2014-02-19 - PHISHING EMAIL LINKS ENDING WITH 1.HTML NOW REDIRECTING TO GOON EK

ASSOCIATED FILES:

NOTES:

Earlier this month, various sources reported an Evernote-themed phishing campaign:

These Evernote messages and similar phishing emails contained links to URLs ending with 1.html and redirecting to sites hosting Angler EK.  Today, these links started redirecting to sites hosting Goon EK.  I used the following search on URLquery.net to grab a URL and infect a VM:

I used IE 8, which is vulnerable to the CVE-2013-2551 MSIE exploit sent by the Goon EK.  After the initial infection, my VM made an HTTP request for (what appears to be) Cutwail malware.  The Cutwail-infected VM generated lots of web page click-fraud traffic (port 80) and SMTP activity (port 25).  Let's look at the traffic...


CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK FOR MORE MALWARE


PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT SEEN

File name:  wrapper.jar
File size:  11.5 KB ( 11803 bytes )
MD5 hash:  c015d38f8345398c04aa98f6542d4a1e
Detection ratio:  2 / 50
First submission:  2014-02-19 17:11:32 UTC
VirusTotal link: https://www.virustotal.com/en/file/730859d4653b2297069c940a07bb461f65ecb7a871d01b943292915ca7f48f68/analysis/


MALWARE PAYLOAD

File name:  2014-02-19-deobfuscated-payload-from-nedapardaz.com.exe
File size:  467.0 KB ( 478208 bytes )
MD5 hash:  eac088faff257195e2c2db85ae0fe2c0
Detection ratio:  4 / 49
First submission:  2014-02-19 20:58:24 UTC
VirusTotal link: https://www.virustotal.com/en/file/fd389f561751ffde5adefd0f4badc10f46800854c5121804b31651e68cd132f8/analysis/


FOLLOW-UP MALWARE

File name:  nop.exe
File size:  60.5 KB ( 61952 bytes )
MD5 hash:  23700fd303db55334cce179194b84fed
Detection ratio:  26 / 50 (mostly identified as Cutwail)
First submission:  2014-02-18 07:10:47 UTC
VirusTotal link: https://www.virustotal.com/en/file/2cc002d8811a554b1c39b1a0b9ba1e32d42c53610e77525c035e2fbccebf0bed/analysis/


SNORT EVENTS

SNORT EVENTS FOR THIS INFECTION EK TRAFFIC (FROM SECURITY ONION)


HIGHLIGHTS FROM THE TRAFFIC

One of the links from URLquery.net - newddnail.com/1.html


Redirect - merdekapalace.com/1.txt


Goon EK landing page, which delivered MSIE exploit CVE-2013-2551 - nedapardaz.com/theme/it/browser/_lzf_.php?source_pid=38896815737B1F0316DB020740&swap_src=7D&theme-lid=1


MSIE exploit delivers malware payload--an EXE that's been XOR-ed with the ASCII string m3S4V as it came across the network - nedapardaz.com/2378.mp3
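The payload above reached the victim as a PE file XOR-ed with the repeating 5-byte key m3S4V. The following is an added example (not code from the original write-up) of how an analyst recovers such a payload from the bytes carved out of a pcap: apply the repeating-key XOR, then confirm the result really is a PE by checking the DOS "MZ" signature and the "PE\0\0" signature at the e_lfanew offset. The sample file is constructed inline so the script runs offline; the key is the one named in the write-up, and the file layout (e_lfanew = 0x80) is an assumption for the sample only.

```python
import struct
from typing import Optional

# Repeating XOR key named in the write-up for the nedapardaz.com/2378.mp3 download.
XOR_KEY = b"m3S4V"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample_pe() -> bytes:
    """Constructed stand-in for a PE file (not the real payload):
    a 0x40-byte DOS header pointing e_lfanew at 0x80, a DOS stub, and a
    minimal COFF header with the PE signature."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)  # e_lfanew -> offset 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x40, b"\x00")
    coff = b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18  # machine = i386, rest zeroed
    return bytes(dos_header) + stub + coff


def recover_payload(wire_bytes: bytes, key: bytes = XOR_KEY) -> Optional[bytes]:
    """Decode bytes carved from the HTTP response body and return the PE file,
    or None if the decoded bytes do not validate as a PE (wrong key, wrong carve)."""
    decoded = xor_with_key(wire_bytes, key)
    return decoded if looks_like_pe(decoded) else None


if __name__ == "__main__":
    # Simulate what the sensor saw: the sample PE as it would look on the wire.
    on_the_wire = xor_with_key(build_sample_pe(), XOR_KEY)
    print("on-the-wire bytes start with:", on_the_wire[:8])
    recovered = recover_payload(on_the_wire)
    print("recovered PE:", recovered is not None and recovered[:2] == b"MZ")
```

The PE check matters in practice: a wrong key, or an HTTP body carved with a few leading bytes of chunked-encoding residue, will still "decode" to something, so validating the MZ and PE signatures is what tells you the carve and key are both right before the file goes to a sandbox or VirusTotal.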


Follow-up malware retrieved after the initial infection, mostly identified as a Cutwail variant - www.shivammehta.com/nop.exe


Some of the click-fraud traffic noted after the infection:


Some of the SMTP traffic noted after the infection:
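The post-infection behaviour described above, a workstation suddenly opening SMTP sessions to many different mail servers while also generating high-volume click-fraud HTTP traffic, is one of the easiest Cutwail-style signals to pick up from flow or connection logs even when no payload signature fires. The following is an added example, not part of the original write-up, that counts distinct port-25 destinations per internal source and flags hosts above a threshold. The log format and all addresses are constructed for the example (documentation ranges), and the threshold of 5 distinct SMTP peers is an assumption; a real workstation policy would usually be "zero outbound 25 except to the corporate relay".

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

# Constructed flow-log format: "<date> <time> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


# Constructed sample: 10.0.0.5 plays the infected VM, 10.0.0.7 is a normal host.
SAMPLE_FLOWS = """\
2014-02-19 21:05:01 10.0.0.5:49201 -> 203.0.113.10:80 tcp
2014-02-19 21:05:02 10.0.0.5:49202 -> 203.0.113.11:80 tcp
2014-02-19 21:05:03 10.0.0.5:49203 -> 198.51.100.20:25 tcp
2014-02-19 21:05:03 10.0.0.5:49204 -> 198.51.100.21:25 tcp
2014-02-19 21:05:04 10.0.0.5:49205 -> 198.51.100.22:25 tcp
2014-02-19 21:05:04 10.0.0.5:49206 -> 198.51.100.20:25 tcp
2014-02-19 21:05:05 10.0.0.5:49207 -> 198.51.100.23:25 tcp
2014-02-19 21:05:05 10.0.0.5:49208 -> 198.51.100.24:25 tcp
2014-02-19 21:05:06 10.0.0.5:49209 -> 198.51.100.25:25 tcp
2014-02-19 21:05:06 10.0.0.5:49210 -> 198.51.100.26:25 tcp
2014-02-19 21:05:10 10.0.0.7:50001 -> 203.0.113.10:80 tcp
2014-02-19 21:05:11 10.0.0.7:50002 -> 198.51.100.5:25 tcp
"""


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse flow lines; silently skip lines that do not match the format."""
    flows = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(Flow(m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"]))
    return flows


def distinct_destinations(flows: Iterable[Flow], dport: int) -> Dict[str, int]:
    """Per source host, the number of distinct destination IPs on the given port."""
    peers = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == dport:
            peers[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in peers.items()}


def flag_smtp_fanout(flows: Iterable[Flow], threshold: int = 5) -> Dict[str, int]:
    """Hosts talking to at least `threshold` distinct SMTP servers; spambot indicator."""
    return {src: n for src, n in distinct_destinations(flows, 25).items() if n >= threshold}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS.splitlines())
    print("distinct SMTP peers per host:", distinct_destinations(flows, 25))
    print("distinct HTTP peers per host:", distinct_destinations(flows, 80))
    print("flagged:", flag_smtp_fanout(flows))
```

Counting distinct peers rather than raw connection count is deliberate: a legitimate mail client retries the same relay many times, while a spambot fans out to the MX of every recipient domain on its list, which is exactly the pattern that stands out in port-25 flow data.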


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.