Sponsored by..

Showing posts with label Cerber. Show all posts
Showing posts with label Cerber. Show all posts

Monday 21 August 2017

Cerber spam: "please print", "images etc"

I only have a couple of samples of this spam, but I suspect it comes in many different flavours..

Subject:       images
From:       "Sophia Passmore" [Sophia5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

--

*Sophia Passmore*


Subject:       please print
From:       "Roberta Pethick" [Roberta5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

--
*Roberta Pethick*

In these two samples there is an attached .7z archive (MD5 31c144629bfdc6c8011c492e06fe914d) with a VirusTotal detection rate of 18/58. Both samples contained a malicious Javascript named 20170821_08914700.js that looks like this [pastebin].

Automated analysis [1] [2] shows a download from the following locations:

gel-batterien-agm-batterien.de/65JKjbh??TqCRhOAQ=TqCRhOAQ [46.4.91.144 - Hetzner, Germany]
droohsdronfhystgfh.info/af/65JKjbh?TqCRhOAQ=TqCRhOAQ [119.28.100.249 - Tencent, China]

The Hybrid Analysis report shows an executable being dropped which is Ceber Ransomware (MD5 c7d79f5d830b1b67c5eb11de40a721b4), with a VT detection of 22/64.

Recommended blocklist:
46.4.91.144
119.28.100.249

Thursday 19 January 2017

Malware spam: "The Insolvency Service" / "Investigations Inquiry Notification" / chucktowncheckin.com / chapelnash.com

This malware spam in unusual in many respects. The payload may be some sort of ransomware [UPDATE: this appears to be Cerber].

From: The Insolvency Service [mailto:service@chucktowncheckin.com]
Sent: 19 January 2017 12:22
Subject: EGY 318NHAR12 - Investigations Inquiry Notification



Company Investigations Inquiry
Informing You that we have received appeal regarding your company which indicates corporate misconduct.
Your Inquiry Number: 84725UPTN583
As part of this occasion we have made our own background investigation and if it occurs to be in the public interest, we can apply to the court to wind up the company and stop it trading.
Also if the performance of the director(s) who run the company is questionable enough, we can commence proceedings to disqualify them from governing a limited company for a time span up to 15 years.
FURTHER CASE DATA
The investigation can give us information that we can transmit to another regulatory body that has more suitable powers to deal with any concerns the investigation uncovers.
Help Cookies Contact Terms and conditions Rhestr o Wasanaethau Cymraeg
Built by the Government Digital Service
All content is available under the Open Government Licence v3.0, except where otherwise stated   
© Crown copyright

Sample subjects are:

LSV 354EMPU31 -  Investigations Inquiry Reminder
JXI 647TESR39 -  Investigations Inquiry Reminder
SHV 622WYXP68 -  Investigations Inquiry Notice
QPY 661APWZ41 -  Investigations Inquiry Notice
FHF 338SYBV85 -  Investigations Inquiry Notice
EGY 318NHAR12 -  Investigations Inquiry Notification
IZJ 296CNWP92 -  Investigations Inquiry Notice

All the senders I have seen come from the chucktowncheckin.com domain. Furthermore, all of the sending servers are in the same /24:

194.87.216.87
194.87.216.62
194.87.216.40
194.87.216.43
194.87.216.3
194.87.216.7
194.87.216.80

All the servers have names like kvm42.chapelnash.com in a network block controlled by Reg.ru in Russia.

The link in the email goes to some hacked WordPress site or other, then ends up on a subdomain of uk-insolvencydirect.com e.g. 2vo4.uk-insolvencydirect.com/sending_data/in_cgi/bbwp/cases/Inquiry.php - this is a pretty convincing looking page spoofing the UK government, asking for a CAPTCHA to download the files:


Entering the CAPTCHA downloads a ZIP file (e.g. 3d6Zy.zip) containing a malicious Javascript (e.g. Inquiry Details.js) that looks like this [Pastebin].

