I noticed the following tweet pass by on Twitter:
Just received my 1st-ever digitally signed piece of spam. The ribbon is bound to entice someone 2 click on the email pic.twitter.com/470TpdaPDE— Robert (Роберт) (@RobertIdAu) November 9, 2015
The mail received is as follows:
|Spam but digitally signed|
As Robert correctly notes, since the mail is digitally signed, it may entice people more to open the attachment and get infected. In case you're wondering, the key id of the certificate is as follows:
FE:22:B7:24:E3:4F:27:D9:05:E0:CC:B8:BD:DE:F4:8D:23:FD:2F:D9 (copy of cert on Pastebin)
Issuer: C=IT, O=DigitPA, OU=Ufficio interoperabilita' e cooperazione, CN=DigitPA CA1
|Signature details. S/MIME message format|
Both first and second mail are coming from: 126.96.36.199 - IPvoid - Whois (DomainTools)
|IP location: Singapore (VirusTotal)|
On to the attachment (the .xml file is harmless):
This recalculation of payments for the last month.
I remind you of your debt 3148,48 AUD.
Please pay as soon as possible.
It fetches a file from: 188.8.131.52 - IPvoid - Whois (DomainTools)
|IP location: Korea (VirusTotal)|
The eventual payload may be Andromeda/Gamarue, which will make your machine part of a botnet. Some information on the dropped DLL file (this is all static analysis):
Size: 495630 bytes
Type: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Date: 0x429CE7C3 [Tue May 31 22:40:03 2005 UTC]
EP: 0x1000bddb .text 0/5
CRC: Claimed: 0x0, Actual: 0x83498 [SUSPICIOUS]
Packers: Armadillo v1.xx - v2.xx
|Functions in our DLL file|
You may also find the file on VirusTotal, SHA1 hash: e90b6e45f255350d0fd4cba361a09ad5d8271af1
There's also an analysis available by Reverse.it (Hybrid Analysis) on Windows 7 32bit & Windows 7 64bit. Feel free to perform any additional research on it, let me know if you find something interesting or should you find out exactly which kind of malware this is.
Just as a note, while all that is happening in the background, a decoy PDF file gets opened as well, as to not raise suspicion:
|Decoy PDF document (not malicious)|
- Sender's end: Create an SPF record, as to prevent sender address forgery. More on SPF here.
- Receiver's end: Turn on SPF checking on your mailserver.
- If possible, turn on full support for DMARC. More on DMARC here.
- Check that only your mailserver may access the WAN (or RED) on port 25. Configure this in your firewall.
- Check that you use strong passwords for your Domain Controller server(s).
- Check that antivirus is installed, up-to-date and running on all workstations. (if applicable)
- Don't open attachments from unknown senders - ever.
- Install an antivirus and keep it up-to-date and running. Enable the option to scan Compressed Files.
- Preferably, see that your antivirus has a firewall as well, to prevent unauthorised access.
- Consider disabling Windows Script Host. You can use my tool, Rem-VBSworm with option D for example.
- Alternatively, you can install Analog X's Script Defender, which will block these scripts (JS, VBS, ...) as well.
- Look for suspicious Run keys (find locations here) and delete the associated file(s).
In our case, all files were dropped in the %TEMP% folder. Also, don't forget to look for rundll32.exe processes, as the payload was a DLL file. More information on rundll32 here.
- Run a full scan with your installed antivirus product.
- Run a full scan with another antivirus and/or antimalware product.
- In a company: warn your network administrator immediately!
Now how was that mail sent out? There's no sure way of telling - it's possible the company is compromised (by either malware or an attacker), there's no SPF record, the certificate has been stolen (unlikely but not impossible), .... Most likely, a machine is infected by a spambot.
Note that with PEC (Posta Elettronica Certificata), a user can send a signed message even when the mailserver is not compromised. PEC means the server signs a message to ensure timestamp and sender, not content. More on PEC here (ITA) or here (EN). See also point 2 and 4 in the Prevention tips above.
I've contacted all related parties and hoping I'll get a reply soon, or at the very least they will perform some analysis and cleaning.
Follow the prevention tips above to stay safe. If you're looking for Indicators of Compromise (IOCs), they can be found as usual on AlienVault's OTX.