From: Australian Taxation Office [noreply@ato.gov.au]The names and the numbers change from email to email. Despite the displayed URL in the message, the link actually goes to cubbyusercontent.com (e.g. https://www.cubbyusercontent.com/pl/RYR5601763.zip/_33cdead4ebfe45179a32ee175b49c399) but these download locations don't last very long as there is a quota on each download.
Date: 1 April 2015 at 00:51
Subject: Australian Taxation Office - Refund Notification
IMPORTANT NOTIFICATION
Australian Taxation Office - 31/03/2015
After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 2307.15 AUD.
To view/download your tax notification please click here or follow the link below :
https://www.ato.gov.au/AZItems.aspx?id=3673&category=Tax+legislation+and+regulations&sorttype=azindexdisplay&Disp=True?NotificationCode=notification_0354003
Laurence Thayer, Tax Refund Department Australian Taxation Office
In this case, the downloaded file is RYR5601763.zip which contains a malicious executable RYR5601763.scr which has a VirusTotal detection rate of 20/57.
Automated analysis tools [1] [2] [3] [4] [5] show that it downloads components from:
ebuyswap.co.uk/mandoc/muz3.rtf
eastmountinc.com/mandoc/muz3.rtf
It then attempts to phone home to:
141.105.141.87:13819/3103us13/HOME/41/7/4/
That IP is allocated to Makiyivka Online Technologies Ltd in Ukraine. In addition, it looks up the IP address of the computer at checkip.dyndns.org. Although this is benign, monitoring for it can be a good indicator of infection.
These URL requests are typical of the Upatre downloader.
According to the Malwr report it drops another binary jydemnr66.exe with a detection rate of 11/55 plus a benign PDF file entitled "War by remote control" which acts as some sort of cover for the infection process.
Recommended blocklist:
141.105.140.0/22
ebuyswap.co.uk
eastmountinc.com
No comments:
Post a Comment