Tuesday, June 11, 2013

WellsFargo spam serving infostealing malware


Not that new, but still noteworthy: spammers seem to be abusing WellsFargo (an American bank) as a trusted sender. This is simple mail spoofing.


Mail from "Georgina Franks"

Some example senders (where it seems to come from):
Evelyn_Piper@wellsfargo.com
Georgina_Franks@wellsfargo.com
Noe_Zavala@wellsfargo.com

As far as I could find, these email addresses do not even exist.

The mail itself is actually coming from the Pushdo botnet. Example IPs:

173.167.205.149 - IPVoid Result
209.181.66.178 - IPVoid Result
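Checking where such a message really came from, as an added example (not code from the original post): the script parses the raw mail source, takes the first relay out of the earliest Received: header and compares it with the domain claimed in From:. The sample message is constructed, its hostnames are hypothetical, and the origin IP is the Pushdo relay quoted above.

```python
import email
import email.utils
import re

# Relay IPs the post attributes to the Pushdo botnet (values from the page).
PUSHDO_RELAYS = {"173.167.205.149", "209.181.66.178"}
# Constructed sample message in the style of this spam run: the From: address
# is spoofed, the hostnames are hypothetical, the origin IP is from the post.
SAMPLE_MAIL = """\
Received: from mx.victim.example (mx.victim.example [192.0.2.10])
    by inbox.victim.example with ESMTP id 1; Tue, 11 Jun 2013 10:00:00 +0000
Received: from wellsfargo.com (unknown [173.167.205.149])
    by mx.victim.example with SMTP id 2; Tue, 11 Jun 2013 09:59:58 +0000
From: "Georgina Franks" <Georgina_Franks@wellsfargo.com>
Subject: Your WellsFargo documents

Please see the attached documents.
"""

def origin_hop(raw):
    """Parse the earliest Received: header (last in the message, as relays prepend)."""
    hops = email.message_from_string(raw).get_all("Received") or []
    if not hops:
        return None
    first = hops[-1]
    helo = re.match(r"\s*from\s+(\S+)", first)           # name the relay announced
    rdns = re.search(r"\(([^\s\[]+)\s*\[", first)        # name our MX resolved for it
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", first)
    return {"helo": helo.group(1).lower() if helo else None,
            "rdns": rdns.group(1).lower() if rdns else None,
            "ip": ip.group(1) if ip else None}

def spoof_indicators(raw, relays=PUSHDO_RELAYS):
    """Reasons the message looks spoofed; empty list means nothing suspicious found."""
    msg = email.message_from_string(raw)
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop = origin_hop(raw)
    if hop is None:
        return ["no Received: headers at all"]
    reasons = []
    if hop["ip"] in relays:
        reasons.append("origin relay is a known Pushdo node")
    rdns_ok = bool(hop["rdns"]) and hop["rdns"].endswith(from_domain)
    if hop["rdns"] in (None, "unknown"):
        reasons.append("origin relay has no reverse DNS")
    elif not rdns_ok:
        reasons.append("reverse DNS of origin relay is outside the From: domain")
    if hop["helo"] and hop["helo"].endswith(from_domain) and not rdns_ok:
        reasons.append("HELO name claims the From: domain but the relay is not in it")
    return reasons
```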

All the links in the mail are legitimate, to convince you that the attachment is legitimate as well. When opening the ZIP file (which is named WellsFargo.yourmailprefix), you're presented with what looks like a PDF file but is in fact an EXE file:

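Triage of such an attachment, as an added example (not code from the original post): the script builds a constructed stand-in for the ZIP, then reports for each member what its name claims versus what its first bytes say, flagging executable and double extensions. The member names are hypothetical.

```python
import io
import zipfile

# Constructed stand-in for the WellsFargo.<yourmailprefix> attachment: one
# member named like a PDF but starting with the "MZ" signature every Windows
# EXE carries, and one genuine (minimal) PDF. The "MZ" bytes are a header
# stub only, not a program.
def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WellsFargo_Statement.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("WellsFargo_Notice.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()

# Magic bytes a triage script can trust more than the file name.
MAGIC = {b"MZ": "exe", b"%PDF": "pdf", b"PK\x03\x04": "zip"}
# Extensions Windows runs on double-click; Explorer hides them by default,
# which is exactly what the fake PDF icon relies on.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

def sniff(head):
    """Map the first bytes of a member to a type name, or 'unknown'."""
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return "unknown"

def inspect_zip(zip_bytes):
    """One finding per member: its name, the type the name claims, the type
    the content really is, and the reasons it should not be opened (if any)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            claimed = parts[-1] if len(parts) > 1 else ""
            real = sniff(zf.open(info).read(8))
            reasons = []
            if claimed in EXECUTABLE_EXTS:
                reasons.append("executable extension")
            if len(parts) > 2 and parts[-2] in ("pdf", "doc", "txt", "jpg"):
                reasons.append("double extension hiding behind a document type")
            if real == "exe" and claimed not in EXECUTABLE_EXTS:
                reasons.append("executable content with a non-executable name")
            findings.append({"name": info.filename, "claimed": claimed,
                             "real": real, "reasons": reasons})
    return findings
```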
MD5: 47e739106c24fbf52ed3b8fd01dc3668
VirusTotal Report
Anubis Report
Malwr Report


This malware is known as Fareit (or Tepfer). According to Microsoft:
 Win32/Fareit is a multiple component malware family that consists of a password stealing component, PWS:Win32/Fareit, that steals sensitive information from the affected user's computer and sends it to a remote attacker, and a Distributed Denial of Service (DDoS) component, DDoS:Win32/Fareit.gen!A, that may be commanded to perform flooding attacks against other servers.

When executed, the file looks for quite a lot of data to steal; it also phones home to update its configuration files and to download additional malware (Zeus). Below you can find an image of the data (information) it tries to steal:

List of programs it tries to extract username/password from

So besides all this, it additionally downloads Zeus (the payload), which tries to steal banking credentials among other things. If you thought Fareit was enough, guess again! There's a good image made by the FBI showing how the Zeus 'scheme' or malware works:

Cyber Theft Ring details

The downloaded Zeus files all have a very low detection rate on VirusTotal. Hint:
check out the VirusTotal report for the sample above and click on the tab "Behavioural Information". Note that the links are live!



Conclusion
  • Don't open any attachment(s) from unknown senders. In fact, don't even open mail from unknown senders.
  • Don't be fooled by mail spoofing: you can view the real source by right-clicking your mail and choosing "View Source". (This depends on your mail client, though.)
  • Don't be fooled by the fancy icons; they are actually EXE files. You can enable an option in Windows so you're always sure of the file type being used:
    Enable Viewing of Filename Extensions for Known File Types
  • Install an antivirus and antimalware product and keep it up-to-date and running.
  • If you're in an organisation, you might want to block the following IPs (quite a long list):

Note that these are IPs the malware communicates with. In most cases they are harmful, but keep in mind that some IPs might be legitimate, as malware authors test for connectivity by connecting to Google, for example. So, if you plan to block on IP, be sure to cross-check on IPVoid or DomainTools.

Stay safe.

2 comments:

  1. 64.4.10.33:123 is owned by Microsoft and handles system clock sync, might want to remove that one :)

    1. Thanks for your comment! I've removed said IP.

      FYI, I didn't check any of the IPs, hence the note at the end ;-)

      Cheers!
