Spam

Dissecting SmokeLoader (or Yulia's sweet ass proposition)

In mid-August I started receiving some emails from Yulia. She wanted me to take a look at her sweet ass:
 

 

I was not sure about it, but after receiving some more emails like this I took a look (I received the last one on the 10th of September). Then I found out that this was the beginning of a SmokeLoader campaign, I was really disappointed :( Out of spite, I started analyzing it ;p

These are some of the headers and the message body:
 

Date:   Wed, 13 Aug 2014 12:55:56 -0400
From:   "Yulia" <negligentjsd185@dialectologic.in>
Subject: My new  photo

Hi it is Yulia fuck me ass at night. Look at my sweet ass on a photo I wait for you

 
I don't want to duplicate the information already published about this loader, so you can check the post published in July by StopMalvertising and what my colleague Michael Sandee said about it in 2012. Since then, SmokeLoader (known as Dofoil too) has modified the encryption to communicate with the C&C, added some extra plugins, etc.

After executing the binary you can easily spot that something is happening in your computer because you can see some strange POST requests to some known URLs. These URLs are extracted from the registry, opening the key Software\Microsoft\Windows\CurrentVersion\Uninstall and looking at the values of HelpLink and URLInfoAbout for the installed programs.  

Spammed CVE-2013-2729 PDF exploit dropping ZeuS-P2P/Gameover

I am used to receive SPAM emails containing zips and exes, even "PDF files" with double extension (.pdf.exe), but some days ago I received an email with a PDF file attached, without any .exe extension and it didn't look like a Viagra advertisement. Weird. I didn't have time to take a look at it, but the next day I received another one, with a different subject. The subject of the first email was “Invoice 454889 April” from Sue Mockridge (motherlandjjw949 at gmail.com) attaching “April invoice 819953.pdf” (eae0827f3801faa2a58b57850f8da9f5), and the second one “Image has been sent jesparza” from Evernote Service (message at evernote.com, but really protectoratesl9 at gmail.com) attaching “Agreemnet-81220097.pdf” (2a03ac24042fc35caa92c847638ca7c2).

 

cve-2013-2729_invoice_email

 

cve-2013-2729_evernote_email

 
At this point I was really curious so I took a look at them with peepdf.
 

cve-2013-2729_peepdf_error

 

Advertisement network installing Android FakeAV (Mobile Defender)

One month ago I was trying to find a streaming site to watch a Spanish soccer match and I found futbolenvivoaldia.com. It was a redirection to the famous site Tarjeta Roja, but the interesting thing was that when I browsed the site with my mobile phone I saw the typical Antivirus scanner saying that my device was infected. Also, an app called “androidav_free.APK” (24f0a666a714e26c6c07ab407e37b112) was trying to be downloaded to my device.
 

 
The source of this fake page was one of the advertisement networks of the site tarjetaroja.eu, Mobicow. After some redirections and some tracking URLs this network was returning the following URL to the user's browser:
 

hxxp://cleanupnowonline10.biz/?u=Y0vbAf0fW9lIhVAxPi2nZQo

 
This page was loading Javascript code from here:
 

hxxp://cleanupnowonline10.biz/js/wapc.js

 
The code was obfuscated and this was the second stage of Javascript code:
 
 
Taking a look at the script content we can see that it contains all the functions necessary to show the  fake infection page to the user. Also, we can see that the following URL was used to download the app:
 

hxxp://cleanupnowonline10.biz/apk.php

 

Styx Exploit Kit installing Simda

I was already missing these SPAM emails with some advice about my sexual life: “Your woman wants you to be the best lover”, “The greatest technique to gratify your lady”, etc. I was getting upset about this, I needed some help...;p
 

Styx Spam email

 
So finally I am receiving a lot of these again. After visiting the link (hxxp://goozix.com/its.html) we can see a redirection to a page to buy Viagra and other “medicines”. But also there is some malicious Javascript code hidden there. The result of the deobfuscation contains code to create a cookie (“visited_uq=55”) and also an iframe to load the URL hxxp://gylaqim.com/exit.php. This domain, created on the 21st of September, resolves each time to a different IP and has a history of more than 400 IPs. It has 6 authoritative DNS servers, ns*.gylaqim.com, also resolving to multiple IPs.