Hybrid Analysis of the script is rather interesting, not least because it performs NSLOOKUPs against OpenDNS servers (which is a really weird thing to do give that OpenDNS is a security tool).

The script downloads a component from www.studiolegaleabbruzzese.com/wp-content/plugins/urxwhbnw3ez/flight_4832.pdf and then drops an EXE with an MD5 of e403129a69b5dcfff95362738ce8f241 and a detection rate of 5/53.

Narrowing the Hybrid Analysis down to just the dropped EXE, we can see these peculiar OpenDNS requests as the malware tries to reach out to:

soumakereceivedthiswith.ru (176.98.52.157 - FLP Sidorenko Aleksandr Aleksandrovich, Russia)
sectionpermiathefor.ru (151.0.42.255 - Online Technologies, Ukraine)
programuserandussource.ru (does not resolve)
maytermsmodiall.ru (does not resolve)

It isn't exactly clear what the malware does, but you can bet it is Nothing Good™.

I recommend that you block email traffic from:

194.87.216.0/24

and block web traffic to

uk-insolvencydirect.com
studiolegaleabbruzzese.com
176.98.52.157
151.0.42.255



Monday 3 October 2016

Malware spam: "I have shipped your packet. Please check the report enclosed here to view more info."

This spam email leads to Cerber ransomware:

From:    Trevor David
Date:    3 October 2016 at 13:46
Subject:    Pede Industries

Hello
I have shipped your packet. Please check the report enclosed here to view more info.

Word doc password: JqpcGrKK9


Pede Industries
Company names and senders are randomly generated. Attached is a randomly-named .DOT file with password protection. The password protection makes it hard to analyse, but my source tell me that these documents download from:

www.ldlogistic.it/kls.doc
csir.bdx6.siteinternet.com/kls.doc

The dropped malware apparently has an MD5 of 0e7913875724151d8e822add07ec75b2.

Once downloaded, the malware attempts to make a C2 connection to an IP in the range
31.184.234.0/23:6892 (GTO, Montenegro and Virty.io, Russia). I don't know which is the active IP, but blocking the entire /23 might be a good precaution.

Wednesday 8 June 2016

Malware spam: "Good morning" résumé spam drops Cerber ransomware and makes a statement

This fake résumé spam leads to malware:

From:    Dora Bain
Date:    7 June 2016 at 03:37
Subject:    Good morning

What's Up?
I visited your website today..
I'm currently looking for work either full time or as a intern to get experience in the field.
Please look over my CV and let me know what you think.

With gratitude,

--
Dora Bain
In the sample I saw, the attached file was named Dora-Resume.doc and had a VirusTotal detection rate of 11/56. The Malwr report and Hybrid Analysis show that a script executes that tries to make a political statement along the way..


This downloads a file from 80.82.64.198/subid1.exe which is then saved as %APPDATA%\us_drones_kills_civilians.exe  which VirusTotal gives a detection rate of 20/56 and seems to give an overall diagnosis as being Cerber ransomware.

The IP address of 80.82.64.198 is allocated to an apparent Seychelles shell company called Quasi Networks Ltd (which is probably Russian). There seems to be little if anything of value in 80.82.64.0/24 which could be a good candidate to block. Incidentally, the IP hosts best-booters.com which is likely to be a DDOS-for-hire site.

According to the VT report the malware scans for a response on port 6892 on the IP addresses 85.93.0.0 through to 85.93.63.255. However, this Hybrid Analysis indicates that the only server to respond is on 85.93.0.124 (GuardoMicro SRL, Romania) which is part of the notoriously bad 85.93.0.0/24 which is a good thing to block.

That report also shows traffic to ipinfo.io which is a legitimate "what is my IP" service. While not malicious in its own right, it does make a potentially good indicator of compromise.

Recommended blocklist:
80.82.64.0/24
85.93.0.0/24