Myfax malspam wave with links to malware and Neutrino exploit kit

Published: 2015-06-03
Last Updated: 2015-06-03 18:53:00 UTC
by Brad Duncan (Version: 1)

Introduction

Since at least Wednesday 2015-05-27, there have been more waves of malicious spam (malspam) spoofing myfax.com.  On Tuesday 2015-06-02, the messages contained links to a zip archive holding a Pony downloader.  Tuesday's messages also had links pushing Neutrino exploit kit (EK).  Spoofed myfax emails are nothing new; they've been around for years.  This is yet another wave in the continuous onslaught of malspam that organizations face every day.

Background

Earlier on 2015-06-02, @Techhelplistcom tweeted about myfax malspam he'd found [1] and posted links from those emails to pastebin [2].

I noticed similar messages last week, but they were all blocked.  At that time, I wasn't able to investigate any further.  On 2015-06-02, checking my employer's spam filters revealed that spoofed myfax messages were coming in again after a three-day break.

Details

Below is an example of the messages blocked by my organization's spam filters on 2015-06-02:


Shown above: myfax-themed malspam from Tuesday, 2015-06-02

The above example shows two types of URLs.  The first type points to a zip file.  The second type ends in fax.php and pushes Neutrino EK.  Last week's malspam only had links to the zip files.


Shown above: myfax-themed malspam from Thursday, 2015-05-28

In a lab environment, those links ending with fax.php returned HTML with iframes leading to Neutrino EK.

Unfortunately, I wasn't able to generate any Neutrino EK traffic.  The domain names in the Neutrino URLs did not resolve in the DNS traffic.

We saw the following fax.php URLs from the malspam: 

  • chuotbu.com - GET /wp-content/plugins/feedweb_data/fax.php
  • www.faura-casas.com - GET /wp-content/plugins/feedweb_data/fax.php 

We also found the following URLs for zip files from the malspam: 


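A defender-side check for the two URL shapes described above, as an added example that is not from the diary: it scans constructed proxy-log lines (the log layout is an assumption) for zip lures with fax-themed file names and for fax.php gate requests, then lists the clients that fetched a zip so they can be triaged.

```python
import re

# URL shapes from this wave: a zip lure with a fax-themed file name
# (Pony downloader) and a path ending in fax.php (Neutrino EK gate).
# The fax-themed name check generalizes the diary's examples; treat it as
# an assumption to tune against your own mail and proxy logs.
PATTERNS = {
    "neutrino_gate": re.compile(r"/fax\.php$", re.IGNORECASE),
    "pony_zip_lure": re.compile(r"/[^/]*fax[^/]*\.zip$", re.IGNORECASE),
}

# Assumed proxy-log layout: "<timestamp> <client_ip> <method> <host> <path>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")

# Constructed sample lines; hosts use the reserved .invalid TLD.
SAMPLE_LOG = [
    "2015-06-02T14:01:05Z 10.0.0.21 GET lure-a.invalid /wp-content/plugins/feedweb_data/pdf_efax_message_0000000.zip",
    "2015-06-02T14:01:07Z 10.0.0.21 GET cdn.invalid /static/logo.png",
    "2015-06-02T14:03:11Z 10.0.0.33 GET lure-b.invalid /wp-content/plugins/feedweb_data/fax.php",
    "2015-06-02T14:03:12Z 10.0.0.33 GET lure-b.invalid /wp-content/plugins/feedweb_data/style.css",
]


def classify_path(path):
    """Return the matching category name, or None for an unrelated path."""
    for name, rx in PATTERNS.items():
        if rx.search(path):
            return name
    return None


def scan_log(lines):
    """Return (category, client_ip, host, path) for every matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _ts, client, _method, host, path = m.groups()
        category = classify_path(path)
        if category:
            hits.append((category, client, host, path))
    return hits


def clients_to_triage(hits):
    """Clients that fetched a zip lure: the archive holds the Pony
    downloader, so those hosts need follow-up, not just the EK gate hits."""
    return sorted({client for cat, client, _h, _p in hits if cat == "pony_zip_lure"})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("triage:", clients_to_triage(found))
```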
Here's what we saw in a lab environment when downloading the zip file, extracting the malware, and infecting a Windows host:



Indicators of compromise (IOC) from the infection traffic:


The image below shows Emerging Threats-based Snort events on the infection traffic using Security Onion.  The events indicate a Fareit/Pony downloader infected the lab host with Graftor or a Zeus/Zbot variant.

A sample of the Pony downloader was submitted to malwr.com at: https://malwr.com/analysis/ODExOWNlY2Y4N2QwNDhkNmE4YmFkODc2ODA3NzlkNDI/

A sample of the follow-up malware was also submitted to malwr.com at: https://malwr.com/analysis/OTc4MWY3OTdmZDZkNGYxMGJhNGRkMDAzOThlNmQ1NmI/

Post-infection traffic contains HTTP GET requests for a small image file with an image of Marlon Brando from the Godfather movies.  Matthew Mesa found some other URLs with (what I assume is) the same image [3].

The last 1.4 KB or so of the file is ASCII text, which indicates steganography is being used to send some information to the infected host.
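An added check, not part of the diary, for the appended-ASCII pattern described above: it locates the JPEG End-Of-Image marker and measures both the bytes past it and the printable run at the end of the file. The sample image and appended text are constructed placeholders, and the assumption that the text sits after the EOI marker is mine.

```python
import string

JPEG_SOI = b"\xff\xd8"  # Start Of Image
JPEG_EOI = b"\xff\xd9"  # End Of Image; a decoder stops reading here
PRINTABLE = frozenset(string.printable.encode())


def trailing_ascii_run(data):
    """Longest run of printable ASCII bytes at the very end of data."""
    start = len(data)
    while start > 0 and data[start - 1] in PRINTABLE:
        start -= 1
    return data[start:]


def inspect_jpeg(data, min_tail=64):
    """Describe data riding on a JPEG. 'after_eoi' counts bytes past the last
    End-Of-Image marker; 'ascii_tail' is the printable run at the end of the
    file. Either one reaching min_tail marks the file as suspicious."""
    if not data.startswith(JPEG_SOI):
        return {"jpeg": False, "after_eoi": 0, "ascii_tail": 0, "suspicious": False}
    eoi = data.rfind(JPEG_EOI)
    # rfind skips the EOI of an embedded thumbnail; appended ASCII cannot
    # contain 0xFF, so it cannot produce a false EOI either.
    after_eoi = len(data) - (eoi + 2) if eoi != -1 else 0  # no EOI: truncated image
    ascii_tail = len(trailing_ascii_run(data))
    return {"jpeg": True, "after_eoi": after_eoi, "ascii_tail": ascii_tail,
            "suspicious": max(after_eoi, ascii_tail) >= min_tail}


# Constructed samples: a stub JPEG body, and the same body with a
# placeholder text blob appended after the EOI marker.
_BODY = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 4 + JPEG_EOI
APPENDED = (b"[config]\r\nserver=PLACEHOLDER.invalid\r\n" * 4).ljust(200, b"#")
CLEAN_IMAGE = _BODY
STEGO_IMAGE = _BODY + APPENDED

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_IMAGE), ("appended", STEGO_IMAGE)):
        print(name, inspect_jpeg(blob))
```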

Final words

A pcap of the 2015-06-02 infection traffic is available at:

A zip file of the associated malware is at:

The zip file is password-protected with the standard password.  If you don't know it, email admin@malware-traffic-analysis.net and ask.

Special thanks to Techhelplist and Matthew Mesa for their Twitter posts about this activity.  Techhelplist also updated his blog entry about fake myfax emails with this recent information [4].

---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://twitter.com/Techhelplistcom/status/605765844258287618
[2] http://pastebin.com/0WXz209K
[3] http://pastebin.com/x6U940wj
[4] https://techhelplist.com/index.php/spam-list/125-inbound-fax-fake-myfax-notification
