Tuesday, September 3, 2013

PayPal spam leads to malware cocktail



Interesting spammail in one of the traps today, something wrong with your variables, malware authors? :-)

Subject: With your balance was filmed - 300 $ -Resolution of case #PP-025-851-848-207













Content of email:
ID

Transaction: {figure } {SYMBOL }

With your balance was filmed : - 500 $

                                                           -20 $

                                                           -49 $
---------------------------------------------------------------------

Balance is:                                      625 $

For more information, please see page View all history

Sincerely,

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click the Help link in the upper right corner of any page PayPal.

Copyright © 1999-2013 PayPal. All rights reserved.

PPID PP {DIGIT }


From:  service@int.paypal.com
Source IP: 96.10.192.31 - IPvoid Result
Botnet: Cutwail spambot

Malicious URL (active):
hXXp://dailyreport.cffy88.com/project/index.htm 


WhoIs information:
Domain Name ..................... cffy88.com
Sponsoring Registrar ............ HICHINA ZHICHENG TECHNOLOGY LTD.
Name Server ..................... dns29.hichina.com && dns30.hichina.com
Registrant ID ................... hc590857663-cn
Registrant Name ................. vinson luk
Registrant Organization ......... shenzhenshi caifufengyun keji youxian gongsi
Registrant Address .............. Rm.3-33C Dijingfeng Maoyecheng Dafen Buji, Longgang District
Registrant City ................. shenzhen
Registrant Province/State ....... guangdong
Registrant Postal Code .......... 518000
Registrant Country Code ......... CN
Registrant Phone Number ......... +86.075533572855 
Registrant Fax .................. +86.075584153080 
Registrant Email ................ vinsonluk@hotmail.com

More malware is hosted on cfyy88.com as well, including a ZIPfile which is currently empty. (Error from the malware authors? Uploaded too soon, dropper just not included yet?)

Related websites:
hXXp://erpii.cn/
hXXp://jiami99.com/
hXXp://verp.cc/
hXXp://greatempire.cn/

Hosted on: 211.154.134.171 - IPvoid Result 


Interesting login page











Other screenshots:

















The link from the spammail loads malicious JAR file:
MD5: 6b872d170e878ab3749d717cbba5d0e3
VirusTotal Result
Exploit-Analysis Result

Exploit-Analysis is a new service and looks very promising, besides doing the basic stuff (meta-data dump, strings, tcpdump, ...) you can also view the entropy of the malware, as well as choosing browsertype and Java/Flash/Adobe version. In particular for JAR files, it can also display the classes included and thus can be used to analyze a malicious Jar file online (you can do this offline with JD-GUI for example).

From their website:
Sandy developed under Indian Honeynet and is capable of doing both static and dynamic analysis of Malicious Office, Jar,HTML files at the moment.


Continuing with our findings, the following files were downloaded & dropped to the system:
about.exe    098e44145840862b9488be395c860110   
index.html   325a20d15d66e5a78878da2ff579a715   
readme.exe  523a813fa43744673bdb537d778d0e3f   
w8BDM.exe   5c840a17dcee119cf40a3636971de65c   
able_disturb_planning.jar   6b872d170e878ab3749d717cbba5d0e3   
tixy.exe      82f1d0ed26012f0883cb6017aa8fb671   
able_disturb_planning.php  be3db7ef10eca3a21878cbad80eb5f2d   
pythias.js   d60b2df2b5c6c1ef083766cba29b60d2   
JpVsf.exe   f804ad6fe5b2a0ae3078703fdc112e29   


Besides the usual infostealers (Zbot, Fareit, etc.), Medfos is saying "hello" as well:
Win32/Medfos is a family of trojans that install malicious extensions for Internet browsers and redirect search engine results. It also allows for click-fraud, generating profit for a website through unethical means.
Source: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Medfos



Conclusion


  • Don't click on links from unknown senders.
  • Don't open any attachment(s) of unknown senders. 
  • In fact, don't even open mail from unknown senders.
  • Don't be fooled by mail spoofing, you can view the real source by right-clicking your mail and choosing "View Source". (This depends on your mailclient though.)
  • Install an antivirus and antimalware product and keep it up-to-date & running.
  • When in doubt, visit the website of §vendor or §product or §service directly.
  • Block the IPs mentioned above in your firewall or hostfile or §solution.
  • I almost forgot: uninstall Java.



1 comment: