
Email:

Fake Docusign email claims an accounting invoice has been completed and you need to review and sign it.

Link points to malicious .doc download. Doc file downloads more malware with password and bank stealing capability.

Uses a look-alike DocuSign domain, docus.com, in the email headers. These emails are NOT coming from DocuSign.


Subject: Completed [domain] - Accounting Invoice 344387 Document Ready for Signature

Your document has been completed
REVIEW DOCUMENT
[email address]

All parties have completed [E][domain] - Accounting Invoice 503420 Document Ready for Signature.

Please review and sign your [E][domain] Accounting Invoice 503420 via DocuSign by clicking on the "Review Document" button above.  Signing will not be complete until you have reviewed the agreement and confirmed your signature.  Please make sure to fill out the TaxID if you are requesting for credit terms.  Please let us know if you have any questions.  Thank you.

Powered by
DocuSign

Do Not Share This Email
This email contains a secure link to DocuSign. Please do not share this email, link, or access code with others.

About DocuSign
Sign documents electronically in just minutes. It's safe, secure, and legally binding. Whether you're in an office, at home, on-the-go -- or even across the globe -- DocuSign provides a professional trusted solution for Digital Transaction Management™.

Questions about the Document?
If you need to modify the document or have questions about the details in the document, please reach out to the sender by emailing them directly or replying to this email

Picture of fake Docusign email with malware links.


Header Examples:

Uses docus.com in the From header, the Envelope-From header and the HELO connection string. This may be a case of look-alike domain squatting rather than spoofing. The domain was updated on 30-jan-2017.

Received: from docus.com (rrcs-24-199-153-226.midsouth.biz.rr.com)
X-Envelope-From: dse@docus.com
X-Apparent-Source-IP: 24.199.153.226
From: "Kevin Daniels via DocuSign" <dse@docus.com>
X-Mailer: iPhone Mail (13E238)
Subject: Completed [domain] - Accounting Invoice 503420 Document Ready for Signature

Received: from docus.com (50-245-217-172-static.hfc.comcastbusiness.net)
X-Envelope-From: dse@docus.com
X-Apparent-Source-IP: 50.245.217.172
Reply-To: "Kevin Collins via DocuSign" <dse@docus.com>
From: "Josh Ford via DocuSign" <dse@docus.com>
X-Mailer: iPhone Mail (11D169)
Subject: Completed [domain] - Accounting Invoice 347382 Document Ready for Signature

Received: from docus.com (static-108-46-198-12.nycmny.fios.verizon.net)
X-Envelope-From: dse@docus.com
X-Apparent-Source-IP: 108.46.198.12
Reply-To: "Ryan Wallace via DocuSign" <dse@docus.com>
From: "Nicholas Daniels via DocuSign" <dse@docus.com>
X-Mailer: iPhone Mail (9B176)
Subject: Completed [domain] - Accounting Invoice 345112 Document Ready for Signature
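A small triage check for the header pattern described above, written as an added example (not from the original post): when the display name claims "via DocuSign", compare the From, Envelope-From and HELO domains against a list of legitimate DocuSign domains, and flag a Reply-To whose name does not match the From name. LEGIT_DOMAINS is an assumption for illustration, and the benign sample is constructed.

```python
from email.utils import parseaddr

LEGIT_DOMAINS = {"docusign.com", "docusign.net"}   # assumption: real DocuSign sending domains

def parse_headers(block: str) -> dict:
    """Parse a pasted 'Name: value' header block into a dict keyed by lower-cased name."""
    hdrs = {}
    for line in block.strip().splitlines():
        name, _, value = line.strip().partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return hdrs

def _domain(addr_header: str) -> str:
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()

def suspicious(hdrs: dict) -> list:
    """Findings for mail whose display name claims DocuSign; empty list = nothing off."""
    display = parseaddr(hdrs.get("from", ""))[0]
    if "docusign" not in display.lower():
        return []                                   # not branded as DocuSign; out of scope
    received = hdrs.get("received", "")
    helo = received.split()[1].lower() if received.startswith("from ") else ""
    checks = {"From": _domain(hdrs.get("from", "")),
              "Envelope-From": _domain(hdrs.get("x-envelope-from", "")),
              "HELO": helo}
    findings = [f"{label} domain {dom} is not a DocuSign domain"
                for label, dom in checks.items() if dom and dom not in LEGIT_DOMAINS]
    reply_display = parseaddr(hdrs.get("reply-to", ""))[0]
    if reply_display and reply_display != display:
        findings.append(f"Reply-To name '{reply_display}' differs from From name '{display}'")
    return findings

# Abridged from the page's second header block, and a constructed benign sample.
PHISH = """Received: from docus.com (50-245-217-172-static.hfc.comcastbusiness.net)
X-Envelope-From: dse@docus.com
Reply-To: "Kevin Collins via DocuSign" <dse@docus.com>
From: "Josh Ford via DocuSign" <dse@docus.com>
Subject: Completed [domain] - Accounting Invoice 347382 Document Ready for Signature"""
BENIGN = """Received: from docusign.net (constructed.example.invalid)
X-Envelope-From: dse@docusign.net
From: "Jane Doe via DocuSign" <dse@docusign.net>
Subject: Constructed benign sample"""

if __name__ == "__main__":
    for name, block in (("phish", PHISH), ("benign", BENIGN)):
        print(name, suspicious(parse_headers(block)))
```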

Malware

Link to download malicious MS Office .doc file

Links point to a file.php?document= path on a rotating set of domains; the document parameter is the recipient's email address, base64-encoded with padding.

The .doc I received (SHA256):

fff786ec23e6385e1d4f06dcf6859cc2ce0a32cee46d8f2a0c8fd780b3ecf89a

The document loaded Hancitor malware into memory as svchost.exe. The Hancitor process reported to:

http://foarlyrow.com/ls5/forum.php
http://athinropro.ru/ls5/forum.php
http://forthatenron.ru/ls5/forum.php

Hancitor received a response back to download additional payloads from :

http://www.mindsonvacation.com/libs/1
http://www.meiguofeibo.com/wp-content/uploads/1
http://decorastudio.com/Blog/wp-content/uploads/2015/1
http://salteraero.com/wp-content/themes/twentyseventeen/inc/1
http://andrewjordanpmp.com/blog/wp-content/themes/twentysixteen/1
http://ok-toys.ru/wp-content/themes/sketch/1

This turned out to be a Pony password-stealer .dll file (SHA256):

437351c9ae0a326ed5f5690e99afc6b723c8387f1ed87c39ebcce85f9103c03a

And :

http://www.mindsonvacation.com/libs/2
http://www.meiguofeibo.com/wp-content/uploads/2
http://decorastudio.com/Blog/wp-content/uploads/2015/2
http://salteraero.com/wp-content/themes/twentyseventeen/inc/2
http://andrewjordanpmp.com/blog/wp-content/themes/twentysixteen/2
http://ok-toys.ru/wp-content/themes/sketch/2

This turned out to be a Pony-like info-stealing malware called Evilpony (SHA256):

5bcd2d8ed243d6a452d336c05581291bc63ee489795e8853b9b90b5f35c207d8

And :

http://www.mindsonvacation.com/libs/a1
http://www.meiguofeibo.com/wp-content/uploads/a1
http://decorastudio.com/Blog/wp-content/uploads/2015/a1
http://salteraero.com/wp-content/themes/twentyseventeen/inc/a1
http://andrewjordanpmp.com/blog/wp-content/themes/twentysixteen/a1
http://ok-toys.ru/wp-content/themes/sketch/a1

This turned out to be Zloader, which can likely be used to load anything but is generally attributed to banking fraud (SHA256):

9f346deed73194928feda785dca92add4ff4dd19fbc1352cebaa6766e0f69a38

The files served at the download URLs are LZNT1-compressed and XOR-encrypted. The first 8 bytes of each file are the XOR key.
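A decoder for that payload wrapping, as an added example for analysts (not code from the original post or from the malware). It strips the 8-byte key, XORs the body with it, then LZNT1-decompresses the result; the post does not say how the key is applied, so the cyclic repetition over the body and the XOR-before-decompress order are assumptions, and the sample blob is constructed.

```python
import struct

def _decompress_chunk(chunk: bytes) -> bytearray:
    """One LZNT1 chunk: flag byte then 8 tokens (bit set = 2-byte copy, clear = literal)."""
    out = bytearray()
    while chunk:
        flags, chunk = chunk[0], chunk[1:]
        for bit in range(8):
            if not chunk:
                break
            if not (flags >> bit) & 1:             # literal byte
                out.append(chunk[0])
                chunk = chunk[1:]
                continue
            token, chunk = struct.unpack_from("<H", chunk)[0], chunk[2:]
            # Offset field widens and length field narrows as chunk output grows.
            pos, length_mask, offset_shift = len(out) - 1, 0xFFF, 12
            while pos >= 0x10:
                pos, length_mask, offset_shift = pos >> 1, length_mask >> 1, offset_shift - 1
            length = (token & length_mask) + 3
            offset = (token >> offset_shift) + 1
            for _ in range(length):                # byte-wise copy handles overlap
                out.append(out[-offset])
    return out

def lznt1_decompress(buf: bytes) -> bytes:
    """Chunk header: low 12 bits = data size - 1, bit 15 = compressed, 0 = end."""
    out, off = bytearray(), 0
    while off + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, off)[0]
        off += 2
        if header == 0:
            break
        size = (header & 0xFFF) + 1
        chunk, off = buf[off:off + size], off + size
        out += _decompress_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)

def decode_payload(blob: bytes) -> bytes:
    """First 8 bytes are the XOR key (per the post); assumed to repeat over the body."""
    key, body = blob[:8], blob[8:]
    return lznt1_decompress(bytes(b ^ key[i % 8] for i, b in enumerate(body)))

# Constructed sample: one chunk with "HELLO WORLD " as literals plus a copy token,
# wrapped with a constructed 8-byte XOR key as the post describes.
_COMPRESSED = b"\x0f\xb0\x00HELLO WO\x10RLD \x0e\xb0"
_KEY = b"\x01\x02\x03\x04\x05\x06\x07\x08"
SAMPLE_DOWNLOAD = _KEY + bytes(b ^ _KEY[i % 8] for i, b in enumerate(_COMPRESSED))
```

On a real download, check that `decode_payload` yields an `MZ` header; if it does not, the key handling differs from the assumption above.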

The Pony .dll file reported to:

http://foarlyrow.com/mlu/forum.php
http://athinropro.ru/mlu/forum.php
http://forthatenron.ru/mlu/forum.php

The Evilpony malware reported to:

http://foarlyrow.com/d1/about.php
http://athinropro.ru/d1/about.php
http://forthatenron.ru/d1/about.php

Zloader reported to:

http://mafeforthen.com/bdk/gate.php
http://hargotsinlitt.com/bdk/gate.php

After contacting these Zloader C2 sites, the bot was handed more C2 sites (a further set of /bdk/gate.php hosts plus a Tor .onion address).


Files :

techhelplist[.]com/down/articles/2017/hancitor-2017-05-15-files.7z
