Tuesday, 5 November 2013

Latest UPS spam runs include exploits


Spam runs never get old. Whether you have received a package from UPS, FedEx or even PayPal notifications, they either lead you to (poorly crafted) phishing websites or malware (mostly Trojans like Zeus).

This afternoon I saw a tweet from one of my friends on Twitter:


Not many moments later I had received the mail in my inbox. Here's what it looked like:

UPS Delivery Notification Tracking Number : XLMBGBN855XLMBGBN581



















Mail seems to come from:
auto-notify@ups.com or
auto@ups.com

Obviously the mail is spoofed and is really coming from:
UPS@enviosuperfast.info or
Quantum@enviosuperfast.info or 
View@enviosuperfast.info 

Which traces back to:
192.123.32.83 - Result & 184.82.214.54 - Result

Attached is a file called:
invoiceU6GCMXGLL2O0N7QYDZ.doc
MD5: 7c2fd4abfe8640f8db0d18dbecaf8bb4
Malwr Report
Malware Tracker Report

Other file names are possible as well, but always follow the same format:
invoiceXXXXXXXXXXXXXXXXXX.doc, where XXXXXXXXXXXXXXXXXX is a random string of 18 characters. I haven't seen any other possibilities (yet).

What's this? It seems this is not the usual ZIP file with a piece of malware in, no, rather this .doc file is actually an .rtf file which contains an exploit. There's also a URL in the mail, which leads to the download of the exact same file. (so you're screwed either way - whether you download/open the attachment or the link - malware authors wanting to up their success rate may be a good reason for this "tactic".)

Submission to Malware Tracker revealed CVE-2012-0158

 Let's perform some static analysis as well. Using our favorite tool Notepad++:
Clues in yellow indicating it's indeed an .rtf file (font used: Calibri)
















What's happening exactly when we are trying to open this with Wordpad? I can tell you: you just see the same thing as is happening above with Notepad++.

When using OfficeMalScanner (downloadable here) it is being revealed there's a (vulnerable) OLE document embedded. There's an excellent post over at SANS here as well on the usage of this tool.

Unfortunately OfficeMalScanner was unable to automatically extract malicious shellcode, but after some manual work I was able to receive another file, which ultimately delivers another exploit.

We have now two working exploits (both are exploits for Office/.RTF files):
CVE-2012-0158
CVE-2010-3333


When I tried to open it this .RTF file with Microsoft Word 2010, Word crashed and the following happened...:
 

Word crashing & malicious process(es) spawning



















Those are an awful lot of REG.exe processes, right? In case you're wondering, REG.exe is a legit Microsoft file - or tool- to edit the registry.

A process called WINWORD.exe is present, but neither vendor or description name are mentioned.
MD5: e5e1ee559dcad00b6f3da78c68249120
Malwr Report

Obviously this isn't the legit Microsoft Word, as that application had crashed. The first time I was reproducing this exploit in the works, it also dropped another file. Unfortunately I was a bit too fast and forgot to take a copy of that sample as well. I was not able to reproduce the spawning or creating of the latter sample.

The malware creates persistence by:
  • injecting into explorer.exe
  • Creating a key as follows: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\baebadcaacbfcbcdsacfsfdsf

It also recreates itself in:
  • %ApplicationData%
  • %CommonApplicationData%


It calls back to the following domains:
customer.invoice-appmy.com
customers.invoice-appmy.org
customer.appmys-ups.orgfeed404.dnsquerys.org
feed.queryzdnsz.org
feeds.nsupdatedns.com
feed404.dnsquerys.com
static.invoice-appmy.com

... Which resolves to the following IP's:
158.255.2.60 - Result
118.67.250.91 - Result


The reason for these domain names are probably to fool network administrators who are possibly taking a peek at the packets passing through their appliance: "Oh, it's just for DNS queries." , one may think. Nothing's less true though.


Payload

The payload can vary in this case. According to VirusTotal results, it may be ransomware. I was unable to reproduce that kind of behaviour. I have feelings it may be a Bitcoin miner or simply Zeus/Zbot again. Kaspersky had apparently noticed the same campaign, in their sample it's a Brazilian banking Trojan. You can read that article here.



Prevention



 Disinfection

  • Look for suspicious Run keys (examples here) and delete the associated file(s).
  • Run a full scan with your installed antivirus product.
  • Run a full scan with another antivirus and/or antimalware product.
  • In a company: warn your network administrator immediately!


Conclusion

One might wonder if this is a so-called "APT" (Advanced Persistent Threat). I highly doubt that.

Though spammers and malware authors have tried the technique of attaching a malicious file or posting a link in the mail, I haven't seen them do that both very much. (exceptions being some awkward and poorly made viagra spam)

Using these exploits, it's clear they are prooftesting their possiblities. How many have fallen or will fall for this campaign? How much of these mails were sent out anyway? There's no sure way of knowing.

Follow the above prevention tips. If you're an antivirus or security company or researcher or just someone interested in this field, this may interest you:

7500198c94051785a68addc5f264a10f
7c2fd4abfe8640f8db0d18dbecaf8bb4
ad0ef249b1524f4293e6c76a9d2ac10d
e5e1ee559dcad00b6f3da78c68249120
By at
Labels:forex, iqoption, pubg Hacked , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)