It begins with a simple fake fax message..
From: MyFax [no-replay@my-fax.com]There are *lots* of these download locations, the ones I have personally seen are:
Date: 8 January 2015 at 17:11
Subject: Fax #6117833
Fax message
http://raffandraff.com/docs/new_fax.html
Sent date: Thu, 8 Jan 2015 17:11:53 +0000
http://381main.com/docs/new_fax.html
http://blustoneentertainment.com/docs/new_fax.html
http://claimquest123.com/docs/new_fax.html
http://www.drhousesrl.it/docs/new_fax.html
http://dutawirautama.com/documents/message.html
http://espaceetconfort.free.fr/docs/new_fax.html
http://netsh105951.web13.net-server.de/docs/new_fax.html
http://njstangers.org/docs/new_fax.html
http://patresearch.com/docs/new_fax.html
http://powderroomplayground.com/docs/new_fax.html
http://prosperprogram.org/docs/new_fax.html
http://pyramidautomation.com/docs/new_fax.html
http://raffandraff.com/docs/new_fax.html
http://regimentalblues.co.uk/docs/new_fax.html
http://rewelacja.eu/docs/new_fax.html
http://stamfordicenter.com/docs/new_fax.html
http://stylista.com.cy/docs/new_fax.html
http://win.org.ro/docs/new_fax.html
Each one of these pages contains a script that looks like this:
<!DOCTYPE html>So far, so good. But the scripts seem insane, like this one.
<html>
<head>
<title>Page Title</title>
<script type="text/javascript" src="http://girardimusicstudio.com/js/jquery-1.7.50.js"></script>
<script type="text/javascript" src="http://blackstonebikes.co.uk/js/jquery-1.7.50.js"></script>
</head>
<body>
</body>
</html>
It looks a bit like Brainfuck but in fact it is something called jjencoding which I confess is way beyond my limited Javascript skillz. No worries, I used the code at this Github repository to decode it, and that leads to this script.
Now, this script passes some browser variables to the next step (described here, I won't reinvent the wheel), and if you have all your ducks in a row you might get a "Read message" link.
The download link looks something like this - http://stylista.com.cy/js/jquery-1.7.50.js?get_message=2151693229 - which in this case downloads the curiously named file "message.zip ;.zip ;.zip ;" which contains a file fax_letter_pdf.exe which is of course malicious.
Now, it's worth pointing out that there is strong evidence that the EXE-in-ZIP file downloaded here has several different version. In this case it has a VirusTotal detection rate of 3/56. I have seen at least two other MD5s though, I think each download site might have a different variant.
The Malwr report for this binary takes us a little deeper down the rabbit hole. We can see that it communicates with the following URLs:
http://202.153.35.133:48472/0801us1/HOME/0/51-SP3/0/
http://202.153.35.133:48472/0801us1/HOME/1/0/0/
http://masterelectric.net/mandoc/1001.pdf
It also drops a file EXE1.EXE which has a detection rate of 4/56. That analysis indicates that the payload is the Dyreza banking trojan.
All this seems like a lot of effort to drop a ZIP file with a funny name, but it does go some way to obfuscating the payload.
No comments:
Post a Comment