2015-02-02 - CHANITOR ACTIVITY
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
EXAMPLE OF THE EMAILS
SCREENSHOT:
MESSAGE TEXT:
From: "LogMeIn[.]com" <no-reply@logmein[.]com>
Date: Monday, February 2, 2015 at 8:20 AM CST
To:
Subject: LogMeIn Promo Code - Get 50% off your next purchase
Dear client,
In early January 2015, we have launched new versions of LogMeIn Central designed to deliver improved security to our customers.
For security reasons, every account must be updated to one of the new LogMeIn Central interfaces ( Central Basic , Central Plus , Central Premier ).
Coupon codes have been awarded to our clients, in order to encourage early subscription to the new interface.
Your account has been selected for a 50% discount on your next LogMein purchase.
The coupon code ( valid for 3 days ) and instructions on how to use it have been included in the attached document.
For more information regarding the new LogMeIn Central , visit our blog :
hxxp[:]//blog.logmein[.]com/it-management/year-central
Thank you for choosing LogMeIn
Attachment: logmein_coupon_code.doc (49.7 KB)
TRAFFIC FROM INFECTED VM
ASSOCIATED DOMAINS:
- 146.185.213[.]35 port 80 - 146.185.213[.]35 - HTTP GET request by the malicious document for malware
- 194.150.168[.]70 port 443 - ho7rcj6wucosa5bu.tor2web[.]org - encrypted tor2web traffic
TRAFFIC SEEN:
- 2015-02-02 16:17:13 UTC - 146.185.213[.]35 - GET /upd/install.exe
- 2015-02-02 16:18:03 UTC - HTTPS traffic to: api.ipify[.]org (checks the IP address of the infected host)
- 2015-02-02 16:18:04 UTC - HTTPS traffic to: ho7rcj6wucosa5bu.tor2web[.]org
ALERTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):
- DNS query for: ho7rcj6wucosa5bu.tor2web[.]org - ETPRO TROJAN Win32/Chanitor.A .onion Proxy domain lookup (sid:2809214)
- 194.150.168[.]70 port 443 - ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1) (sid:2016806)
Talos (Sourcefire VRT) ruleset from Snort 2.9.7.0 on Debian 7:
- 146.185.213[.]35 port 80 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 146.185.213[.]35 port 80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- DNS query for: ho7rcj6wucosa5bu.tor2web[.]org - [1:33216:1] INDICATOR-COMPROMISE DNS request for known malware domain tor2web[.]org
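The indicators above are published defanged (`[.]`, `hxxp`), so a responder has to refang them before sweeping DNS or proxy logs. The script below is an added example written for this page, not a tool from the original post: it refangs the page's IoCs, scans a handful of constructed log lines in a Zeek-style layout (the format is an assumption), and also flags any 16-character v2 onion label under tor2web.org generically, which goes slightly beyond the single domain the page lists.

```python
"""Refang the page's indicators and sweep constructed log lines for them.
Added example; the log layout and sample lines are constructed, not from the page."""
import re
from dataclasses import dataclass

# Indicators copied from the page, kept in their defanged form.
DEFANGED_IOCS = {
    "146.185.213[.]35": "HTTP GET by malicious document for malware (/upd/install.exe)",
    "ho7rcj6wucosa5bu.tor2web[.]org": "Chanitor .onion proxy domain via tor2web",
    "api.ipify[.]org": "external IP check by the infected host",
}


def refang(indicator: str) -> str:
    """Turn a defanged IoC back into a matchable string: [.] -> . , [:] -> : , hxxp -> http."""
    s = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


# Refanged IoC -> (compiled word-bounded pattern, reason).  Word boundaries stop
# 146.185.213.35 from matching inside a longer address such as 146.185.213.355.
IOC_PATTERNS = {
    refang(k): (re.compile(r"\b" + re.escape(refang(k)) + r"\b", re.IGNORECASE), v)
    for k, v in DEFANGED_IOCS.items()
}

# Generic heuristic: tor2web gateways expose the 16-character base32 v2 onion
# label as a subdomain, so any such lookup is worth a look even if the label is new.
TOR2WEB_RE = re.compile(r"\b([a-z2-7]{16})\.tor2web\.org\b", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    indicator: str
    reason: str


def scan_log(lines):
    """Return one Hit per (line, indicator) match; generic tor2web hits are
    reported only when the label is not already a listed IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ioc, (pattern, reason) in IOC_PATTERNS.items():
            if pattern.search(line):
                hits.append(Hit(n, ioc, reason))
        m = TOR2WEB_RE.search(line)
        if m and m.group(0).lower() not in IOC_PATTERNS:
            hits.append(Hit(n, m.group(0).lower(), "tor2web gateway lookup (generic heuristic)"))
    return hits


# Constructed sample lines (Zeek-like layout, assumed); timestamps echo the page's timeline.
SAMPLE_LOG = [
    "2015-02-02 16:17:13 UTC http 10.0.0.5 -> 146.185.213.35:80 GET /upd/install.exe",
    "2015-02-02 16:18:03 UTC dns 10.0.0.5 query A api.ipify.org",
    "2015-02-02 16:18:04 UTC dns 10.0.0.5 query A ho7rcj6wucosa5bu.tor2web.org",
    "2015-02-02 16:20:00 UTC dns 10.0.0.5 query A www.example.com",
    "2015-02-02 16:21:00 UTC dns 10.0.0.5 query A abcdefghijklmnop.tor2web.org",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.indicator} - {h.reason}")
```

Run against real DNS or proxy exports, the same `scan_log` call works on any iterable of lines; the page's timestamps show why the generic tor2web rule matters: the ipify check and the tor2web lookup arrive within a second of each other, so a hit on either one is a good pivot into the host's process list.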
PRELIMINARY MALWARE ANALYSIS
EMAIL ATTACHMENT:
File name: logmein_coupon_code.doc
File size: 37,689 bytes
MD5 hash: 972751827473ecfdb959c2233a67bdb8
Detection ratio: 2 / 57
First submission: 2015-02-02 15:19:13 UTC
VirusTotal link: https://www.virustotal.com/en/file/df7f7f8662300996ab1956fafdf04ab6b18e9f8a7d84d6e36c23b58bbcf84f0c/analysis/
DROPPED MALWARE:
File name: winlogin.exe
File size: 126,464 bytes
MD5 hash: 4f27da033ca92c28576be5270b923128
Detection ratio: 1 / 57
First submission: 2015-02-02 16:03:59 UTC
VirusTotal link: https://www.virustotal.com/en/file/4e10f46a37f0168c16a5b09d8e7f3934bcddc4411b34916d8497ec1a7e52a9fc/analysis/