Monday, 8 July 2013

sendgrid.me / amazonaws.com spam

This spam is unusual in that it comes through an apparently genuine commercial email provider (sendgrid.me) and leads to malware hosted on Amazon's cloud service, amazonaws.com. There is no body text in the spam, just an image designed to look like a downloadable document.

from:     [victim] via sendgrid.me
date:     8 July 2013 19:08
subject:     Urgent 6:08 PM 244999
Signed by:     sendgrid.me

The email appears to originate from 138.91.78.32 which is a Microsoft IP, so that part of the mail header might be faked. It certainly comes through 208.117.55.132 (o1.f.az.sendgrid.net)

The text at the bottom says "Please find attached the document." but actually leads to a malicious executable at [donotclick]s3.amazonaws.com/ft556/Document_948357853____.exe [https] (VirusTotal report) which then downloads a further executable from [donotclick]s3.amazonaws.com/mik49/ss32.exe [http] (VirusTotal report) which installs itself into C:\Documents and Settings\Administrator\Application Data\ss32.exe.

ThreatExpert reports that the downloader (the first executable) is hardened against VM-based analysis:
Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine).
Anubis, Comodo CAMAS, Malwr and ThreatTrack give various clues as to what the downloader is doing.

The second part (ss32.exe) attempts to lookup a server called mssql.maurosouza9899.kinghost.net 177.185.196.130 (IPV6 Internet Ltda, Brazil) according to CAMAS and Anubis identifies an attempted connection to bit.ly/15aDtjB  which attempts to connect to an unregistered domain of www.mdaijdasid.com (report here). Malwr gives some further information on system changes as does ThreatTrack. ThreatExpert reports seeing Themida again.

Quite what the second part of the malware does is unclear, and it may simply be that the mdaijdasid.com hasn't been registered quite yet but will be later. VirusTotal does report some other badness on 177.185.196.130 so this is probably worth blocking.

Recommended blocklist:
177.185.196.130
mssql.maurosouza9899.kinghost.net
mdaijdasid.com
s3.amazonaws.com/mik49/
s3.amazonaws.com/ft556/
bit.ly/15aDtjB

2 comments:

Ryan Harris said...

Hello,

SendGrid is aware of this malicious spammer using our system to carry out their payload. The spammer is using a partner of ours, Microsoft's Azure services, to sneak on through. We have been working with Azure's Fraud team to prevent this from happening again.

Sorry for the inconvenience and headache this has caused for the community.


Ryan Harris
Lead Abuse Engineer

Conrad Longmore said...

@Ryan Harris: cool, thanks. So it *was* a Microsoft IP!