21603 - GET /1809uk2/WIN-BDE26NS3NG1/41/5/4/
- 17:52:19 UTC - 208.64.8[.]6:3478 - UDP traffic to stun.phonepower[.]com
- 17:52:36 UTC - 212.79.111[.]155:3478 - UDP traffic to stun.iptel[.]org
- 17:53:11 UTC - 64.24.35[.]201:3478 - UDP traffic to stun1.voiceeclipse[.]net
- 17:53:45 UTC - 173.194.71[.]127:19302 - UDP traffic to stun4.l.google[.]com
- 17:53:45 UTC - 94.23.250[.]88:443 - encrypted traffic (IP registered to OVH)
- 17:54:31 UTC - 94.23.250[.]88:443 - encrypted traffic (IP registered to OVH)
VM INFECTION TRAFFIC - EXAMPLE 2
Downloading Document81264_pdf.zip and executing the malware in a VM:
- 22:30:49 UTC - 193.37.145[.]27:80 - al-katech[.]com - GET /acztobqupi/cfhjhbmbzy.html
- 22:30:50 UTC - 193.37.145[.]27:80 - al-katech[.]com - GET /acztobqupi/Document81264_pdf.zip
- 22:31:35 UTC - 188.165.204[.]210:17909 - 188.165.204[.]210:17909 - GET /1809inst/WIN-FQ12E6SS3GJ/0/61-SP1/0/
- 22:31:35 UTC - 188.165.204[.]210:17909 - 188.165.204[.]210:17909 - GET /1809inst/WIN-FQ12E6SS3GJ/1/0/0/
- 22:31:35 UTC - 188.165.204[.]210:17909 - 188.165.204[.]210:17909 - GET /1809us/WIN-FQ12E6SS3GJ/1/0/0/
- 22:31:36 UTC - 119.59.120[.]23:80 - smart-trainingcenter[.]com - GET /css/install6.tar
- 22:31:40 UTC - 188.165.204[.]210:17909 - 188.165.204[.]210:17909 - GET /1809inst/WIN-FQ12E6SS3GJ/41/5/4/
- 22:31:41 UTC - 5.9.28[.]140:80 - ds.iranlicence[.]com - GET /Baner/1809us.tar
- 22:31:44 UTC - 188.165.204[.]210:17909 - 188.165.204[.]210:17909 - GET /1809us/WIN-FQ12E6SS3GJ/41/5/4/
- 22:31:49 UTC - 173.194.71[.]127:19302 - UDP traffic to stun4.l.google[.]com
- 22:31:49 UTC - 188.165.237[.]145:443 - encrypted traffic (IP registered to OVH)
- 22:31:52 UTC - 188.165.237[.]145:443 - encrypted traffic (IP registered to OVH)
- 22:31:55 UTC - 188.165.237[.]145:443 - encrypted traffic (IP registered to OVH)
- 22:31:55 UTC - 188.165.237[.]145:443 - encrypted traffic (IP registered to OVH)
- 22:31:55 UTC - 188.165.237[.]145:443 - encrypted traffic (IP registered to OVH)
- 22:31:55 UTC - 188.165.237[.]145:443 - encrypted traffic (IP registered to OVH)
- 22:31:58 UTC - 188.165.237[.]145:443 - encrypted traffic (IP registered to OVH)
- 22:31:58 UTC - 188.165.237[.]145:443 - encrypted traffic (IP registered to OVH)
- 22:32:03 UTC - 188.165.237[.]145:443 - encrypted traffic (IP registered to OVH)
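Since no VRT or Emerging Threats signatures fired on this traffic, a simple way to pick out the chain in both traffic lists above is to look for the repeated GETs to a bare IP on a high port that carry the VM's hostname in the path, the .shh/.tar download whose file name repeats the first path segment of those GETs, and the STUN lookups that follow. The script below is an added example written for this page, not the author's code; reading the path fields as campaign id, victim hostname and OS version is an assumption drawn from the values listed, and the sample input is copied from the EXAMPLE 1 list in the author's defanged form.

```python
import re
from typing import List, Tuple
# Constructed sample input: lines copied from the "VM INFECTION TRAFFIC - EXAMPLE 1" list on
# this page, kept in the author's defanged form ([.] in IP addresses and hostnames).
SAMPLE_LOG = """\
17:46:14 UTC - 23.252.123[.]242:80 - pintoreservicios[.]com - GET /iudtyvveno/awgvlopvkk.html
17:46:14 UTC - 23.252.123[.]242:80 - pintoreservicios[.]com - GET /iudtyvveno/document_09182014.zip
17:52:12 UTC - 188.165.204[.]210:21603 - 188.165.204[.]210:21603 - GET /1809uk2/WIN-BDE26NS3NG1/0/61-SP1/0/
17:52:12 UTC - 188.165.204[.]210:21603 - 188.165.204[.]210:21603 - GET /1809uk2/WIN-BDE26NS3NG1/1/0/0/
17:52:13 UTC - 86.106.30[.]115:80 - funworld[.]ro - GET /scripts/1809uk2.shh
17:52:19 UTC - 208.64.8[.]6:3478 - UDP traffic to stun.phonepower[.]com
17:53:45 UTC - 94.23.250[.]88:443 - encrypted traffic (IP registered to OVH)
"""

# "<time> UTC - <ip>:<port> - [<host> - ]<description>"; the host field is absent on UDP/TLS lines
LINE_RE = re.compile(r"^(?P<ts>\S+ UTC) - (?P<ip>\S+?):(?P<port>\d+) - (?:(?P<host>\S+) - )?(?P<desc>.+)$")
# Check-in path shape seen on this page: /<campaign id>/<victim hostname>/<n>/<os tag or n>/<n>/
# (reading the fields as campaign id, hostname and OS version is an assumption from the values)
CHECKIN_RE = re.compile(r"^GET /(?P<campaign>\w+)/(?P<victim>[\w-]+)/\d+/[\w-]+/\d+/$")
# Follow-on payload fetch: a .tar or .shh whose file stem repeats a campaign id
PAYLOAD_RE = re.compile(r"^GET /(?:.*/)?(?P<stem>\w+)\.(?:tar|shh)$")
STUN_PORTS = {"3478", "19302"}  # the STUN ports seen in the traffic lists above
def analyze(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, finding, detail) tuples for lines that fit the infection chain."""
    findings: List[Tuple[str, str, str]] = []
    campaigns: set = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, port, host, desc = m.groups()
        ck = CHECKIN_RE.match(desc)
        # Check-in: GET carrying the victim hostname, sent to a bare IP on a non-standard port
        if ck and host and host.startswith(ip) and int(port) > 1024:
            campaigns.add(ck["campaign"])
            findings.append((ts, "checkin", f"campaign={ck['campaign']} victim={ck['victim']} c2={host}"))
            continue
        pl = PAYLOAD_RE.match(desc)
        # Payload: only flagged when its stem matches a campaign id already seen in a check-in
        if pl and host and pl["stem"] in campaigns:
            findings.append((ts, "payload", host + desc[len("GET "):]))
            continue
        if desc.startswith("UDP traffic to ") and port in STUN_PORTS:
            findings.append((ts, "stun", desc.rsplit(" ", 1)[-1]))
    return findings

if __name__ == "__main__":
    for ts, kind, detail in analyze(SAMPLE_LOG):
        print(ts, kind, detail)
```

Run against the EXAMPLE 2 list, the same logic flags the 1809inst and 1809us check-ins and the 1809us.tar fetch, while install6.tar is left alone because its stem matches no check-in.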