2014-11-13 - PHISHING CAMPAIGN - SUBJECT: YOU HAVE RECEIVED A NEW SECURE MESSAGE FROM BANKLINE#[8-DIGITS]

ASSOCIATED FILES:

 

NOTES:


Downloading the Upatre

 

PHISHING CAMPAIGNS WITH SIMILAR POST-INFECTION TRAFFIC:

 

EMAILS SEEN FROM THIS CAMPAIGN


All had a spoofed sender:  <secure.message@bankline.com>

 

SCREENSHOT FROM ONE OF THE EMAILS:

 

MESSAGE TEXT FROM ONE OF THE EMAILS:

From: Bankline <secure.message@bankline.com>
Date: Thursday, November 13, 2014 at 10:46 UTC
Subject: You have received a new secure message from BankLine#62941708

You have received a secure message.

Read your secure message by following the link bellow:

link


----------------
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 7038.

First time users - will need to register after opening the attachment.
About Email Encryption - http://www.rbs.co.uk/corporate/electronic-services/g2/datalink.ashx

 

SOME OF THE LINKS FROM THESE PHISHING EMAILS:

 

PRELIMINARY MALWARE ANALYSIS

DOWNLOADED ZIP FILE:

File name:  Secure-messageBankline_pdf.zip
File size:  9.9 KB ( 10150 bytes )
MD5 hash:  f4df9e9ca2c91ba5e826111014d1b1c5
Detection ratio:  21 / 55
First submission:  2014-11-13 10:48:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2ad9176032de039207d41bafa83b10907ade9c771a478d42b620082fbae3a165/analysis/

 

EXTRACTED MALWARE:

File name:  Secure-messageBankline_pdf.exe
File size:  23.0 KB ( 23552 bytes )
MD5 hash:  c852dff3e4de04eb3a230cd560094d59
Detection ratio:  21 / 53
First submission:  2014-11-13 10:49:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7f771a240dab091da8af9ec07b10a97079864c45564259ee7ca827d4cfd387a2/analysis/
Malwr link:  https://malwr.com/analysis/MDFkZWFiNTk4MzYyNGIwMmEyMzA2OWUxODU3ZTYyYTc/

 

DROPPED FILES ON THE INFECTED VM:

 

DROPPED EXE:

File name:  C:\Windows\OccUbCFuCHafSpy.exe
File size:  492.0 KB ( 503808 bytes )
MD5 hash:  ca075266749ad6303092ba177177aef3
Detection ratio:  15 / 55
First submission: 
VirusTotal link:  https://www.virustotal.com/en/file/b642644ca6ba8509b49e0093119190dd2e39130fd5ee2c96b81bb44457f57f39/analysis/
Malwr link:  https://malwr.com/analysis/NDQxZTMxNjhlOWZlNGY1YmEzYmM3ZDAyYTBmNjlmMTE/

 

INFECTION TRAFFIC ON A VM

DOWNLOADING THE MALWARE:

 

POST-INFECTION TRAFFIC AFTER RUNNING THE MALWARE:

 

POST-INFECTION STUN (SESSION TRAVERSAL UTILITIES for NAT) TRAFFIC OVER UDP:

 

SNORT EVENTS FROM THE INFECTED VM

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.