2017-01-05 - BRAZIL TARGETED MALWARE INFECTION

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

NOTES:

• This is the same campaign I documented on 2016-09-21, 2016-08-30, and 2016-08-26.
• The campaign has continued since then, but I haven't documented a recent example until now.
• See the 2016-08-26 blog post for a list of my previous posts covering this threat actor.

ASSOCIATED FILES:

• 2017-01-05-Brazil-targeted-malware-infection.pcap.zip   1.3 MB (1,309,387 bytes)

• 2017-01-05-Brazil-targeted-malware-infection.pcap   (1,728,547 bytes)

• 2017-01-05-Brazil-malspam-20-examples.zip   37.2 kB (37,168 bytes)

• 2017-01-04-Brazil-malspam-1412-UTC.eml   (3,075 bytes)
• 2017-01-04-Brazil-malspam-1656-UTC.eml   (3,077 bytes)
• 2017-01-04-Brazil-malspam-2111-UTC.eml   (3,075 bytes)
• 2017-01-04-Brazil-malspam-2154-UTC.eml   (3,075 bytes)
• 2017-01-04-Brazil-malspam-2316-UTC.eml   (3,075 bytes)
• 2017-01-05-Brazil-malspam-0250-UTC.eml   (3,075 bytes)
• 2017-01-05-Brazil-malspam-0313-UTC.eml   (3,075 bytes)
• 2017-01-05-Brazil-malspam-0331-UTC.eml   (3,075 bytes)
• 2017-01-05-Brazil-malspam-0342-UTC.eml   (3,075 bytes)
• 2017-01-05-Brazil-malspam-0644-UTC.eml   (3,075 bytes)
• 2017-01-05-Brazil-malspam-0759-UTC.eml   (3,075 bytes)
• 2017-01-05-Brazil-malspam-0852-UTC.eml   (3,075 bytes)
• 2017-01-05-Brazil-malspam-0956-UTC.eml   (3,075 bytes)
• 2017-01-05-Brazil-malspam-1049-UTC.eml   (3,075 bytes)
• 2017-01-05-Brazil-malspam-1201-UTC.eml   (3,075 bytes)
• 2017-01-05-Brazil-malspam-1210-UTC.eml   (3,075 bytes)
• 2017-01-05-Brazil-malspam-1218-UTC.eml   (3,074 bytes)
• 2017-01-05-Brazil-malspam-1358-UTC.eml   (3,075 bytes)
• 2017-01-05-Brazil-malspam-1438-UTC.eml   (3,075 bytes)
• 2017-01-05-Brazil-malspam-1627-UTC.eml   (3,075 bytes)

• 2017-01-05-Brazil-targeted-malware-and-artifacts.zip   1.4 MB (1,400,812 bytes)

• 05012017HLiMHwQ9RfYE4G5KrDQR19Z6O4lHh828377.vbe   (548 bytes)
• Ionic.Zip.Reduced.dll   (253,440 bytes)
• JUNGLE-PC.aes   (16 bytes)
• JUNGLE-PC.zip   (1,087,252 bytes)
• JUNGLE-PCx.ocx   (440 bytes)
• SYSJUNGLEPC37.txt   (3,242 bytes)
• dll.dll.exe   (396,480 bytes)
• tmpB04B.tmp   (11,548 bytes)
• wimgwdfh.yim.vbs   (53,223 bytes)

 

EMAILS

Shown above:  Screen shot of the email.

 

EMAIL HEADERS:

• From: NF-e <nfe@fsist[.]xyz>
• Subject: A NF-e (Nota Fiscal Eletronica) do seu pedido foi emitida

 

