
Email:

Generic virus spam email claiming that your support department was rude to the sender regarding their support ticket.

Attached .doc contains malware.


Subject: Re: [recipient domain name] sucks

Subject: Re: example.com sucks

 The language of your support department is unacceptable.
Please check the reply I received to my support ticket.

support_ticket.doc (354)

  It's funny because it is true.



Header Examples:

7 December 2015 

Spoofs harrisrestaurant.com in From headers, Envelope From headers (MAIL FROM connection string), and HELO connection string. I only have one of these so far, so the spoofing plan may be different.

Received: from harrisrestaurant.com [50.201.94.214]
X-Envelope-From: emitchell @harrisrestaurant.com
From: "emitchell@harrisrestaurant.com" <emitchell@harrisrestaurant.com>
Subject: Re: [recipient domain] sucks


Malware

7 December 2015

Attachment : malicious .doc with macro : support_ticket.doc

VirusTotal report | malwr.com report | hybrid-analysis.com report 

This .doc doesn't DOWNLOAD malware; it already contains it in an OLE object called :

_

Extracted executable : _ ( Pony password stealing data-thief malware )

Yes, the executable was named _ as in underscore.

VirusTotal report | malwr.com report | hybrid-analysis.com report

Also :

Sends stolen data to :

hagurowrob.ru/gate.php
betrewhattit.ru/gate.php
botepetan.ru/gate.php

Downloads more malware from :

www.raveshia.com/wp-content/plugins/cached_data/print.exe
elfielatorestaurante.com/wp-content/plugins/cached_data/print.exe
spiceone-food.com/wp-content/plugins/feedweb_data/print.exe


Downloaded executable : palnt.exe ( Nymaim general-purpose botnet malware )

The Nymaim name was previously associated with ransomware, but so far the recent series seems to use it only as a persistence mechanism, making it more of a general-purpose botnet. Subsequent payloads may be sent.

VirusTotal report | malwr.com report | hybrid-analysis.com report

Also :

The icon looks like an OpenOffice document, and the executable has some junk resources.

Picture of icon and resources of the nymaim malware.

A series of HTTP POSTs with large responses to URLs like :

oxrdmfdis.in/deip7/index.php
oxrdmfdis.in/RmwfTvBef?6hhB9r=cD2iPA29p
oxrdmfdis.in/y1rgEglO2aHgmj?hxul2tLZstU8O0=v2O91sc8x7V16&OKTG4wHr8H
oxrdmfdis.in/deip7/index.php
oxrdmfdis.in/x51Gj6OdEw?iMxyqWc=00phQbrjoaR1hiE&5vJpdEqg4g6nA
oxrdmfdis.in/FYajkiOR?Ne0fdtkCx5kQVa4=bRdm23H&fVH71yG8g5i9t7=4b1zJ6shrob

oxrdmfdis.in resolved to :

140.116.161.33
115.173.208.133
118.102.239.53

Later on in the same day, the domain resolved to :

89.163.249.75
140.116.161.33
118.102.239.53
115.173.208.133

This http traffic triggered :

ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)

... which tells me that no good Nymaim signatures exist yet for this malware.

No startup entries are created until at least the first POST succeeds and receives a payload back. Then more and more payloads are downloaded and given startup entries, one at a time.

Picture of Nymaim malware startups.


Dropped executable : strain-7.exe

Autorun key called strain-1 in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pointing to c:\programdata\strain-53\strain-7.exe

VirusTotal report | malwr.com report | hybrid-analysis.com report 

Picture of strain-7 malware drop.

Some DGA action :

yzjsjruxtc.pw
ybbem.net
rjpmut.pw
mujsavncvuzv.in
fhvyrj.net
wnjqgytodlsb.net
sklrknrwiype.in
efigbuduxd.pw
qgrcezozhqgu.net
...etc


Dropped executable : vctxo-32.exe

Autorun via the HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell value pointing to c:\programdata\vctxo-1\vctxo-32.exe

VirusTotal report | malwr.com report | hybrid-analysis.com report 

Picture of vctxo malware drop.

Same DGA action as for strain-7 above (same domains).



Dropped executable : serdes-49.exe

Autorun key called serdes-5 in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pointing to c:\users\user\appdata\roaming\serdes-0\serdes-49.exe

VirusTotal report | malwr.com report | hybrid-analysis.com report 

Picture of serdes49 malware drop.

Same DGA action as for strain-7 above (same domains).



Dropped executable : gigabit-94.exe

Autorun shortcut called gigabit-08.lnk in the user's Startup folder pointing to c:\users\user\appdata\roaming\gigabit-6\gigabit-94.exe

VirusTotal report | malwr.com report | hybrid-analysis.com report 

Picture of gigabit-94 malware drop.

Same DGA action as for strain-7 above (same domains).

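The four per-user autorun locations used by the drops above (Run, RunOnce, Winlogon\Shell and a Startup-folder .lnk) can be checked on an endpoint with the following PowerShell, an added example that is not part of the original post. It flags entries whose target lives under ProgramData or Roaming AppData, as every drop above did; the $suspectRoots list and the Test-SuspectPath helper are my own assumptions, not anything observed in the sample.

```powershell
# Added example, not from the original post: enumerate the four per-user autorun
# locations used by the drops above and flag targets under ProgramData or Roaming
# AppData (c:\programdata\strain-53\strain-7.exe, c:\users\user\appdata\roaming\...).
$suspectRoots = @($env:ProgramData, $env:APPDATA)   # assumed set of suspicious parents
$findings = @()

function Test-SuspectPath {
    param([string]$Target)
    if ([string]::IsNullOrWhiteSpace($Target)) { return $false }
    # Strip surrounding quotes and any arguments to isolate the executable path
    $exe = ($Target -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    foreach ($root in $suspectRoots) {
        if ($exe -like "$root\*") { return $true }
    }
    return $false
}

# 1. Run / RunOnce values (strain-7.exe and serdes-49.exe style)
foreach ($key in 'Run', 'RunOnce') {
    $path = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\$key"
    if (-not (Test-Path $path)) { continue }
    foreach ($p in (Get-ItemProperty -Path $path).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, etc.
        if (Test-SuspectPath $p.Value) {
            $findings += [pscustomobject]@{ Location = "$path\$($p.Name)"; Target = $p.Value }
        }
    }
}

# 2. Winlogon\Shell under HKCU (vctxo-32.exe style): normally absent, and anything
#    other than explorer.exe is worth a look
$wl = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $findings += [pscustomobject]@{ Location = "$wl\Shell"; Target = $shell }
}

# 3. Startup folder shortcuts (gigabit-08.lnk style): resolve each .lnk target
$startup = [Environment]::GetFolderPath('Startup')
$wsh = New-Object -ComObject WScript.Shell
foreach ($lnk in Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue) {
    $target = $wsh.CreateShortcut($lnk.FullName).TargetPath
    if (Test-SuspectPath $target) {
        $findings += [pscustomobject]@{ Location = $lnk.FullName; Target = $target }
    }
}

$findings | Format-Table -AutoSize
```

Run it in the context of the user whose profile is being examined, since all four locations are HKCU or per-user; an empty table means none of these particular locations point into the two assumed directories.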