From "Transport for London" [noresponse@cclondon.com]The attachment name seems to vary, in the samples I have seen there is 7887775.zip, 0174458.zip and rather oddly [?var=partorderb].zip. From these I have recovered two malicious samples with a VirusTotal detection rate of 6/56 and 1/57. These two Hybrid Analysis reports [1] [2] show the malware connecting to various malicious and non-malicious IPs, but in particular we see a traffic pattern like this:
Date Thu, 20 Aug 2015 17:04:26 +0530
Subject Email from Transport for London
Dear Customer
Please open the attached file(7887775.zip) to view correspondence from Transport
for London.
If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download
this attachment. If you require Adobe Acrobat Reader this is available at no cost
from the Adobe Website www.adobe.com
Thank you for contacting Transport for London.
Business Operations
Customer Service Representative
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
This email and any attachment are intended solely for the addressee, are strictly
confidential and may be legally privileged. If you are not the intended recipient
any reading, dissemination, copying or any other use or reliance is prohibited. If
you have received this email in error please notify the sender immediately by email
and then permanently delete the email.
93.185.4.90:12326/2008uk77/jI7tL6q34q/0/61-SP1/0/FDMBEFJBMKBEMM
93.185.4.90:12326/2008uk77/jI7tL6q34q/41/5/42/FDMBEFJBMKBEMM
These GET requests are a characteristic of Upatre/Dyre. 93.185.4.90 is allocated to C2NET, Czech Republic and I strongly recommend that you block it.
Those Hybrid Analysis reports also identify some botnet IPs and dropped files, which I suggest that you study if interested.
No comments:
Post a Comment