Sponsored by..

Thursday, 8 January 2015

Malware spam: "Ieuan James" / "invoice EME018.docx"

So far this morning I've seen a handful of these malformed malware spams, claiming to be from a Ieuan James and with a subject of invoice EME018.docx. The body text contains some Base64 encoded data which presumably is meant to be an attachment.

For example..

From:    Ieuan James
Date:    8 January 2015 at 07:25
Subject:    invoice EME018.docx

--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
Content-Type: text/plain;
        charset=us-ascii
Content-Transfer-Encoding: 7bit

--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
Content-Type: application/msword;
        name="invoice EME018.doc";
        x-apple-part-url=D103C3C9-1CC9-4BE2-89E7-EB608B41F92A
Content-Disposition: attachment;
        filename="invoice EME018.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAIgAAAAAA
AAAAEAAAJAAAAAEAAAD+////AAAAACEAAAB/AAAA////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
///////////////////////////////////spcEAKWAZBAAA8BK/AAAAAAAAEAAAAAAABgAA
AQgAAA4AYmpiaptVm1UAAAAAAAAAAAAAAAAAAAAAAAAZBBYALhAAAPk/AQD5PwEAAQAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD//w8AAAAAAAAAAAD//w8AAAAAAAAAAAD//w8A
AAAAAAAAAAAAAAAAAAAAAKQAAAAAALADAAAAAAAAsAMAALADAAAAAAAAsAMAAAAAAACwAwAA
[snipped for clarity]
Some assembly is required with this malware, but if you decode the Base64 area you get one of two different Word documents with VirusTotal detection rates of just 1/56 [1] [2]. These malicious documents contain one of two macros [1] [2] [pastebin] that download an additional component from one of the following locations:

http://ecovoyage.hi2.ro/js/bin.exe
http://mateusz321.cba.pl/js/bin.exe

This binary is saved as %TEMP%\oHIGUIgifdg.exe and has a VirusTotal detection rate of 10/55. The Malwr report for this shows that it connects to:

http://74.208.11.204/
http://129.215.249.52/qZXI6nYL8NLtqX6%3DZ/@mF6s4lFjMN4JSfB%2CVPutSGtX/6Ww_r5R%3FlP_ce2A
http://78.140.164.160/LL7yk@O6E/Qyiy/6yz%3Dzs18r/s4$rV

It also queries some other hosts, meaning that it looks like it attempts to connect home to:

59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)
129.215.249.52 (Edinburgh University, UK)
78.140.164.160 (Webazilla, US)
37.1.208.21 (3NT Solutions LLP aka inferno.name, UK)
86.156.238.178 (BT, UK)

In addition, the Malwr report says that a malicious DLL is dropped with a detection rate of 2/56.

Recommended minimum blocklist:
59.148.196.153
74.208.11.204
129.215.249.52
78.140.164.160
37.1.208.21
86.156.238.178

In addition I suggest blocking 3NT Solutions LLP / inferno.name IP ranges on sight. I would very strongly recommend blocking the entire 37.1.208.0/21 range.

For researchers, a copy of all the files is available here, password is infected.

3 comments:

Unknown said...

Morning Conrad
the easy way to get the malware doc with these is to save the email as a text file ( if using Outlook which saves as msg format)or as an eml file . Rename it as eml ( if needed) the drop the eml file onto winzip & it will extract the contents into a subfolder. That way you don't have to manually decode the base 64. One of the anti-virus analysts taught me that trick recently and saved me hours of mucking around with base 64 and decoding online or in malzilla

Unknown said...

Interested to know how this phishing e-mail with base64 encoded string will be executed in user's machine. User will not decode content.

@Derek:- Can you please explain the process of decoding e-mail more clearly.

Conrad Longmore said...

The Base64 segment will decode to a DOC file, which (if macros are enabled) will then download an EXE file from a remote server and execute it.

You would hope that anyone who recognises Base64 would also know that this was spam.

WinZip is clever enough to understand the Base64 encoding and can cope with it, else you will need a Base64 decoder program (there are many).

Really though, this is just an error by the spammers. I've seen similar malformed spam runs in the past, it seems they don't always check everything that closely. But since they're using stolen computer resources to do it, then they are probably not bothered.