Depending on the server which is responding after visiting hxxp://gylaqim.com/exit.php we will be redirected to another initial page - with another redirection to a Viagra site plus malicious Javascript code -  or to the actual exploit kit.

The initial pages seen until the moment are the following:
 

hxxp://178.170.104.124/destruction.html
hxxp://178.170.104.124/seed.html
hxxp://actes-lyon.org/true.html
hxxp://aybabtu.ru/express.html
hxxp://brave.net.nz/ocean.html
hxxp://goozix.com/its.html
hxxp://moniwild.sakura.ne.jp/average.html
hxxp://rodinr.511.com1.ru/angle.html
hxxp://southeasterntrains-fail.com/somewhere.html
hxxp://toys-store.net/dawn.html

The Boston Marathon bombings, RedKit and a malware zoo

Just some hours after the bombings during the Boston Marathon we already had several spam campaigns using that subject to infect users. It seems that cybercriminals don't respect anything, did we really expect something different? :p

On the past Wednesday I received four emails talking about the Boston incident. They were really suspicious, just a URL in the body, the URLs had just an IP instead of a good domain...I think someone was in a rush trying to profit from this as soon as possible, while it was still on the news...
 

 
The subjects were:
 

BREAKING - Boston Marathon Explosion 
Explosion at the Boston Marathon
Aftermath to explosion at Boston Marathon
Explosions at the Boston Marathon

 
And the URLs I saw:
 

hxxp://94.28.49 .130/boston.html 
hxxp://78.90.133 .133/boston.html
hxxp://118.141.37 .122/news.html
hxxp://110.92.80 .47/news.html

 
These URLs leaded to a simple webpage with six iframes. Five of them pointed to real videos about the tragedy and the other one redirected to a RedKit exploit kit which was trying to exploit a CVE-2012-1723 Java vulnerability (take a look at the vulnerability explanation). Also, a Meta Refresh Tag was leading to this URL:
 

Yet another Oficla email campaign (CV)

This time I've received a nicer e-mail, a woman sending me her CV!! with a picture of her included too!! :) In fact, she has included in the image some words too, a bit strange...

Again the same actors: Oficla and ZeuS. This time not Feodo downloading. Inside the zip file we can find the Oficla sample, with a medium detection rate. It connects with the domain showtimeru.ru (now it's down) to ask for URLs to download more malware:

http://showtimeru.ru/show/bb.php?v=200&id=428308300&b=0711_e&tm=6832
[info]runurl:http://1xx.1xx.1xx.46/test/esmilk.exe|taskid:8|delay:15|upd:0|backurls:[/info]

The server response contained the same URL (active yet) as the DHL campaign, downloading the same version of ZeuS, different MD5.

Beware with women!! they are not trustful!! ;)

DHL e-mail campaign downloading ZeuS and Feodo

This past month a new DHL campaign has been spreading malware in a zip file. The executable in the zip was identified (with a high detection rate) as Oficla by the Antivirus engines. This malicious code, with filename DHL_Etiqueta.exe, acts as a downloader asking a server the URLs it must use to download the other malicious files. It always uses in the requests the User-Agent Opera\9.64. These are the requests and responses in this case:

http://xxxxxx.ru/mydog/bb.php?v=200&id=428308299&b=2510_dhl&tm=1397
[info]runurl:http://1xx.1xx.1xx.xx/test/morph.exe|taskid:16|delay:15|upd:0|backurls:[/info]

http://xxxxxx.ru/mydog/bb.php?v=200&id=428308299&tid=16&b=2510_dhl&r=1&tm=1397
[info]kill:0|runurl:http://1xx.1xx.1xx.xx/test/esmilk.exe|taskid:17|delay:15|upd:0|backurls:[/info]


Both of the downloaded files, morph.exe and esmilk.exe, are banking trojans. The former is a sample of Feodo, with a low detection rate (7/41), which downloads the configuration file from a server after sending to it a POST request:

Syndicate content