TRAFFIC

Shown above:  Traffic from the pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• bit[.]ly - GET /2iLZYgQ - redirect from the link in the email (HTTPS)
• 187.17.111.98 port 443 - lavorocont.sslblindado[.]com - GET /sys/   [returns the malicious .vbs file]
• 65.181.112[.]240 port 80 - 65.181.112[.]240 - GET /bibi/w7.txt
• 65.181.112[.]240 port 80 - 65.181.112[.]240 - GET /bibi/aw7.tiff
• 65.181.112[.]240 port 80 - 65.181.112[.]240 - GET /bibi/W7.zip
• 65.181.112[.]240 port 80 - 65.181.112[.]240 - GET /bibi/dll.dll
• 65.181.112[.]240 port 80 - 65.181.112[.]240 - GET /bibi/dll.dll.exe
• 65.181.112[.]240 port 80 - www.devyatinskiy[.]ru - HTTP post-infection traffic
• 65.181.112[.]240 port 80 - api.devyatinskiy[.]ru - HTTP post-infection traffic
• 65.181.113[.]204 port 443 - ssl.houselannister[.]top - IRC traffic (botnet command and control)
• DNS query for: imestre.houselannister[.]top - response: 127.0.0.1

 

MALWARE

ARTIFACTS FOUND ON THE INFECTED HOST:

• Downloaded from the email link: 05012017HLiMHwQ9RfYE4G5KrDQR19Z6O4lHh828377.vbe

• C:\Users\george-of-the-jungle\AppData\Local\Temp\Java\dll.dll.exe
• C:\Users\george-of-the-jungle\AppData\Local\Temp\Java\Ionic.Zip.Reduced.dll
• C:\Users\george-of-the-jungle\AppData\Local\Temp\Java\JUNGLE-PC.aes
• C:\Users\george-of-the-jungle\AppData\Local\Temp\Java\JUNGLE-PC.zip
• C:\Users\george-of-the-jungle\AppData\Local\Temp\tmpB04B.tmp

• C:\Windows\System32\Java\Ionic.Zip.Reduced.dll
• C:\Windows\System32\Java\JUNGLE-PC.aes
• C:\Windows\System32\Java\JUNGLE-PC.zip
• C:\Windows\System32\Java\wimgwdfh.yim.vbs
• C:\Windows\System32\JUNGLE-PCx.ocx
• C:\Windows\System32\Tasks\SYSJUNGLEPC37

 

SHA256 HASHES FOR THE ARTIFACTS:

• d1faae74de1d15de0fc9ff900071b2c93e8829c16cf83d3c5b8d54f0c7f362ab - 05012017HLiMHwQ9RfYE4G5KrDQR19Z6O4lHh828377.vbe
• a4009288982e4c30d22b544167f72db882e34f0fda7d4061b2c02c84688c0ed1 - Ionic.Zip.Reduced.dll
• 910dc2d1dd279269bbc44b0cade6309fe2134f6fd9d27a7dbb001d5becbac1dc - JUNGLE-PC.aes
• e68121b88cbb2ee953ecb9d71dbdbf3948f40564a31babb7825405a0af581a54 - JUNGLE-PC.zip
• 9e74abc443e40f22ff46f7897ff5bf600948128d9e04acd4a47ef972b75e3297 - JUNGLE-PCx.ocx
• 7198608af1fb82d3fbe17bbd58e93b97ab615245d467deba926e90a830799fa4 - SYSJUNGLEPC37.txt
• 3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95 - dll.dll.exe
• 4de58ed6c0f43356af5f5f957b2adee3eb2f690c89e4201742499ca57b9b9482 - tmpB04B.tmp
• 372d9dc21f9c11c09c1aaee140e27af2d71e45ba326ac7ecfb635dbba2f5e765 - wimgwdfh.yim.vbs

 

ADDITIONAL INFO

Here are the links I saw from the emails:

