2014-10-01 - MALWARE FROM FAKE IRS NOTIFICATION CAUSES "CRYPTOWALL 2.0" INFECTION

ASSOCIATED FILES:


NOTES:


EXAMPLE OF THE EMAILS

SCREENSHOTS:


MESSAGE TEXT:

Received: from static.vdc.vn (static.vdc.vn [113.161.198.196] (may be forged))
From: IRS Complaint <complaint-copy@irs.gov>
Date: Wednesday, October 1, 2014 at 12:39 UTC
To:
Subject: Complaint

We received a complaint from you. is it true? (I sent copy of it in attachment)


Received: from HZYZBRWYXN ([114.203.105.188])
From: IRS Complaint <complaint-copy@irs.gov>
Date: Wednesday, October 1, 2014 at 12:39 UTC
To:
Subject: Copy of the complaint

There are details of the complaint in attachment.


Received: from ([81.137.205.62])
From: IRS Complaint <complaint-copy@irs.gov>
Date: Wednesday, October 1, 2014 at 13:28 UTC
To:
Subject: Complaint to the IRS

Hi, I am received a complaint. you wrote it? (See attachment)


Received: from QHYCGGETN ([72.54.201.18])
From: IRS Complaint <complaint-copy@irs.gov>
Date: Wednesday, October 1, 2014 at 14:31 UTC
To:
Subject: Complaint to the IRS

We received a complaint from you. is it true? (I sent copy of it in attachment)


Received: from rrcs-67-78-159-70.se.biz.rr.com (67.78.159.70)
From: IRS Complaint <complaint-copy@irs.gov>
Date: Wednesday, October 1, 2014 at 15:57 UTC
To:
Subject: Copy of the complaint

Hi, I am received a complaint. you wrote it? (See attachment)


PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  Complaint_IRS_id-12839182.zip
File size:  194.5 KB ( 199121 bytes )
MD5 hash:  ea4df0aa8ed7ac496482480da3ac8608
Detection ratio:  22 / 54
First submission:  2014-10-01 12:14:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7293fa4fcba16746926947d6262f9e43cd87cc52a21a0d9a5c5e96d33a4dd2e2/analysis/


EXTRACTED MALWARE:

File name:  Complaint_IRS_id-12839182.scr
File size:  272.0 KB ( 278566 bytes )
MD5 hash:  31c2d25d7d0d0a175d4e59d0b3b2ec94
Detection ratio:  17 / 55
First submission:  2014-10-01 12:17:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a0454c319093a3c5e4ce84569de9a680aa4028c208f9607880967d43f3b22666/analysis/
Malwr link:  https://malwr.com/analysis/NGNmMDM4NzIwYTE0NGE0NmI4MWQ1ODEyMWNmZGU3MTI/
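As an added example (not part of the original write-up), here is a small Python triage script that applies two checks suggested by the samples above: whether the From domain appears in the originating Received hop, and whether a zip attachment carries a Windows executable such as the .scr found here. build_sample() constructs a look-alike of the first email with a harmless placeholder instead of the real .scr; the function names and the extension list are my own assumptions.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click; this campaign hid a .scr inside the zip.
EXECUTABLE_EXTS = (".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def triage_message(raw: bytes) -> list[str]:
    """Return reasons to quarantine a raw RFC 822 message (empty list = none found)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Check 1: the From domain (irs.gov in these lures) should appear in the originating relay.
    # Received headers are prepended, so the last one is the earliest hop; "(may be forged)" is a red flag.
    m = re.search(r"@([\w.-]+)>?\s*$", msg.get("From", ""))
    sender_domain = m.group(1).lower() if m else ""
    received = msg.get_all("Received", [])
    if sender_domain and received:
        first_hop = " ".join(received[-1].split())
        if sender_domain not in first_hop.lower() or "may be forged" in first_hop.lower():
            findings.append(f"sender domain {sender_domain} not matched by relay: {first_hop}")
    # Check 2: open zip attachments in memory and flag executables inside them.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") and data[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for inner in zf.namelist():
                        if inner.lower().endswith(EXECUTABLE_EXTS):
                            findings.append(f"executable {inner} inside {name}")
            except zipfile.BadZipFile:
                findings.append(f"unreadable zip attachment {name}")
    return findings

def build_sample() -> bytes:
    """Constructed look-alike of the first email above; the .scr is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Complaint_IRS_id-12839182.scr", b"placeholder bytes, not malware")
    msg = EmailMessage()
    msg["Received"] = "from static.vdc.vn (static.vdc.vn [113.161.198.196] (may be forged))"
    msg["From"] = "IRS Complaint <complaint-copy@irs.gov>"
    msg["Subject"] = "Complaint"
    msg.set_content("We received a complaint from you. is it true? (I sent copy of it in attachment)")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Complaint_IRS_id-12839182.zip")
    return msg.as_bytes()
```

Running triage_message(build_sample()) returns both findings; a message whose From domain matches its first-hop relay and that carries no zip returns an empty list.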


SCREENSHOTS AND INFO FROM THE TRAFFIC

From Malwr.com pcap:   2014-10-01 22:09:34 UTC - 65.19.161.34 port 80 - eportfolio.ccpullman.ca - GET /blog/eo7ycomyy

No Snort event triggered on this line for VRT, ET, or ETPRO signatures (that I could tell)


From infected VM pcap:   2014-10-01 22:07:48 UTC - 42.62.40.145 port 80 - www.meihuainfo.com - GET /wp-content/themes/mh/3sbgwh

Triggered snort rule:  ET TROJAN Unknown Locker DL URI Struct Jul 25 2014 (sid:2018787)


Decrypt instructions (specifying this is CryptoWall 2.0):


After installing Tor Browser, I got the CAPTCHA for the decrypt service:


Which takes us to the ransom payment page:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
