2014-10-04 - RIG EK AND UPATRE FROM PHISHING EMAILS

ASSOCIATED FILES:

• ZIP of the pcap:  2014-10-04-Rig-EK-and-Upatre-traffic.pcap.zip
• ZIP of the malware:  2014-10-04-Rig-EK-and-Upatre-malware.zip

 

NOTES:

• On Thursday, 2014-10-02, I saw a few emails with secure@docs-gg.com listed as a sender that went to UK email addresses.

• These emails contain links to a zip file; however, these URLs also generate Rig EK traffic that will infect a vulnerable host with the same malware.

Shown above:  The zip file offered as a download, while Rig EK happens in the background.

• Today's Upatre and follow-up malware are the same type I documented yesterday on 2014-10-03 (see the link below).

 

WAVES OF PHISHING EMAILS I'VE DOCUMENTED BY (WHAT I THINK IS) THE SAME ACTOR:

• 2014-09-18 - Phishing campaign - NatWest and fake fax messages
• 2014-09-22 - Phishing email - Subject: NatWest Statement
• 2014-10-03 - Phishing campaign - Incoming fax reports - fake HMRC tax notices
• 2014-10-04 - Rig EK and Upatre from phishing emails   [emails dated 2014-10-02]

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 177.55.108.130 - camaraguape.mg.gov.br - Site with page for the malware download
• 37.200.69.87 - story.christophertawes.com - Rig EK
• various IP addresses - various domains - Post-infection traffic (see below)

 

PHISHING LINK FROM THE EMAIL (PROVIDES A ZIP FILE OF THE MALWARE):

• 2014-10-04 00:29:25 UTC - 172.16.165.133:49164 - 177.55.108.130:80 - camaraguape.mg.gov.br - GET /go2/document.php
• 2014-10-04 00:29:27 UTC - 172.16.165.133:49165 - 177.55.108.130:80 - camaraguape.mg.gov.br - POST /go2/document.php
• 2014-10-04 00:29:33 UTC - 172.16.165.133:49167 - 91.121.220.193:80 - counter6.statcounterfree.com - GET /private/counter.js?c=
  a9f26a8b178b1b373c1d6618b0a2ea72
• 2014-10-04 00:29:40 UTC - 172.16.165.133:49168 - 177.55.108.130:80 - camaraguape.mg.gov.br - GET /go2/document.php?h=900&w=1440&ua=
  Mozilla%2F4.0%20(compatible%3B%20MSIE%208.0%3B%20Windows%20NT%206.1%3B%20WOW64%3B%20Trident%2F4.0%3B%20SLCC2
  %3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.5.30729%3B%20.NET%20CLR%203.0.30729%3B%20Media%20Center%20PC%206.0)&e=1

 

RIG EK (INFECTS A VULNERABLE HOST WITH THE SAME MALWARE):

• 2014-10-04 00:29:33 UTC - 172.16.165.133:49166 - 37.200.69.87:80 - story.christophertawes.com - GET /?PHPSSESID=
  njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|ZDYxYWNlYzQwZDU3NDM0MzMyOGE4ZmU0NDU5ZjM1ZjE
• 2014-10-04 00:29:37 UTC - 172.16.165.133:49166 - 37.200.69.87:80 - story.christophertawes.com - GET /index.php?req=mp3&num=95&PHPSSESID=
  njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg%7CZDYxYWNlYzQwZDU3NDM0MzMyOGE4ZmU0NDU5ZjM1ZjE
• 2014-10-04 00:29:39 UTC - 172.16.165.133:49166 - 37.200.69.87:80 - story.christophertawes.com - GET /index.php?req=swf&num=467&PHPSSESID=
  njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|ZDYxYWNlYzQwZDU3NDM0MzMyOGE4ZmU0NDU5ZjM1ZjE
• 2014-10-04 00:29:46 UTC - 172.16.165.133:49173 - 37.200.69.87:80 - story.christophertawes.com - GET /index.php?req=xml&num=4797&PHPSSESID=
  njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|ZDYxYWNlYzQwZDU3NDM0MzMyOGE4ZmU0NDU5ZjM1ZjE
• 2014-10-04 00:29:47 UTC - 172.16.165.133:49173 - 37.200.69.87:80 - story.christophertawes.com - GET /index.php?req=jar&num=6704&PHPSSESID=
  njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg%7CZDYxYWNlYzQwZDU3NDM0MzMyOGE4ZmU0NDU5ZjM1ZjE
• 2014-10-04 00:29:48 UTC - 172.16.165.133:49175 - 37.200.69.87:80 - story.christophertawes.com - GET /index.php?req=mp3&num=479131&PHPSSESID=
  njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg%7CZDYxYWNlYzQwZDU3NDM0MzMyOGE4ZmU0NDU5ZjM1ZjE

