2015-01-13 - DYRE PHISHING RUN - SUBJECT: YOUR TAX RETURN WAS INCORRECTLY FILLED OUT

ASSOCIATED FILES:

 

RELATED REPORTING:

 

NOTES:

  • 2014-09-26 - Phishing campaign - Subject: Transaction not complete
  • 2014-10-03 - Phishing campaign - incoming fax reports - fake HMRC tax notification
  • 2014-10-04 - Rig EK and Upatre from phishing emails
  • 2014-11-13 - Phishing campaign - Subject: You have received a new secure message from BankLine
  • 2014-12-05 - Upatre/Dyre phishing campaign - Subject: Video shows Norwegian fighter pilot's

 

EXAMPLE OF THE EMAILS

SCREENSHOT:

 

MESSAGE TEXT:

From: John Smith <john.smith@mail-irs.gov>
Sent: 13 January 2015 [various times]
To:
Subject: Your tax return was incorrectly filled out

Attention: Owner/ Manager
We would like to inform you that you have made mistakes while completing the last tax form application (ID: [12 digit number]).
Please follow the advice of our tax specialists HERE
Please amend the mistakes and send the corrected tax return to your tax agent as soon as possible.
Yours sincerely

 

SOME LINKS FROM THE VARIOUS EMAILS:

jamjase.com - GET /taxadmin/get_doc.html
lnails.com - GET /taxadmin/get_doc.html
lsrj.in - GET /taxadmin/get_doc.html
monarchslo.com - GET /taxadmin/get_doc.html
omrdatacapture.com - GET /taxadmin/get_doc.html
prefeituraportoestrela.com - GET /taxadmin/get_doc.html
rfurniture.com - GET /taxadmin/get_doc.html
savoretti-ds.it - GET /taxadmin/get_doc.html
semiyun.com - GET /taxadmin/get_doc.html
serressabrevois.ca - GET /taxadmin/get_doc.html
solarbearrecords.com - GET /taxadmin/get_doc.html
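Every link in this run uses the same path, /taxadmin/get_doc.html, on a different domain, so a log search keyed on the path will also catch hosts the list above misses. The script below is an added example (it is not part of the original write-up) that runs that check over proxy logs. The Squid-style access.log layout and the four sample log lines are constructed for the example; the hostnames in KNOWN_HOSTS are the ones listed above.

```python
"""Scan proxy/web logs for the Upatre download URLs from this phishing run.

Added example; the log format and the sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Domains seen in the emails (taken from the list above).
KNOWN_HOSTS = {
    "jamjase.com", "lnails.com", "lsrj.in", "monarchslo.com",
    "omrdatacapture.com", "prefeituraportoestrela.com", "rfurniture.com",
    "savoretti-ds.it", "semiyun.com", "serressabrevois.ca",
    "solarbearrecords.com",
}

# The path shared by every link in this run.
LURE_PATH = "/taxadmin/get_doc.html"

# Assumed Squid-style access.log fields: timestamp client status method url
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\d{3})\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Return a dict of fields, or None if the line does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(url):
    """Return 'known' (listed host), 'path-only' (lure path on an unlisted
    host), or None when the request path is not the lure path."""
    parts = urlsplit(url)
    if parts.path != LURE_PATH:
        return None
    return "known" if (parts.hostname or "") in KNOWN_HOSTS else "path-only"


def scan(lines):
    """Return (client, host, verdict, status) for every matching request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec["url"])
        if verdict:
            hits.append((rec["client"], urlsplit(rec["url"]).hostname,
                         verdict, rec["status"]))
    return hits


# Constructed sample log: one listed host, one unlisted host with the same
# path, and two unrelated requests that must not match.
SAMPLE_LOG = """\
1421164800.123 10.0.0.15 200 GET http://jamjase.com/taxadmin/get_doc.html
1421164801.456 10.0.0.15 200 GET http://jamjase.com/favicon.ico
1421164950.789 10.0.0.22 404 GET http://example-not-listed.net/taxadmin/get_doc.html
1421165000.000 10.0.0.31 200 GET http://www.irs.gov/uac/Where-to-File
""".splitlines()


if __name__ == "__main__":
    for client, host, verdict, status in scan(SAMPLE_LOG):
        print(f"{client} -> {host} [{verdict}] HTTP {status}")
```

A hit only shows that someone followed the link; a 200 means message.zip was served, not that the .exe inside it was run. Treat "path-only" hits as new hosts for this run and confirm infection from the post-infection traffic on the client, not from the download alone.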

 

INFECTION TRAFFIC

WHAT YOU'LL SEE IF THE EMAIL LINK IS SUCCESSFUL:

 

TRAFFIC FROM THE INFECTED VM:

 

SNORT EVENTS FROM INFECTED VM

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Talos (VRT) ruleset from Snort 2.9.7.0 on Debian 7 (not including preprocessor events):

 

PRELIMINARY MALWARE ANALYSIS

DOWNLOADED ZIP FILE:

File name:  message.zip

 

EXTRACTED MALWARE (UPATRE):

File name:  tax_guide_pdf.exe
File size:  140.8 KB ( 144200 bytes )
MD5 hash:  d5b1370d307b788bc0bd23e744269eca
Detection ratio:  4 / 57
First submission:  2015-01-13 21:27:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7e8cec257294080d9562fa671dffdbbcdb2ec6492421ece90ca7bb21cb9719f7/analysis/
Malwr link:  https://malwr.com/analysis/OWM0YjY3NTRlYmU5NDczNWI4OWVhYjUzN2JmZTE4YzI/
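The lure delivers message.zip containing tax_guide_pdf.exe, an executable with a document-looking name. The script below is an added example (not from the original write-up) of inspecting such an archive before anyone extracts it: it flags executable extensions, document-style names on executables, a PE "MZ" header regardless of name, and member names with path components. The archive it inspects is built in memory from constructed placeholder bytes, not the real Upatre sample.

```python
"""Inspect a downloaded ZIP for a disguised executable such as tax_guide_pdf.exe.

Added example; the archive and its member contents are constructed.
"""
import io
import zipfile

EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
DOC_HINTS = ("pdf", "doc", "xls", "txt", "fax", "invoice", "tax", "receipt")


def inspect_member(name, data):
    """Return a list of findings for one archive member (name + leading bytes)."""
    findings = []
    lower = name.lower()
    if "/" in name or "\\" in name or name.startswith(".."):
        findings.append("path component in member name")
    if lower.endswith(EXEC_EXTS):
        findings.append("executable extension")
        stem = lower.rsplit(".", 1)[0]
        if any(hint in stem for hint in DOC_HINTS):
            findings.append("document-looking name on an executable")
    if data[:2] == b"MZ":
        findings.append("PE (MZ) header")
    return findings


def inspect_zip(blob, pwd=None):
    """Inspect every member of a ZIP given as bytes; returns {name: findings}.

    pwd is the archive password (bytes) for password-protected samples.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the first bytes are needed for the magic check.
            with zf.open(info, pwd=pwd) as fh:
                head = fh.read(64)
            findings = inspect_member(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip():
    """Constructed message.zip look-alike; the .exe body is a fake MZ stub,
    not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("tax_guide_pdf.exe", b"MZ" + b"\x90" * 62)
        zf.writestr("readme.txt", b"constructed harmless text member")
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in inspect_zip(build_sample_zip()).items():
        print(name, "->", "; ".join(findings))
```

The ZIP files distributed with this write-up are password-protected (see the final notes), so pass the password as pwd=b"..." when running this against them; the message.zip delivered by the lure itself was not password-protected, otherwise the victim could not have opened it.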

 

DROPPED MALWARE FOUND ON THE INFECTED VM (DYRE):

File name:  C:\Windows\tjAOlTTnXUTOMbL.exe
File size:  390.5 KB ( 399872 bytes )
MD5 hash:  7e7d8325dec4cc8c3244dd1c2d3c653a
Detection ratio:  10 / 57
First submission:  2015-01-13 15:00:32 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9cb95959bec83625a6cd9e2dd7d2261bc5715efb28124e600d9db357ea3912dc/analysis/
Malwr link:  https://malwr.com/analysis/ZDcxNmRjZDEyNjcyNDdkNDk0YTQyOTkwYWYyMGE0MjU/

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
