2014-10-03 - PHISHING CAMPAIGN - INCOMING FAX REPORTS - FAKE HMRC TAX NOTIFICATION

ASSOCIATED FILES:

 

NOTES:

 

WAVES OF PHISHING EMAILS I'VE DOCUMENTED BY (WHAT I THINK IS) THE SAME ACTOR:

 

 

EXAMPLE OF THE EMAILS

SCREENSHOT - EXAMPLE 1:

 

SCREENSHOT - EXAMPLE 2:

 

MESSAGE TEXT - EXAMPLE 1:

From: Incoming Fax <no-reply@docs-xd.com>
Date: Friday, October 3, 2014 at 16:56 UTC
To:
Subject: INCOMING FAX REPORT : Remote ID: 3560-28116-15053


*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Fri, 03 Oct 2014 18:56:41 +0200
Speed: 43560
Connection time: 12.56
Pages: 3
Resolution: Normal
Remote ID: 3560-28116-15053
Line number: 3
DTMF/DID:
Description: Internal Docs

Fax message attached in PDF format (Adobe Reader).

*********************************************************

Attachment: doc_03102014-.zip (12.2 KB)

 

MESSAGE TEXT - EXAMPLE 2:

From: "hmrc.gov.uk" <noreply@docs-xll.com>
Date: Friday, October 3, 2014 at 09:56 UTC
To: <undisclosed-recipients:;>
Subject: You have received new messages from HMRC

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.

Please do not reply to this e-mail.

Attachment: doc_0315634-2871_pdf.zip (12.2 KB)

 

PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  doc_03102014-.zip
File size:  9.0 KB ( 9255 bytes )
MD5 hash:  f777ff3fdbda090df534cdb5c4bd7b89
Detection ratio:  13 / 54
First submission:  2014-10-03 10:23:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4c4dc72b5e51bab8ebe153af6817b2b6d390ab332b7ffc3d079cf0080f3b9b56/analysis/

 

EXTRACTED MALWARE:

File name:  doc_03102014-2871_pdf.exe
File size:  23.0 KB ( 23552 bytes )
MD5 hash:  ef880cf944302b0880215509ad340ab0
Detection ratio:  13 / 54
First submission:  2014-10-03 10:23:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8f98fce6c20dbbe8a156e5a5b671066ccd0db240140e81d69d1a7205457605cb/analysis/
Malwr link:  https://malwr.com/analysis/NTcyZTJlYzUwMTMxNGI5NWE2ZTZlNzFjMzNmN2MwZjA/

 

DROPPED MALWARE:

File name:  jyrhg.exe
File size:  351.5 KB ( 359936 bytes )
MD5 hash:  2a1a5084908d808963413ae58c19b914
Detection ratio:  13 / 54
First submission:  2014-10-03 20:28:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ed07040f5bc08fecdf28db4a2c365840b7867ab705f73d08d4d64bc035caced9/analysis/
Malwr link:  https://malwr.com/analysis/NGY4YWIyOTlhZmEwNDQzOWIzODg1MzRhNjNlZWMxMWE/
Malwr.com pcap from the above analysis:  2014-10-03-malwr-analysis-jyrhg.exe.pcap.zip.
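The two lures above share the same tricks: a display name that impersonates a brand (the "hmrc.gov.uk" name in front of a docs-xll.com sender), a small ZIP attachment, and an executable inside it whose stem ends in "_pdf" so it reads as a document. The script below is an added example written for this page (not the author's tooling): it parses a message, flags the display-name/sender-domain mismatch, opens the ZIP attachment in memory, flags executable members dressed up as documents, and compares MD5s against the hashes listed in the PRELIMINARY MALWARE ANALYSIS section. The sample message is constructed from the Example 2 headers quoted above, and the ZIP member is dummy bytes carrying the real file name, so no hash will match the IOC list when run as-is.

```python
"""Email/attachment triage for the fake-fax and fake-HMRC lures.

Example code added to this write-up, not the blog author's own tooling.
The sample message is constructed from the headers quoted on the page;
the ZIP member contents are dummy bytes, not the real malware.
"""
import email
import email.utils
import hashlib
import io
import json
import re
import zipfile
from email import policy
from email.message import EmailMessage

# MD5 hashes taken from the PRELIMINARY MALWARE ANALYSIS section above.
KNOWN_MD5 = {
    "f777ff3fdbda090df534cdb5c4bd7b89": "doc_03102014-.zip",
    "ef880cf944302b0880215509ad340ab0": "doc_03102014-2871_pdf.exe",
    "2a1a5084908d808963413ae58c19b914": "jyrhg.exe",
}

EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
# Stem that ends like a document name, e.g. "doc_03102014-2871_pdf" or "report.pdf"
DOCLIKE_STEM = re.compile(r"[._-](pdf|doc|docx|xls|xlsx|txt)$", re.IGNORECASE)


def display_name_mismatch(from_header):
    """True when the display name carries a domain/brand that is not the
    real sender domain, e.g. '"hmrc.gov.uk" <noreply@docs-xll.com>'."""
    name, addr = email.utils.parseaddr(from_header)
    sender_domain = addr.rpartition("@")[2].lower()
    m = re.search(r"\b[\w-]+(?:\.[\w-]+)+\b", name)
    if not m:
        return False                      # plain name such as "Incoming Fax"
    claimed = m.group(0).lower()
    return not (sender_domain == claimed or sender_domain.endswith("." + claimed))


def suspicious_member(name):
    """Executable whose stem is made to look like a document (x_pdf.exe)."""
    lower = name.lower()
    if not lower.endswith(EXEC_EXTS):
        return False
    stem = lower.rsplit(".", 1)[0]
    return bool(DOCLIKE_STEM.search(stem))


def triage(raw_message):
    """Return findings for one RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = {
        "from": str(msg.get("From", "")),
        "spoofed_display_name": display_name_mismatch(str(msg.get("From", ""))),
        "attachments": [],
    }
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        md5 = hashlib.md5(data).hexdigest()
        entry = {"name": part.get_filename() or "", "md5": md5,
                 "known_ioc": KNOWN_MD5.get(md5), "members": []}
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    blob = zf.read(info)
                    member_md5 = hashlib.md5(blob).hexdigest()
                    entry["members"].append({
                        "name": info.filename,
                        "size": info.file_size,
                        "md5": member_md5,
                        "known_ioc": KNOWN_MD5.get(member_md5),
                        "executable_disguised_as_document": suspicious_member(info.filename),
                    })
        findings["attachments"].append(entry)
    return findings


def build_sample_message():
    """Constructed message mirroring EXAMPLE 2; the ZIP holds dummy bytes
    under the real extracted-payload file name (assumption: dummy content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc_03102014-2871_pdf.exe", b"MZ dummy bytes, not the real binary")
    msg = EmailMessage()
    msg["From"] = '"hmrc.gov.uk" <noreply@docs-xll.com>'
    msg["Subject"] = "You have received new messages from HMRC"
    msg.set_content("Please be advised that one or more Tax Notices (P6, P6B) "
                    "have been issued.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="doc_0315634-2871_pdf.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_message()), indent=2))
```

Feed it a real .eml from the quarantine and the two flags plus the member hashes are what you would pivot on: a match in KNOWN_MD5 ties the message to this campaign, and the disguised-executable flag catches the next wave even after the hashes change.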

 

INFECTION TRAFFIC

FROM MALWR.COM ANALYSIS OF THE MALWARE:

 

SNORT EVENTS FROM SANDBOX ANALYSIS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

 

SCREENSHOTS FROM THE TRAFFIC

Post-infection checkin:

 

Upatre call for more malware:

 

Encrypted TCP traffic on port 4443:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