• 1mACnzZm.h1sumslsrbtgqyezjlqenjge2ulr9a[.]xyz - GET/1Sunfe.php?1Sunfe=1mACnzZm[removed]
• DEma2Ar3.h1sumslsrbtgqyezjlqenjge2ulr9a[.]xyz - GET/5oWcpq.php?5oWcpq=DEma2Ar3[removed]
• KUQv28sr.h1sumslsrbtgqyezjlqenjge2ulr9a[.]xyz - GET/R1D6xA.php?R1D6xA=KUQv28sr[removed]
• Spm6K04J.h1sumslsrbtgqyezjlqenjge2ulr9a[.]xyz - GET/dh9VeW.php?dh9VeW=Spm6K04J[removed]
• SuFeZw5G.h1sumslsrbtgqyezjlqenjge2ulr9a[.]xyz - GET/Bb0aTe.php?Bb0aTe=SuFeZw5G[removed]
• X0Y6BwRr.h1sumslsrbtgqyezjlqenjge2ulr9a[.]xyz - GET/vX7jiO.php?vX7jiO=X0Y6BwRr[removed]
• 2uG3I3WM.iy7jkiidp5xqcesvhhyeuoobwhbotu[.]xyz - GET/VAPNI2.php?VAPNI2=2uG3I3WM[removed]
• 3H6pQOGu.iy7jkiidp5xqcesvhhyeuoobwhbotu[.]xyz - GET/5OslGe.php?5OslGe=3H6pQOGu[removed]
• 8aEbOeYF.iy7jkiidp5xqcesvhhyeuoobwhbotu[.]xyz - GET/wFF35I.php?wFF35I=8aEbOeYF[removed]
• FLFqnm8c.iy7jkiidp5xqcesvhhyeuoobwhbotu[.]xyz - GET/sjv2wV.php?sjv2wV=FLFqnm8c[removed]
• Fz8gXEaI.iy7jkiidp5xqcesvhhyeuoobwhbotu[.]xyz - GET/RgcO7I.php?RgcO7I=Fz8gXEaI[removed]
• qjiuRU9d.iy7jkiidp5xqcesvhhyeuoobwhbotu[.]xyz - GET/aV8vOF.php?aV8vOF=qjiuRU9d[removed]
• uJP003pF.iy7jkiidp5xqcesvhhyeuoobwhbotu[.]xyz - GET/CVYj0t.php?CVYj0t=uJP003pF[removed]
• ruIAi0Qv.p4d4rjooop9njubdzanx0modrrewdn[.]xyz - GET/3hIwng.php?3hIwng=ruIAi0Qv[removed]
• UEpC0dzI.p4d4rjooop9njubdzanx0modrrewdn[.]xyz - GET/er9Dfp.php?er9Dfp=UEpC0dzI[removed]
• wWrkhgu5.p4d4rjooop9njubdzanx0modrrewdn[.]xyz - GET/4xu6rB.php?4xu6rB=wWrkhgu5[removed]
• af7LQRRd.x00mnmwvua7mi11z5ckhyqfn7qsf9t[.]xyz - GET/dKstM2.php?dKstM2=af7LQRRd[removed]
• qx1dTCLN.x00mnmwvua7mi11z5ckhyqfn7qsf9t[.]xyz - GET/XV1GAf.php?XV1GAf=qx1dTCLN[removed]
• L35n3BTe.x00mnmwvua7mi11z5ckhyqfn7qsf9t[.]xyz - GET/6sA4hF.php?6sA4hF=L35n3BTe[removed]
• 8ntrM8N7.x00mnmwvua7mi11z5ckhyqfn7qsf9t[.]xyz - GET/akj3Wu.php?akj3Wu=8ntrM8N7[removed]

 

Here are the base domains from the above URLs:

• h1sumslsrbtgqyezjlqenjge2ulr9a[.]xyz
• iy7jkiidp5xqcesvhhyeuoobwhbotu[.]xyz
• p4d4rjooop9njubdzanx0modrrewdn[.]xyz
• x00mnmwvua7mi11z5ckhyqfn7qsf9t[.]xyz

 

Those four domains were registered on 2017-01-02 with the following info:

• Sponsoring Registrar:  PDR Ltd. d/b/a PublicDomainRegistry[.]com
• Registrant name:  Soren Laderoute
• Registrant state/province:  Kiev
• Registrant country:  Ukraine
• Registrant email:  sorenladeroute@protonmail[.]com

Note:  fsist[.]xyz and jioapnllybzbexyxyyodecgbvuit16[.]xyz are also registered to Soren Laderoute with the same contact data.

 

When I pinged them today, all the above domains appeared to be hosted on 65.181.112[.]240.

• IP Address:  65.181.112[.]240
• IP Location:  US - Solar VPS
• ASN:  AS25653 FORTRESSITX - FortressITX, US
• Abuse email:  abuse@solarvps[.]com

 

Click here to return to the main page.