Sponsored by..

Showing posts with label Pony. Show all posts
Showing posts with label Pony. Show all posts

Monday, 5 December 2016

Malware spam: "Shipping status changed for your parcel # 1996466" / ups@ups-service.com

This fake UPS spam has a malicious attachment:

From:    UPS Quantum View [ups@ups-service.com]
Date:    5 December 2016 at 17:38
Subject:    Shipping status changed for your parcel # 1996466

Your parcel has arrived, but we were unable to successfully deliver it because no person was present at the destination address.

There must be someone present at the destination address, on the delivery day, to receive the parcel.

Shipping type: UPS 3 Day Select
Box size: UPS EXPRESS BOX
Date : Nov 14th 2016
You can reschedule the delivery over the phone, but you will have to confirm the information on the delivery invoice.

The delivery invoice  can be downloaded from our website :
https://wwwapps.ups.com/WebTracking/view_invoice?id=1996466&delivery_date=1204&account=[redacted]

 
Thank you for shipping with UPS

Copyright © 1994-2016 United Parcel Service of America, Inc. All rights reserved.
The link in the email actually goes to a URL vantaiduonganh.vn/api/get.php?id= plus a Base 64 encoded part of the URL (e.g. aGVscGRlc2tAZmJpLmdvdg==) and it downloads a Word document with the recipients email address included in it. This type of malware is typically seen using hacked but legitimate Vietnamese sites for this stage in the infection chain.

This DOC file contains a malicious macro, the Malwr report indicates that it downloads components from:

parkovka-rostov.ru/inst.exe
stela-krasnodar.ru/wp-content/uploads/pm22.dll

Those two locations are legitimate hacked sites. This has a detection rate of 7/56 plus a DLL with a detetion rate of 37/56. The malware appears to be Hancitor / Pony / Vawtrak, phoning home to:

cothenperci.ru/borjomi/gate.php
madingtoftling.com/ls5/forum.php


Both of these are hosted on the same IP address of 185.31.160.11 (Planetahost, Russia). The following malicious domains are also hosted on the same IP:

atiline.ru
vkplitka.ru
teunugtin.ru
cyrebsedri.ru
verarsedme.ru
cothenperci.ru
undorrophan.ru
verciherthan.ru
cypegeding.com
ferabrighrob.com
nastylgilast.com
madingtoftling.com


Recommended blocklist:
185.31.160.11
parkovka-rostov.ru
stela-krasnodar.ru


Monday, 18 April 2016

Malware spam: "Please do confirm the Quote Price and get back to me as soon as possible"

This fake financial spam leads to malware:
From: khlee@ahnchem.com sales
To
Date: Mon, 18 Apr 2016 13:46:21 +0100
Subject: Re: Quote Price

Dear Sir

FYI,

Please do confirm the Quote Price and get back to me as soon as possible.

Regards
Sales Department
Attached is a fie with an unusual extension, ORDER LIST.ace which is actually a compressed archive (basically a modified ZIP file). It contains an executable ORDER LIST.exe which has a VirusTotal detection rate of 15/56. That same VirusTotal report indicates traffic to:

booksam.tk/pony/gate.php

This is hosted on:

46.4.100.109 (Hetzner, Germany)

That IP address might be worth blocking. The Hybrid Analysis indicates that this steals FTP and perhaps other passwords. This is a Pony loader which will probably try to download additional malware, but it is not clear what that it might be.

Thursday, 29 October 2015

Malware spam: "Documents for Review and Comments" / Pony / eyeseen.net

This fake document scan email has a malicious attachment:

From:    Sarah [johnson@jbrakes.com]
Date:    29 October 2015 at 08:27
Subject:    Documents for Review and Comments

Hi Morning,

Attached are the return documents.

Call me if you need anything.

See you soon. :)


Sarah
The attached file is SCANNED DOCS,jpg.z which is a type of compressed file. If you have the right file decompression software, it will extact a malicious executable SCANNED DOCS,jpg.exe which has a VirusTotal detection rate of 17/55.

According to various automated analysis tools [1] [2] [3] it drops a file %TEMP%\XP000.TMP\M.exe which itself has a detection rate of 19/54. Out of all the standard analysis tools I have used, only Comodo CAMAS identified the network traffic, a POST to:

eyeseen.net/swift/gate.php

This is hosted on a SoftLayer IP of 198.105.221.5 in Singapore. A quick look at VirusTotal indicates a lot of badness on this IP address, so it is probably one worth blocking.

The payload is Pony / Fareit, which is basically a password stealer.

MD5s:
25a322b9ea5c709c4376bf58527f198a
efc7210f7dbce441f74e3c9f07f28a2e
79ca99c3f751ae334d0340284242e4f6