2018-10-19 - MALSPAM USING LINKS FOR ZIPPED WINDOWS SHORTCUTS TO PUSH NYMAIM

ASSOCIATED FILES:

  • 2018-10-18-malspam-pushing-Nymaim-email-example-2115-UTC.eml   (2,172 bytes)
  • 2018-10-19-malspam-pushing-Nymaim-infection-traffic.pcap   (5,651,077 bytes)
  • Resume.zip   (615 bytes)
  • resume.lnk   (1,646 bytes)
  • 1.hta.txt   (3,301 bytes)
  • ProgramData/fbl/bubava.cbs   (975,688 bytes)
  • ProgramData/fbl/ivwxurg.syn   (3,971 bytes)
  • ProgramData/fbl/tqxzwp.sre   (1,748 bytes)
  • ProgramData/unicode-52/unicode-60.exe   (977,920 bytes)
  • Users/username/AppData/Local/isotope-46/isotope-5.exe   (1,097,728 bytes)
  • Users/username/AppData/Local/Temp/cnkczp.nsc   (4,485 bytes)
  • Users/username/AppData/Local/Temp/dwqrj.yxl   (2,166 bytes)
  • Users/username/AppData/Local/Temp/ylsgo.yip   (974,596 bytes)
  • Users/username/AppData/Roaming/KDqnaJXTf.exe   (1,409,024 bytes)
  • Users/username/AppData/Roaming/shutdown-3/shutdown-42.exe   (1,138,688 bytes)

NOTES:


Shown above:  Flow chart for malspam-based Nymaim infections I've seen this month.


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:


EMAILS


Shown above:  Screenshot on an email from this campaign.


EMAIL HEADERS IN TODAY'S EXAMPLE:

Received: from [176.119.6.23] ([176.119.6.23:58056] helo=toyztreasure.com)
        by
[removed] (envelope-from <admin@toyztreasure.com>) [removed];
        Thu, 18 Oct 2018 17:15:42 -0400
Date: Thu, 18 Oct 2018 23:15:41 +0200
Subject: Job
Message-ID: <slxa2kf1m9a1oeou0z7szki3.1950423964464@toyztreasure.com>
From: Klara Mauger =?UTF-8?B?wqA=?= <admin@toyztreasure.com>
To:
[removed]
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--_com.android.email_9958201417653"
Errors-To: <bouncechecker@yahoo.com>
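
As an added example, not part of the original post: a small header-triage routine run over the headers quoted above. The header text is copied from the page (including the post's own "[removed]" redactions); the unfolding logic, the heuristic names and the idea of flagging an encoded word that decodes to nothing but whitespace are my own assumptions, not anything the post states. The interesting detail it surfaces is the From display name: `=?UTF-8?B?wqA=?=` is an RFC 2047 encoded word that decodes to a single U+00A0 non-breaking space, so the visible name is "Klara Mauger" followed by an invisible character.

```python
"""Header triage for the malspam sample quoted in the post (added example)."""
import base64
import json
import quopri
import re
from email.utils import parseaddr, parsedate_to_datetime

# Headers as quoted in the post.  The redacted "by" host sits on an
# un-indented line, which a strict RFC 5322 parser rejects, so we unfold by hand.
RAW_HEADERS = """\
Received: from [176.119.6.23] ([176.119.6.23:58056] helo=toyztreasure.com)
        by
[removed] (envelope-from <admin@toyztreasure.com>) [removed];
        Thu, 18 Oct 2018 17:15:42 -0400
Date: Thu, 18 Oct 2018 23:15:41 +0200
Subject: Job
Message-ID: <slxa2kf1m9a1oeou0z7szki3.1950423964464@toyztreasure.com>
From: Klara Mauger =?UTF-8?B?wqA=?= <admin@toyztreasure.com>
To:
[removed]
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--_com.android.email_9958201417653"
Errors-To: <bouncechecker@yahoo.com>
"""

HEADER_START = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):(.*)$")
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")


def unfold_headers(raw):
    """Return (name, value) pairs; any line that does not start a new header
    (indented or not) is treated as a continuation of the previous value."""
    headers = []
    for line in raw.splitlines():
        m = HEADER_START.match(line)
        if m:
            headers.append([m.group(1), m.group(2).strip()])
        elif headers and line.strip():
            headers[-1][1] = (headers[-1][1] + " " + line.strip()).strip()
    return [tuple(h) for h in headers]


def header(headers, name):
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return ""


def decode_encoded_words(value):
    """Decode RFC 2047 =?charset?B|Q?payload?= tokens (own implementation so
    the example does not depend on the stdlib parser accepting the redactions)."""
    def repl(m):
        charset, enc, payload = m.group(1), m.group(2).upper(), m.group(3)
        if enc == "B":
            raw = base64.b64decode(payload)
        else:
            raw = quopri.decodestring(payload.encode("ascii"), header=True)
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(repl, value)


def whitespace_only_encoded_words(value):
    """Encoded words that decode to nothing but whitespace (e.g. a lone U+00A0)."""
    words = [decode_encoded_words(m.group(0)) for m in ENCODED_WORD.finditer(value)]
    return [w for w in words if w.strip() == ""]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw=RAW_HEADERS):
    """Extract the sending host details and apply a few assumed heuristics."""
    h = unfold_headers(raw)
    received = header(h, "Received")
    ip = re.search(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    helo = re.search(r"helo=([A-Za-z0-9.-]+)", received)
    env = re.search(r"envelope-from <([^>]+)>", received)
    raw_from = header(h, "From")
    display_name, from_addr = parseaddr(raw_from)
    display_name = decode_encoded_words(display_name)
    errors_to = parseaddr(header(h, "Errors-To"))[1]
    # Date header versus the receiving MTA's timestamp (both carry UTC offsets).
    recv_time = parsedate_to_datetime(received.rsplit(";", 1)[-1].strip())
    sent_time = parsedate_to_datetime(header(h, "Date"))

    flags = []  # heuristic names are this example's own
    if whitespace_only_encoded_words(raw_from):
        flags.append("encoded_whitespace_in_from_display_name")
    if errors_to and domain_of(errors_to) != domain_of(from_addr):
        flags.append("errors_to_domain_differs_from_sender")
    if helo and domain_of(from_addr) and helo.group(1).lower() != domain_of(from_addr):
        flags.append("helo_differs_from_sender_domain")

    return {
        "connecting_ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "envelope_from": env.group(1) if env else None,
        "from_address": from_addr,
        "display_name": display_name,
        "transit_seconds": int((recv_time - sent_time).total_seconds()),
        "flags": flags,
        # Pivot points, not a block list (the post makes that distinction itself).
        "indicators": [ip.group(1) if ip else None, domain_of(from_addr)],
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2, ensure_ascii=False))
```

Run as-is it reports the connecting IP 176.119.6.23, the HELO name and envelope sender (both consistent with the From domain, so that check stays quiet), a one-second gap between the Date header and the receiving timestamp, and two flags: the whitespace-only encoded word in the display name and the Errors-To address on an unrelated domain.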



Shown above:  Clicking link on one of the emails to download Resume.zip.



Shown above:  HTA file retrieved by the extracted Windows shortcut.
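
The delivery chain in the captions above (link, then Resume.zip, then the extracted resume.lnk, which fetches an HTA) is the part a mail gateway or sandbox can catch before anything runs. The following is an added example, not code from the post: it inspects an archive for Windows shortcut members by content, not just by extension, using the Shell Link header magic (HeaderSize 0x4C followed by the LinkCLSID). The sample archive is constructed in memory and is not the campaign's Resume.zip; the extension policy list is an assumption.

```python
"""Archive inspection for zipped Windows shortcuts (added example)."""
import io
import zipfile

# MS-SHLLINK ShellLinkHeader: HeaderSize 0x0000004C, then LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# Assumed gateway policy: script-like members that have no business in a resume.
SUSPICIOUS_EXTENSIONS = {".lnk", ".hta", ".js", ".jse", ".vbs", ".wsf", ".scr"}


def inspect_member(name, data):
    """Return the reasons this archive member deserves attention, or []."""
    reasons = []
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in SUSPICIOUS_EXTENSIONS:
        reasons.append(f"extension {ext}")
    if data.startswith(LNK_MAGIC):
        reasons.append("Shell Link header magic")
        if ext != ".lnk":
            reasons.append("LNK content disguised with another extension")
    return reasons


def scan_zip(zip_bytes):
    """Map each flagged member name to its reasons (clean members are omitted)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = inspect_member(info.filename, zf.read(info))
            if reasons:
                findings[info.filename] = reasons
    return findings


def verdict(zip_bytes):
    """'quarantine' if any member is flagged, otherwise 'pass'."""
    findings = scan_zip(zip_bytes)
    return ("quarantine" if findings else "pass"), findings


def build_sample_archive():
    """Constructed test archive (not the real Resume.zip): a resume-themed zip
    whose payload is a shortcut, a second shortcut hiding behind .pdf, and one
    harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("cover_letter.pdf", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    decision, details = verdict(build_sample_archive())
    print(decision)
    for member, why in details.items():
        print(f"  {member}: {', '.join(why)}")
```

The content check matters because a shortcut renamed to a document extension is still a shortcut once a user extracts and double-clicks it; the extension check alone would pass it.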


TRAFFIC


Shown above:  Infection traffic filtered in Wireshark.


TRAFFIC FROM AN INFECTED WINDOWS HOST:


OTHER DOMAINS ON 209.141.43[.]75 REDIRECTING TO PUSH RESUME.ZIP FILES:


FILE HASHES

INITIAL MALWARE:


NYMAIM FOLLOW-UP BINARIES:


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
