From: UPS Quantum View [ups@ups-service.com]
Date: 5 December 2016 at 17:38
Subject: Shipping status changed for your parcel # 1996466
Your parcel has arrived, but we were unable to successfully deliver it because no person was present at the destination address.
There must be someone present at the destination address, on the delivery day, to receive the parcel.
Shipping type: UPS 3 Day Select
Box size: UPS EXPRESS BOX
Date : Nov 14th 2016
You can reschedule the delivery over the phone, but you will have to confirm the information on the delivery invoice.
The delivery invoice can be downloaded from our website :
https://wwwapps.ups.com/WebTracking/view_invoice?id=1996466&delivery_date=1204&account=[redacted]
Thank you for shipping with UPS
Copyright © 1994-2016 United Parcel Service of America, Inc. All rights reserved.
The link in the email actually goes to the URL vantaiduonganh.vn/api/get.php?id= followed by a Base64-encoded string (e.g. aGVscGRlc2tAZmJpLmdvdg==), and it downloads a Word document with the recipient's email address embedded in it. This type of malware typically uses hacked but legitimate Vietnamese sites for this stage of the infection chain.
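As an added example (not part of the original post), the following Python decodes the Base64 id parameter from a lure URL of the shape described above to recover the recipient address the download was tagged with, and flags proxy log lines that hit the recommended blocklist; the log lines, their "client url" format and the function names are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Recommended blocklist from the post; the IP hosts the C2 domains.
BLOCKLIST = {"185.31.160.11", "parkovka-rostov.ru", "stela-krasnodar.ru"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)


def _split(url: str):
    # Tolerate URLs quoted without a scheme, as in the post.
    return urlsplit(url if "://" in url else "http://" + url)


def decode_lure_id(url: str):
    """Return the email hidden in an /api/get.php?id=<base64> lure URL, else None.

    The lure tags each download with the recipient's address so the attacker
    can record who fetched the document; decoding it tells defenders who was
    targeted. The id is read raw so a literal '+' in the Base64 survives.
    """
    parts = _split(url)
    if not parts.path.endswith("/api/get.php"):
        return None
    match = re.search(r"(?:^|&)id=([^&]*)", parts.query)
    if not match:
        return None
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if EMAIL_RE.match(decoded) else None


def scan_proxy_log(lines):
    """Return (client, host, reason) for each line hitting the blocklist or a lure."""
    findings = []
    for line in lines:
        client, _, url = line.strip().partition(" ")
        host = _split(url).hostname
        if host in BLOCKLIST:
            findings.append((client, host, "blocklisted host"))
        email = decode_lure_id(url)
        if email:
            findings.append((client, host, f"lure download tagged for {email}"))
    return findings


# Constructed sample log: one lure fetch, one blocklisted download, one benign hit.
SAMPLE_LOG = [
    "10.0.0.5 http://vantaiduonganh.vn/api/get.php?id=aGVscGRlc2tAZmJpLmdvdg==",
    "10.0.0.7 http://parkovka-rostov.ru/inst.exe",
    "10.0.0.9 https://wwwapps.ups.com/WebTracking/view_invoice?id=1996466",
]
```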
This DOC file contains a malicious macro; the Malwr report indicates that it downloads components from:
parkovka-rostov.ru/inst.exe
stela-krasnodar.ru/wp-content/uploads/pm22.dll
Those two locations are legitimate but hacked sites. This has a detection rate of 7/56, and the DLL has a detection rate of 37/56. The malware appears to be Hancitor / Pony / Vawtrak, phoning home to:
cothenperci.ru/borjomi/gate.php
madingtoftling.com/ls5/forum.php
Both of these are hosted on the same IP address of 185.31.160.11 (Planetahost, Russia). The following malicious domains are also hosted on the same IP:
Recommended blocklist:
185.31.160.11
parkovka-rostov.ru
stela-krasnodar.ru
2 comments:
Also of note is that the attacker is using a "visitor.txt" file that is always stored in the same directory as the malicious document. It contains the email that was sent as a base64-encoded parameter for the link, the document name the person should have received, and the IP address of the visitor. Every site the malicious documents have been stored on has this document. The file originally only contained emails and IP addresses, but recently evolved to include the document name.
Also, of important note, thus far the VirusTotal comments from a user named techhelplist have been right on the money in listing the C2 domains, stage 2 domains, document checking locations, etc.