2014-09-03 - PHISHING CAMPAIGN - SUBJECT: NDR BILL

ASSOCIATED FILES:

 

NOTES:

 

 

EXAMPLE OF THE EMAILS

SCREENSHOT:

 

MESSAGE TEXT:

From: Ebilling <Ebilling@westlothian.gov.uk>
Date: Wednesday, September 3, 2014 at 9:25 UTC
To: [redacted]
Subject: NDR Bill

Please find attached your Non Domestic Rates bill.

If your account is in credit you are due a refund unless you have any other debt due to the Council.

To allow your credit to be processed please confirm:

- If you want the credit transferred to another account you have with us. Please confirm the account details.
- If you want the credit refunded by cheque, please confirm who it should be sent to and the address.

Links to Non Domestic Rates information are detailed below.

Important Note:
If you access these links using a mobile phone the network provider may charge for this service.

Yours sincerely
Scott Reid
Revenues Manager

http://www.westlothian.gov.uk/media/downloaddoc/1799465/1851216/2395547

* PDF Viewer required.

This message, together with any attachments, is sent subject to the following statements:

1.   It is sent in confidence for the addressee only.  It may contain legally privileged information.  The contents are not to be disclosed to anyone other than the addressee.  Unauthorised recipients are requested to preserve this confidentiality and to advise the sender immediately.
2.   It does not constitute a representation which is legally binding on the Council or which is capable of constituting a contract and may not be founded upon in any proceedings following hereon unless specifically indicated otherwise.

http://www.westlothian.gov.uk

Attachment: 00056468.pdf.zip (136 KB)

 

EMAIL HEADERS:

 

PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  00056468.pdf.zip
File size:  100.6 KB ( 103038 bytes )
MD5 hash:  c5afaf444f1a60f34846227e2a82abf0
Detection ratio:  25 / 54
First submission:  2014-09-03 10:10:03 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7804327239ae9b9216619239f9b5324eabc96530d326b55e47c82080de0f5b44/analysis/

 

EXTRACTED MALWARE:

File name:  D0110109.PDF.exe
File size:  178.2 KB ( 182455 bytes )
MD5 hash:  b467d9308c75e9b8bf23b95e372f39d1
Detection ratio:  19 / 54
First submission:  2014-09-03 10:08:32 UTC
VirusTotal link:  https://www.virustotal.com/en/file/004b544d373beb342cdbf071c0a8e566ed4d529b48641c6ac7b6ecc3490d3800/analysis/

 

FOLLOW-UP MALWARE:

File name:  D0110109.PDF.exe-follow-up-malware.exe
File size:  76.0 KB ( 77824 bytes )
MD5 hash:  532e7924f759aab014dedca651398ce6
Detection ratio:  14 / 54
First submission:  2014-09-03 06:40:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/960ed795dca89e50745251adf6712719a1af1aa5fd1a66c9424c777574180548/analysis/

 

INFECTION TRAFFIC

RUNNING THE MALWARE ON A VM:


The OneLouder downloader generated an HTTP GET request; the return traffic is decrypted and saved as a hidden TMP file
in the user's AppData\Local\Temp directory [see below].
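The two artifacts that make this campaign easy to spot on the mail gateway and on the host are the double-extension lure inside the ZIP (a .PDF.exe posing as a document) and the hidden .tmp file in AppData\Local\Temp that is really a PE. The following is an added example, not code from the original blog entry or from any tool it mentions: it inspects a ZIP attachment in memory for double extensions and PE magic, and scans a directory for hidden .tmp files that start with a PE header. All sample data (the in-memory ZIP and the temp directory contents) is constructed here; the hashes it computes are of that constructed data, not the hashes listed in the post.

```python
"""Triage helpers for a double-extension ZIP lure and a dropped hidden PE .tmp file.

Added example (not from the original blog entry). Sample inputs are constructed.
"""
import hashlib
import io
import os
import stat
import tempfile
import zipfile

# Extensions a mail gateway would normally block outright.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure borrows to look like a document.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def looks_like_pe(data: bytes) -> bool:
    """A Windows PE file starts with the 'MZ' DOS header magic."""
    return data[:2] == b"MZ"


def has_double_extension(name: str) -> bool:
    """True for names such as 'D0110109.PDF.exe' (document ext followed by executable ext)."""
    parts = os.path.basename(name).lower().split(".")
    if len(parts) < 3:
        return False
    return f".{parts[-1]}" in EXECUTABLE_EXTS and f".{parts[-2]}" in DOCUMENT_EXTS


def inspect_zip_attachment(zip_bytes: bytes) -> list[dict]:
    """Return one finding per ZIP member with its hashes and risk flags."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            findings.append({
                "name": info.filename,
                "size": len(data),
                "md5": hashlib.md5(data).hexdigest(),
                "sha256": hashlib.sha256(data).hexdigest(),
                "double_extension": has_double_extension(info.filename),
                "pe_magic": looks_like_pe(data),
            })
    return findings


def is_hidden(path: str) -> bool:
    """Hidden attribute on Windows; dot-prefix elsewhere so the scan also runs on Linux/macOS."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)  # only present on Windows
    win_hidden = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))
    return win_hidden or os.path.basename(path).startswith(".")


def find_dropped_pe_tmp(directory: str) -> list[str]:
    """Hidden *.tmp files whose first bytes are a PE header: the drop pattern seen in the post."""
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file() or not entry.name.lower().endswith(".tmp"):
            continue
        if not is_hidden(entry.path):
            continue
        with open(entry.path, "rb") as fh:
            if looks_like_pe(fh.read(2)):
                hits.append(entry.path)
    return sorted(hits)


def build_sample_zip() -> bytes:
    """Constructed lure: a ZIP holding a fake 'PDF' that is really a PE stub (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("D0110109.PDF.exe", b"MZ" + b"\x00" * 62 + b"constructed-stub")
        zf.writestr("README.txt", b"harmless text member")
    return buf.getvalue()


def demo_temp_scan() -> list[str]:
    """Constructed AppData\\Local\\Temp lookalike with one hidden PE .tmp and one plain .tmp."""
    tmpdir = tempfile.mkdtemp(prefix="triage_")
    with open(os.path.join(tmpdir, ".tmp1234.tmp"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 30)          # hidden (dot-prefixed) and PE magic -> hit
    with open(os.path.join(tmpdir, "log.tmp"), "wb") as fh:
        fh.write(b"plain text, not a PE")      # visible, no PE magic -> ignored
    return [os.path.basename(p) for p in find_dropped_pe_tmp(tmpdir)]


if __name__ == "__main__":
    for finding in inspect_zip_attachment(build_sample_zip()):
        print(finding)
    print(demo_temp_scan())
```

Note that the outer attachment name, 00056468.pdf.zip, is not flagged by has_double_extension on purpose: .zip is a container, not an executable, so the check is applied to the members after extraction, where D0110109.PDF.exe is caught on both the name and the MZ header.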

 


This follow-up malware is saved as D0110109.PDF.exe-follow-up-malware.exe in this blog entry's ZIP archive.

 

SNORT EVENTS FROM SANDBOX ANALYSIS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

[**] [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
2014-09-03 20:51:36 UTC - 198.27.68.96:80 - 172.16.165.133:49158
TCP TTL:128 TOS:0x0 ID:127 IpLen:20 DgmLen:16300 DF
***A**** Seq: 0x497BAF82 Ack: 0x47276E51 Win: 0xFAF0 TcpLen: 20
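Turning an alert record like the one above into structured fields is the first step in correlating it with the sandbox's other evidence (which host fetched the binary, from where, and when). The following is an added example, not code from the blog entry or from Snort: it parses alert records in the layout quoted above (rule header, classification line, timestamp/flow line, IP line, TCP line) and then flags the case of interest here, a PE-magic alert whose source is a public address and whose destination is a private lab host. SAMPLE_ALERT is the VRT alert as quoted in the post; the regular expressions are written for that quoted layout.

```python
"""Parse a Snort alert record in the layout quoted in the post and classify the flow.

Added example (not from the original blog entry or from Snort).
"""
import ipaddress
import re
from datetime import datetime, timezone

# The VRT alert exactly as quoted in the post.
SAMPLE_ALERT = """\
[**] [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
2014-09-03 20:51:36 UTC - 198.27.68.96:80 - 172.16.165.133:49158
TCP TTL:128 TOS:0x0 ID:127 IpLen:20 DgmLen:16300 DF
***A**** Seq: 0x497BAF82 Ack: 0x47276E51 Win: 0xFAF0 TcpLen: 20
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
FLOW_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - ([\d.]+):(\d+) - ([\d.]+):(\d+)$"
)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+) .*?DgmLen:(\d+)")


def parse_alert(block: str) -> dict:
    """Return the rule id, message, classification, timestamp and 5-tuple of one alert."""
    lines = [ln.strip() for ln in block.strip().splitlines()]
    if len(lines) < 4:
        raise ValueError("alert record too short")
    m_hdr = HEADER_RE.match(lines[0])
    m_cls = CLASS_RE.search(lines[1])
    m_flow = FLOW_RE.match(lines[2])
    m_proto = PROTO_RE.match(lines[3])
    if not (m_hdr and m_cls and m_flow and m_proto):
        raise ValueError("unrecognised alert record")
    gid, sid, rev, msg = m_hdr.groups()
    ts = datetime.strptime(m_flow.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
        "classification": m_cls.group(1), "priority": int(m_cls.group(2)),
        "timestamp": ts,
        "src_ip": m_flow.group(2), "src_port": int(m_flow.group(3)),
        "dst_ip": m_flow.group(4), "dst_port": int(m_flow.group(5)),
        "proto": m_proto.group(1), "ttl": int(m_proto.group(2)),
        "dgm_len": int(m_proto.group(3)),
    }


def is_external_pe_delivery(alert: dict) -> bool:
    """True when a PE-magic alert shows a public server sending to a private (lab/corporate) host.

    That direction is what an HTTP download of an executable looks like on the wire;
    the reverse (internal to external) would be an upload and is a different question.
    """
    src = ipaddress.ip_address(alert["src_ip"])
    dst = ipaddress.ip_address(alert["dst_ip"])
    return ("Portable Executable" in alert["msg"]
            and not src.is_private and dst.is_private)


if __name__ == "__main__":
    parsed = parse_alert(SAMPLE_ALERT)
    for key, value in parsed.items():
        print(f"{key:>15}: {value}")
    print("external PE delivery:", is_external_pe_delivery(parsed))
```

The parser refuses records it does not fully recognise rather than returning partial fields, so a layout change in the alert source shows up as an error instead of silently producing empty IPs in a correlation pipeline.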

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
