From: cm_sharpscan@yahoo.co.uk
Date: 15 January 2016 at 10:12
Subject: Scanned image from MX-2640N
Reply to: cm_sharpscan@yahoo.co.uk [cm_sharpscan@yahoo.co.uk]
Device Name: Not Set
Device Model: MX-2640N
Location: Not Set
File Format: DOC (Medium)
Resolution: 200dpi x 200dpi
Attached file is scanned image in Microsoft Word format.
The attachment is meant to be in the format username@domain.tld_201601151152_097144.doc but, due to an apparent error in the MIME formatting, saving it results in a file in the format _username@domain.tld_201601151152_097144.doc_ 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7_CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA.doc_0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7_CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA instead.
The next problem for the bad guys is that they have added a leading space to the Base64-encoded section containing the attachment. This means that unless the mail client somehow fixes the error, the attachments are harmless (VirusTotal results [1] [2] [3] [4]).
Now, not many people are going to wade in and fix the malicious attachments, but I did and I got three unique files (VirusTotal results [1] [2] [3]).
Analysis of these documents is pending, but the payload is probably meant to be the Dridex banking trojan.
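As an added example (not the post's own code), the following Python script reproduces the defect described above on a constructed message and shows why it matters: a strict base64 decoder rejects the attachment because of the stray leading space, while a lenient decoder that drops non-alphabet characters recovers it, which is the repair an analyst performs to obtain a hash for submission to VirusTotal. The sender, filename and placeholder document bytes are constructed for the example; the real attachment is not reproduced. The script also checks the recovered bytes against the OLE2 compound-document magic (D0 CF 11 E0 A1 B1 1A E1), whose base64 encoding begins with 0M8R4KGxGuE, the same string that appears in the mangled filename quoted above.

```python
import base64
import binascii
import hashlib
import re
from email import message_from_bytes, policy

# Magic bytes of an OLE2 compound document (legacy .doc/.xls container).
# Base64-encoding them yields "0M8R4KGxGuE=", the junk string that ended up
# in the mangled filename described in the post.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
OLE_MAGIC_B64 = base64.b64encode(OLE_MAGIC).decode()

# Constructed placeholder "document": OLE header plus filler, not a real sample.
DOC_BYTES = OLE_MAGIC + b"\x00" * 8 + b"constructed placeholder, not malware"
EXPECTED_SHA256 = hashlib.sha256(DOC_BYTES).hexdigest()


def build_sample_message(attachment: bytes) -> bytes:
    """Constructed message reproducing the defect: a base64 attachment body
    whose first line begins with a stray space. Headers are hypothetical."""
    b64 = base64.b64encode(attachment)
    lines = [
        b"From: cm_sharpscan@yahoo.co.uk",
        b"Subject: Scanned image from MX-2640N",
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/mixed; boundary="bnd"',
        b"",
        b"--bnd",
        b"Content-Type: text/plain",
        b"",
        b"Attached file is scanned image in Microsoft Word format.",
        b"--bnd",
        b"Content-Type: application/msword",
        b"Content-Transfer-Encoding: base64",
        b'Content-Disposition: attachment; filename="user@example.com_201601151152_097144.doc"',
        b"",
        b" " + b64,  # the stray leading space that breaks strict decoders
        b"--bnd--",
    ]
    return b"\r\n".join(lines) + b"\r\n"


SAMPLE_MESSAGE = build_sample_message(DOC_BYTES)

_NOT_B64 = re.compile(rb"[^A-Za-z0-9+/=]")


def strict_decode(body: str):
    """Decode as a strict MIME consumer would: join the lines, then refuse
    anything outside the base64 alphabet. Returns None on rejection."""
    joined = "".join(body.splitlines())
    try:
        return base64.b64decode(joined, validate=True)
    except (binascii.Error, ValueError):
        return None


def lenient_decode(body: str) -> bytes:
    """Repair step: drop every non-alphabet byte (the stray space included),
    normalise the padding, then decode."""
    cleaned = _NOT_B64.sub(b"", body.encode("ascii", "ignore")).rstrip(b"=")
    cleaned += b"=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned)


def looks_like_ole(data: bytes) -> bool:
    """True if the payload carries the OLE2 header a real .doc would have."""
    return data.startswith(OLE_MAGIC)


def recover_attachments(raw: bytes) -> list:
    """One finding per base64 attachment: whether a strict decoder rejects it,
    and the hash and container type of the repaired payload for triage."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_disposition() != "attachment":
            continue
        if part.get("Content-Transfer-Encoding", "").strip().lower() != "base64":
            continue
        body = part.get_payload(decode=False)  # undecoded transfer encoding
        strict = strict_decode(body)
        data = strict if strict is not None else lenient_decode(body)
        findings.append({
            "filename": part.get_filename(),
            "leading_whitespace": body[:1].isspace(),
            "strict_decode_ok": strict is not None,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "ole_container": looks_like_ole(data),
        })
    return findings


if __name__ == "__main__":
    for finding in recover_attachments(SAMPLE_MESSAGE):
        print(finding)
```

Python's own email package is one of the lenient consumers: `part.get_payload(decode=True)` skips the stray character and records a parsing defect instead of failing, so a client built on a decoder like that is exactly the "somehow fixes the error" case mentioned above. A mail gateway that wants to catch this should therefore not rely on the attachment being undeliverable; hashing the repaired payload, as the script does, gives it something to match against the VirusTotal results.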
UPDATE
I managed to coax a Hybrid Analysis of two of the documents [1] [2] showing download locations of:
nasha-pasika.lviv.ua/786585d/08g7g6r56r.exe
arm.tv/786585d/08g7g6r56r.exe
This executable is the same one dropped in this spam run. It currently has a VirusTotal detection rate of 6/54.
Ironically, that Ukrainian site is on 91.217.91.18 (PE Ivanov Vitaliy Sergeevich, Ukraine) and it is the only time I have seen a legitimate site in the block... and it has been hacked. In any case, I would recommend blocking the entire 91.217.90.0/23, legitimate sites or not.
Those two Hybrid Analysis reports give a whole bunch of callback IPs between them:
88.208.35.71 (Advanced Hosters B.V., NL)
216.117.130.191 (Internet Technologies Inc., US)
116.12.92.107 (Lanka Comunication Services, Sri Lanka)
46.32.243.144 (Heart Internet VPS, UK)
195.96.228.199 (Bulgarian Academy Of Sciences, Bulgaria)
161.53.144.25 (Veleuciliste U Sibeniku, Croatia)
41.38.18.230 (TE Data, Egypt)
Despite the fact that the attachments aren't working, I would expect to see those IPs in use for other badness and I would recommend blocking them.
Recommended blocklist:
88.208.35.71
216.117.130.191
116.12.92.107
46.32.243.144
195.96.228.199
161.53.144.25
41.38.18.230
6 comments:
sample a points to http://149.156.208.41/~s159928/786585d/08g7g6r56r.exe
sample b points to http://nasha-pasika.lviv.ua/786585d/08g7g6r56r.exe
sample c points to http://arm.tv/786585d/08g7g6r56r.exe
files are all the same
I just got it on my professional email account. Thanks for the information
Is it possible to provide steps on how to decode the attachment and recreate the proper attachment?