 

POST-INFECTION TRAFFIC:

• 2014-10-04 00:29:43 UTC - 172.16.165.133:49171 - 82.98.157.8:80 - msoluciona.com - GET /images/inicio/0210uk4.pdf
• 2014-10-04 00:29:44 UTC - 172.16.165.133:49172 - 82.98.157.8:80 - www.msoluciona.com - GET /images/inicio/0210uk4.pdf
• 2014-10-04 00:31:40 UTC - 172.16.165.133:49179 - 88.221.87.174:80 - www.download.windowsupdate.com - GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab

• 2014-10-04 00:29:53 UTC - 172.16.165.133:6616 - 66.51.128.43:3478 - STUN traffic to stun.voip.aebc.com
• 2014-10-04 00:30:27 UTC - 172.16.165.133:6616 - 77.72.169.155:3478 - STUN traffic to stun.voiparound.com
• 2014-10-04 00:30:45 UTC - 172.16.165.133:6616 - 77.72.169.154:3479 - STUN traffic to stun.voiparound.com
• 2014-10-04 00:31:03 UTC - 172.16.165.133:6616 - 203.183.172.196 - STUN traffic to s2.taraba.net
• 2014-10-04 00:31:21 UTC - 172.16.165.133:6616 - 203.183.172.212 - STUN traffic to s2.taraba.net (?)

• 2014-10-04 00:29:39 UTC - 172.16.165.133:49169 - 188.165.198.52:64078 - attempted TCP connection RST by server
• 2014-10-04 00:29:41 UTC - 172.16.165.133:49170 - 188.165.198.52:64078 - attempted TCP connection RST by server
• 2014-10-04 00:29:47 UTC - 172.16.165.133:49174 - 188.165.198.52:64078 - attempted TCP connection RST by server
• 2014-10-04 00:31:39 UTC - 172.16.165.133:49178 - 37.59.46.50:4443 - encrypted TCP traffic
• 2014-10-04 00:31:42 UTC - 172.16.165.133:49180 - 37.59.46.50:4443 - encrypted TCP traffic
• 2014-10-04 00:31:43 UTC - 172.16.165.133:49181 - 37.59.46.50:4443 - encrypted TCP traffic
• 2014-10-04 00:31:43 UTC - 172.16.165.133:49182 - 37.59.46.50:4443 - encrypted TCP traffic
• 2014-10-04 00:31:46 UTC - 172.16.165.133:49183 - 37.59.46.50:4443 - encrypted TCP traffic
• 2014-10-04 00:31:46 UTC - 172.16.165.133:49184 - 37.59.46.50:4443 - encrypted TCP traffic
• 2014-10-04 00:31:49 UTC - 172.16.165.133:49185 - 37.59.46.50:4443 - encrypted TCP traffic
• 2014-10-04 00:31:49 UTC - 172.16.165.133:49186 - 37.59.46.50:4443 - encrypted TCP traffic
• 2014-10-04 00:31:54 UTC - 172.16.165.133:49187 - 37.59.46.50:4443 - encrypted TCP traffic

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-10-04-Rig-EK-flash-exploit.swf
File size:  4.1 KB ( 4238 bytes )
MD5 hash:  1ca3694873a7975dc4a286e11799a004
Detection ratio:  2 / 54
First submission:  2014-10-02 07:51:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3f0c210787ecd044c48792635998e4574a4c5abed1b150c02c62083b757b02f9/analysis/

 

JAVA EXPLOIT:

File name:  2014-10-04-Rig-EK-java-exploit.jar
File size:  9.2 KB ( 9380 bytes )
MD5 hash:  3fd18b6e0fb0f88d897fadbeae36c860
Detection ratio:  5 / 55
First submission:  2014-10-04 02:19:04 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4840f1d8a86e25528b4b6931d5cfa198b9afef5bd84c7544a81b6a706f405960/analysis/

 

MALWARE PAYLOAD (SAME AS EXTRACTED MALWARE FROM ZIP FILE):

File name:  document8621-79101_pdf.exe
File size:  44.5 KB ( 45568 bytes )
MD5 hash:  322cc3be1d5b0c41d707867146304d85
Detection ratio:  23 / 53
First submission:  2014-10-02 14:42:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3ac7b3e1c679134d3b63793dc6df49f8467f387b78e17947a22b516636b89aed/analysis/
Malwr link:  https://malwr.com/analysis/YzFiYzhmZmEwOGRiNDcwMDg4NDRmODQ5YmFjNGQxZGI/

 

ZIPE FILE FROM THE WEB PAGE:

