2014-09-24 - ZEUS INFECTION FROM EMAIL ATTACHMENT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2014-09-24-Zeus-email-tracking.csv.zip
- 2014-09-24-Zeus-malware-run-in-a-VM.pcap.zip
- 2014-09-24-Zeus-malware-and-artifacts.zip
NOTES:
- This is similar to a wave of malspam documented earlier this month on 2014-09-02 (link).
- Attachments during that previous wave of malspam used the ARJ archive format, but today's malspam is using RAR.
- Subject line examples for this wave of malspam:
- Subject: Automatic reminder: 557678737295229
- Subject: Bill reminder: 575685787859829
- Subject: Bills Reminder: 176194412546464
- Subject: Due Date E-Mail Reminder: 456153111097427
- Subject: Late payment: 211893769213047
- Subject: Overdue Payment: 884272725375713
- Subject: Past Due Reminder Letter: 378439720374130
- Subject: Payment Due Reminder: 352247661287730
- Subject: Payment Past-Due Reminder: 175128041511705
- Subject: Payment reminder: 866609381489450
- Subject: Reminder Letter: 165261855377927
- Subject: Reminder of overdue invoice: 887912180481421
- Subject: Reminder: 697652518565703
EXAMPLES OF THE EMAILS
SCREENSHOTS:
MESSAGE TEXT EXAMPLE 1:
Subject: Automatic reminder: 557678737295229
Date: Wed, 24 Sep 2014 13:08:51 UTC
From: Delinda Mcspirit <statement@webbroker[.]co[.]uk>
To:
Greetings,
This is Delinda from DSB Offshore Ltd. After a review of our records, we have found your account is past due.
Account ID: 1DYBWL5. This notice is a reminder your payment is due.
Best regards,
Delinda Mcspirit
DSB Offshore Ltd
statement@webbroker[.]co[.]uk
+07710212241
---
This email is free from viruses and malware because avast! Antivirus protection is active.
hxxp://www.avast[.]com
Attachment: application_557678737295229_1DYBWL5.rar (31.5 KB)
MESSAGE TEXT EXAMPLE 2:
Subject: Late payment: 211893769213047
Date: Wed, 24 Sep 2014 12:59:07 UTC
From: Geraldo Cabreja <statement@coldencommoncc[.]co[.]uk>
To:
Good afternoon,
This is Geraldo from Linde Material Handling UK Ltd. After a review of our records, we have found your account is past due.
Account ID: 4OP34S9. This notice is a reminder your payment is due.
Best regards,
Geraldo Cabreja
Linde Material Handling UK Ltd
statement@coldencommoncc[.]co[.]uk
+07564-305-986
---
This email is free from viruses and malware because avast! Antivirus protection is active.
hxxp://www.avast[.]com
---
(Italian) This e-mail is free from viruses and malware because avast! Antivirus protection is active.
hxxp://www.avast[.]com
Attachment: contention_211893769213047_4OP34S9.rar (30.8 KB)
MESSAGE TEXT EXAMPLE 3:
Subject: Overdue Payment: 884272725375713
Date: Wed, 24 Sep 2014 12:22:09 UTC
From: Malcolm Speller <proposition@gogreen-drivingschool[.]co[.]uk>
To:
Good morning,
This is Malcolm from Chris Lewis Fire and Security. After a review of our records, we have found your account is past due.
Account ID: 0PUB5L0. This notice is a reminder your payment is due.
Kind regards,
Malcolm Speller
Chris Lewis Fire and Security
proposition@gogreen-drivingschool[.]co[.]uk
+07952 493 393
---
This email is free from viruses and malware because avast! Antivirus protection is active.
hxxp://www.avast[.]com
Attachment: approval_884272725375713_0PUB5L0.rar (32.6 KB)
PRELIMINARY MALWARE ANALYSIS
EXAMPLE 1:
Attachment name: application_557678737295229_1DYBWL5.rar - 32,249 bytes - MD5 hash: cff41c39bd07f35dc5b8e1339a33a241
VirusTotal link: https://www.virustotal.com/en/file/1944df443059cb41ad391e824a301a304564b5d88f84d77a41413efbb0fac82f/analysis/
Extracted file: application_557678737295229_1DYBWL5.exe - 49,152 bytes - MD5 hash: c6bc0a46745e3d1138f443e4d4defde1
VirusTotal link: https://www.virustotal.com/en/file/977249710ee8926c9982b61593662a2de93234047929dc5f036cb5885dfd9dd5/analysis/
EXAMPLE 2:
Attachment name: contention_211893769213047_4OP34S9.rar - 31,545 bytes - MD5 hash: 9db8be19abfc6d237482e6a71693cb99
VirusTotal link: https://www.virustotal.com/en/file/4fce6c450f4c0d172c3f451d190b2e049a35d35f078d036be3ab0566d45c7f2c/analysis/
Extracted file: contention_211893769213047_4OP34S9.exe - 47,616 bytes - MD5 hash: 8fab91e1dcceb22d38410ff542fee3d2
VirusTotal link: https://www.virustotal.com/en/file/16d63d550001880457e83ae33a099f6ff7b05fa96881acb67551f4fc155f90fe/analysis/
EXAMPLE 3:
Attachment name: approval_884272725375713_0PUB5L0.rar - 33,369 bytes - MD5 hash: ed5a66265d70f164fbca5fb3407ba2ef
VirusTotal link: https://www.virustotal.com/en/file/82d04142941078b12ef7a8ee77c104df5685b7313611f2bd1a834f0dba48a290/analysis/
Extracted file: approval_884272725375713_0PUB5L0.exe - 50,176 bytes - MD5 hash: c607c906d09bbc25f9ff3536093178d2
VirusTotal link: https://www.virustotal.com/en/file/7594891e4aae292dde81d5d86a72b4a0b80a122000029a2242ae95b52f2147d9/analysis/
DROPPED MALWARE FROM ONE OF THE SAMPLES:
File name: suhoi.exe
File size: 330,240 bytes
MD5 hash: 0a8d1182de7e4bbdc6c292ba85b542c7
Detection ratio: 2 / 55
First submission: 2014-09-24 15:30:29 UTC
VirusTotal link: https://www.virustotal.com/en/file/b925b06d9c3ce3051d2de2662a0310d7e9ef141c139823557dd4751e0c964d8e/analysis/
INFECTION TRAFFIC
Executing contention_211893769213047_4OP34S9.exe in a VM:
- 14:33:13 UTC - 213.186.33[.]19:443 - HTTPS traffic to ax-m[.]fr
- 14:33:20 UTC - 213.186.33[.]17:443 - HTTPS traffic to congresfnosad2013-aixlesbains[.]fr
- 14:33:56 UTC - 192.42.116[.]41:80 - 144aa2l1biwegx1fc8g89xdjgsy[.]com - POST /updatec
- Followed by DGA-style DNS queries such as:
- 1f64m4116fs0eg1ps967s1dud879[.]net
- 5obqrf6sylfe1c7kstn15gdqfz[.]biz
- 3fvp6419l2d8bpjn4av1i7jjuf[.]org
- ymvs1nzn8na10e1t391h9s0tc[.]com
- 19zn3vz1lwl1v83oxgouv2tsdo[.]net
- 62ps7sddgt7o12fxu9jq59sb2[.]org
- 5lev346zazr16ytm821ykkedr[.]net
- and so on...
ALERTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):
- 2014-09-24 14:26:13 UTC - 191.232.80[.]55:80 - ET TROJAN Possible Zeus GameOver? Connectivity Check 2 (sid:2019155)
- 2014-09-24 14:33:14 UTC - 213.186.33[.]19:443 - ET CURRENT_EVENTS SUSPICIOUS OVH Shared Host SSL Certificate (Observed In Use by Some Trojans) (sid:2018364)
- 2014-09-24 14:33:21 UTC - 213.186.33[.]17:443 - ET CURRENT_EVENTS SUSPICIOUS OVH Shared Host SSL Certificate (Observed In Use by Some Trojans) (sid:2018364)
- 2014-09-24 14:33:49 UTC - [internal host]:53 - ET TROJAN Possible Zeus P2P Variant DGA NXDOMAIN Responses July 11 2014 (sid:2018666)
- 2014-09-24 14:33:56 UTC - 192.42.116[.]41:80 - ETPRO TROJAN Zeus variant C2 (sid:2808643)
- 2014-09-24 14:33:56 UTC - 192.42.116[.]41:80 - ET TROJAN Known Sinkhole Response Header (sid:2016803)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:
- 2014-09-24 14:33:56 UTC - 192.42.116[.]41:80 - [1:30320:1] BLACKLIST Connection to malware sinkhole
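The DGA-style names under INFECTION TRAFFIC and the "Zeus P2P Variant DGA NXDOMAIN Responses" alert above share a pattern that can be checked from a DNS log without a signature. The following script is an added example, not part of this writeup or of any ruleset: it scores second-level labels by length and by how often digit runs and letter runs alternate, then raises a burst alert when several flagged names come back NXDOMAIN. The log format, the thresholds and the benign entries are assumptions; the DGA names are the ones listed on this page.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (time, zone, queried name, response code).
# The long mixed digit/letter names are the ones listed on this page; the others
# are benign names seen in the same capture plus one assumed benign entry.
SAMPLE_DNS_LOG = """\
14:33:13 UTC ax-m.fr NOERROR
14:33:20 UTC congresfnosad2013-aixlesbains.fr NOERROR
14:33:49 UTC 144aa2l1biwegx1fc8g89xdjgsy.com NOERROR
14:33:50 UTC 1f64m4116fs0eg1ps967s1dud879.net NXDOMAIN
14:33:50 UTC 5obqrf6sylfe1c7kstn15gdqfz.biz NXDOMAIN
14:33:51 UTC 3fvp6419l2d8bpjn4av1i7jjuf.org NXDOMAIN
14:33:51 UTC ymvs1nzn8na10e1t391h9s0tc.com NXDOMAIN
14:33:52 UTC www.avast.com NOERROR
"""

def registered_label(fqdn):
    """Return the label left of the TLD, e.g. 'avast' for 'www.avast.com'."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s):
    """Bits per character; reported alongside each hit for the analyst."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def digit_letter_transitions(s):
    """Number of switches between digit runs and letter runs ('ab12cd' -> 2)."""
    runs = re.findall(r"[0-9]+|[a-z]+", s)
    return max(len(runs) - 1, 0)

def looks_like_dga(fqdn, min_len=20, min_transitions=5):
    """Assumed heuristic: long hyphen-free label that interleaves digits and letters.
    Human-chosen names with a year in them (e.g. ...2013-aixlesbains) stay below it."""
    label = registered_label(fqdn)
    return ("-" not in label and len(label) >= min_len
            and digit_letter_transitions(label) >= min_transitions)

def flag_dga_queries(log_text):
    """Return (time, name, rcode, entropy) for every query that looks like DGA output."""
    hits = []
    for line in log_text.splitlines():
        ts, _zone, name, rcode = line.split()
        if looks_like_dga(name):
            hits.append((ts, name, rcode, round(shannon_entropy(registered_label(name)), 2)))
    return hits

def nxdomain_burst(hits, threshold=3):
    """True when several flagged names failed to resolve, the pattern the ET rule keys on."""
    return sum(1 for h in hits if h[2] == "NXDOMAIN") >= threshold

if __name__ == "__main__":
    for hit in flag_dga_queries(SAMPLE_DNS_LOG):
        print(*hit)
    print("DGA NXDOMAIN burst:", nxdomain_burst(flag_dga_queries(SAMPLE_DNS_LOG)))
```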
SCREENSHOTS
RTF document presented by the malware on the infected VM:
Artifacts found in the infected VM user's AppData\Local\Temp directory:
The malware's connectivity check from the infected VM:
Malware callback traffic hitting a sinkhole:
DGA-style DNS queries generated by the infected VM: