2014-09-16 - PHISHING CAMPAIGN - EMAILS LINK TO ANGLER EK - SUBJECT: [IMPORTANT] INVOICE OVERDUE

ASSOCIATED FILES:

 

NOTES:

 

 

EXAMPLE OF THE EMAILS

SCREENSHOT:

 

MESSAGE TEXT:

From: Lidia Beasley <lidia.beasley@706-PC.kornet>
Sent: 16 September 2014 12:08 UTC
To: Kevin Wright
Subject: [IMPORTANT] Regarding payment overdue

We are writing to you about fact, despite previous reminders, there remains an outstanding amount of GBP 260.43 in respect of the invoice(s) contained in this letter . This was due for payment on 22 August, 2014.
Our credit terms stipulate full payment within 3 days and this amount is now more than 14 days overdue.The total amount due from you is therefore GBP 327.60

If the full amount of the sum outstanding, as set above, is not paid within 7 days of the date of this email, we will have to begin legal action, without warning, for a court order requiring payment. We may also commence insolvency proceedings. Legal proceedings can take effect on any credit rating. The costs of legal proceedings and any other amounts which the court orders must also be paid in addition to the debt.

This email is being sent to you according to the Practice Direction on Pre-Action Conduct (the PDPAC) contained in the Civil Procedure Rules, The court has the power to sanction your continuing failure to respond.

To view the the original invoice please click on link

We immediate answer to this email.

Yours faithfully, Lidia Beasley.

The security and confidentiality of your personal information is important for us. If you have any questions, please either call the toll-free customer service phone number.
© 2014, All rights reserved

 

INFECTION TRAFFIC FROM THE EMAIL LINK

LINK FROM THE EMAIL:

 

ANGLER EK:

 

POST-INFECTION TRAFFIC:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-16-Angler-EK-flash-exploit.swf
File size:  65.9 KB ( 67478 bytes )
MD5 hash:  dbb3f5e90c05602d92e5d6e12f8c1421
Detection ratio:  1 / 55
First submission:  2014-09-12 09:31:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6a60d61a771dc4b719fe2887be2f14b0ff59c4212cce0ee0f8697ba9c1aa0d95/analysis/

 

JAVA EXPLOIT:

File name:  2014-09-16-Angler-EK-java-exploit.jar
File size:  29.0 KB ( 29674 bytes )
MD5 hash:  87df3042dbff5dc8f664fccfea10b737
Detection ratio:  16 / 55
First submission:  2014-09-08 15:08:39 UTC
VirusTotal link:  https://www.virustotal.com/en/file/352b380a4fc63874212067dc26876415b5279b9eb6a3d6c64987346d124eb719/analysis/

 

MALWARE PAYLOAD:

File name:  2014-09-16-Angler-EK-malware-payload.exe
File size:  102.0 KB ( 104448 bytes )
MD5 hash:  0c466ff4d3d78c1f5eb7532573ba8c34
Detection ratio:  7 / 55
First submission:  2014-09-16 15:46:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ecb03f1bb1654c89ea93102b6a74ed5b415e4fef0b1a4401acd20224f3d79320/analysis/

 

FOLLOW-UP MALWARE (FOUND IN THE USER'S APPDATA\LOCAL\TEMP DIRECTORY):

File name:  2014-09-16-Angler-EK-follow-up-malware.exe (a DLL despite the .exe extension; the PE header carries the DLL flag)
File size:  230.0 KB ( 235520 bytes )
MD5 hash:  69b8db13a04b19905bc541c921ff582e
Detection ratio:  2 / 55
First submission:  2014-09-16 15:46:47 UTC
VirusTotal link:  https://www.virustotal.com/en/file/410bbf7bce929e0c7295b8ed0c98d54339981bf4149306aa8b434f04e8a81718/analysis/
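When the ZIP from the associated files is unpacked, the first checks worth automating are the ones the listing above implies: confirm the MD5/SHA-256 of each file against the hashes on this page, and decide what a file really is from its bytes rather than its name, since the follow-up sample is a DLL shipped with an .exe extension. The script below is an added example, not part of the original post or the site's own tooling. The hash table is copied from the entries above (MD5 from the listing, SHA-256 from the VirusTotal URLs); the PE bytes it runs on are a constructed minimal header with the IMAGE_FILE_DLL bit set, standing in for the real follow-up sample, which is not reproduced here.

```python
"""Triage helper: hash a file, match it against this page's IOCs, and identify
the container type (SWF / ZIP-JAR / PE) from magic bytes, flagging an .exe whose
COFF header says it is a DLL. Added example, not code from the original post."""
import hashlib
import struct

# IOCs copied from the listing above. Keys are lowercase hex digests.
KNOWN_MD5 = {
    "dbb3f5e90c05602d92e5d6e12f8c1421": "2014-09-16-Angler-EK-flash-exploit.swf",
    "87df3042dbff5dc8f664fccfea10b737": "2014-09-16-Angler-EK-java-exploit.jar",
    "0c466ff4d3d78c1f5eb7532573ba8c34": "2014-09-16-Angler-EK-malware-payload.exe",
    "69b8db13a04b19905bc541c921ff582e": "2014-09-16-Angler-EK-follow-up-malware.exe",
}
KNOWN_SHA256 = {
    "6a60d61a771dc4b719fe2887be2f14b0ff59c4212cce0ee0f8697ba9c1aa0d95": "2014-09-16-Angler-EK-flash-exploit.swf",
    "352b380a4fc63874212067dc26876415b5279b9eb6a3d6c64987346d124eb719": "2014-09-16-Angler-EK-java-exploit.jar",
    "ecb03f1bb1654c89ea93102b6a74ed5b415e4fef0b1a4401acd20224f3d79320": "2014-09-16-Angler-EK-malware-payload.exe",
    "410bbf7bce929e0c7295b8ed0c98d54339981bf4149306aa8b434f04e8a81718": "2014-09-16-Angler-EK-follow-up-malware.exe",
}

IMAGE_FILE_DLL = 0x2000  # Characteristics bit in the PE COFF file header


def lookup_hash(hexdigest):
    """Return the artifact name for a known MD5 or SHA-256 digest, else None."""
    h = hexdigest.strip().lower()
    return KNOWN_MD5.get(h) or KNOWN_SHA256.get(h)


def pe_is_dll(data):
    """True/False from the IMAGE_FILE_DLL bit; None if the bytes are not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    # Signature (4 bytes) is followed by the 20-byte COFF file header;
    # Characteristics is its last WORD, i.e. 22 bytes past the signature.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return bool(characteristics & IMAGE_FILE_DLL)


def identify(data):
    """Container type from magic bytes, ignoring whatever extension the file has."""
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):   # uncompressed / zlib / LZMA Flash
        return "swf"
    if data[:4] == b"PK\x03\x04":               # ZIP container (a JAR, in this set)
        return "zip"
    dll = pe_is_dll(data)
    if dll is not None:
        return "pe-dll" if dll else "pe-exe"
    return "unknown"


def triage(data, filename):
    """Hash the bytes, check them against the page's IOCs, and report whether the
    extension lies about the type (an .exe that is really a DLL)."""
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    kind = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "file": filename,
        "size": len(data),
        "md5": md5,
        "sha256": sha256,
        "known_as": lookup_hash(md5) or lookup_hash(sha256),
        "type": kind,
        "exe_is_really_dll": ext == "exe" and kind == "pe-dll",
    }


# Constructed stand-in for the follow-up sample: a minimal PE header (DOS stub,
# e_lfanew = 0x40, COFF header with DLL|EXECUTABLE_IMAGE|32BIT_MACHINE) named .exe.
# This is NOT the real malware; it only exercises the parser.
FAKE_DLL_AS_EXE = (
    b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    + b"PE\0\0"
    + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x2102)
)

if __name__ == "__main__":
    for key, value in triage(FAKE_DLL_AS_EXE, "follow-up-malware.exe").items():
        print(f"{key:>18}: {value}")
```

To run it against the real files, read each one as bytes and pass it to triage() with its file name; a known_as hit confirms you have the same sample as this post, and exe_is_really_dll should come back True for the follow-up file and False for the Angler payload.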

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

 

SCREENSHOTS FROM THE TRAFFIC AND INFECTED VM

The browser window that popped up when clicking the link:

 

What the browser showed when it redirected to Angler EK:

 

Malware payloads, obfuscated from the pcap:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.