File name:  document8621-79101_pdf.zip
File size:  13.1 KB ( 13446 bytes )
MD5 hash:  c516abc8eb1acd38c57f3175032cb17c
Detection ratio:  26 / 55
First submission:  2014-10-02 14:40:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/39d8f256dcb91eab3c92dae72ab54fbb38157847336646ce23f26924f59a4b33/analysis/

 

FOLLOW-UP MALWARE:

File name:  junbc.exe
File size:  424.0 KB ( 434176 bytes )
MD5 hash:  27b8d15950022f53ca4ca7004932cf2b
Detection ratio:  21 / 54
First submission:  2014-10-02 18:44:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/286938569b92147be5ec50e06d4d7429eb442a751c0772cb57e146a0a1d0b489/analysis/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

• 2014-10-04 00:29:11 UTC - 172.16.165.133:49160 - 177.55.108.130:80 - ET CURRENT_EVENTS Upatre redirector 29 Sept 2014 - POST (sid:2019321)
• 2014-10-04 00:29:13 UTC - 177.55.108.130:80 - 172.16.165.133:49160 - ET CURRENT_EVENTS suspicious embedded zip file in web page (sid:2019324)
• 2014-10-04 00:29:15 UTC - 172.16.165.133:49162 - 37.200.69.87:80 - ET CURRENT_EVENTS RIG EK Landing URI Struct (sid:2019072)
• 2014-10-04 00:29:16 UTC - 172.16.165.133:49159 - 177.55.108.130:80 - ET CURRENT_EVENTS Upatre redirector GET Sept 29 2014 (sid:2019311)
• 2014-10-04 00:29:34 UTC - 37.200.69.87:80 - 172.16.165.133:49166 - ET CURRENT_EVENTS Likely Evil XMLDOM Detection of Local File (sid:2018783)
• 2014-10-04 00:29:37 UTC - 172.16.165.133:49166 - 37.200.69.87:80 - ET CURRENT_EVENTS Goon/Infinity URI Struct EK Landing May 05 2014 (sid:2018441)
• 2014-10-04 00:29:38 UTC - 37.200.69.87:80 - 172.16.165.133:49166 - ET CURRENT_EVENTS GoonEK encrypted binary (3) (sid:2018297)
• 2014-10-04 00:29:40 UTC - 177.55.108.130:80 - 172.16.165.133:49168 - ET TROJAN Zeus Spam Campaign pdf.exe In ZIP - 26th Feb 2014 (sid:2018182)
• 2014-10-04 00:29:43 UTC - 172.16.165.133:49171 - 82.98.157.8:80 - ET TROJAN Common Upatre Header Structure 2 (sid:2018635)
• 2014-10-04 00:29:43 UTC - 172.16.165.133:49171 - 82.98.157.8:80 - ET TROJAN Common Upatre Header Structure (sid:2018394)
• 2014-10-04 00:29:43 UTC - 172.16.165.133:49171 - 82.98.157.8:80 - ET MALWARE Suspicious User-Agent (update) (sid:2003583)
• 2014-10-04 00:29:47 UTC - 37.200.69.87:80 - 172.16.165.133:49173 - ET CURRENT_EVENTS Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity (sid:2017064)
• 2014-10-04 00:29:47 UTC - 37.200.69.87:80 - 172.16.165.133:49173 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Java Exploit to Client (sid:2013961)
• 2014-10-04 00:29:47 UTC - 37.200.69.87:80 - 172.16.165.133:49173 - ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client (sid:2014526)
• 2014-10-04 00:29:47 UTC - 37.200.69.87:80 - 172.16.165.133:49173 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs (sid:2016540)
• 2014-10-04 00:29:47 UTC - 37.200.69.87:80 - 172.16.165.133:49173 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass (sid:2800029)
• 2014-10-04 00:31:39 UTC - 37.59.46.50:4443 - 172.16.165.133:49178 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 30 2014 (sid:2019320)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS (not including preprocessor events):

• 2014-10-04 00:29:37 UTC - 172.16.165.133:various - 37.200.69.87:80 - [1:30936:3] EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (x5)
• 2014-10-04 00:29:38 UTC - 37.200.69.87:80 - 172.16.165.133:49166 - [1:30934:2] EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download
• 2014-10-04 00:29:47 UTC - 37.200.69.87:80 - 172.16.165.133:49173 - [1:25562:4] FILE-JAVA Oracle Java obfuscated jar file download attempt
• 2014-10-04 00:29:47 UTC - 37.200.69.87:80 - 172.16.165.133:49173 - [1:27816:5] EXPLOIT-KIT Multiple exploit kit jar file download attempt

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap:  2014-10-04-Rig-EK-and-Upatre-traffic.pcap.zip
• ZIP of the malware:  2014-10-04-Rig-EK-and-Upatre-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.