2015-06-04 - RESUME MALSPAM SENDING CRYPTOWALL 3.0

PCAP AND MALWARE:

 

INTRODUCTION

Today, someone submitted an example of malicious spam (malspam) to the Internet Storm Center (ISC) through our contact form (link).  The message was:

 

I know you guys probably get all sorts of these reports, but I just received a phishing email. Sending address is jamisonpearlberg@yahoo.com with a subject of "resume". Message body says:

---
Hello my name is Saira
my resume is pdf file
I am looking forward to hearing from you soon

Best regards
Saira
---

The attached file, my_resume.zip, contains a single file named resume3606.html. Within it is an iframe to hxxp://coppolarestaurant.com/cgi/resume2.php?id=661.

Thanks!

 

Looking at the file, we found a zipped HTML attachment.  When opened, the extracted HTML contained an iframe that downloaded another zip file, which led to CryptoWall 3.0.

 

DETAILS

In looking at this submitted malspam sample, we quickly noted it was suspicious.

 

The message headers indicate this email came from a Yahoo account.

 

A quick look through my employer's spam filters shows several similar emails, all dropped by our spam filters.  All apparently came from Yahoo email addresses.

 

The attachment was a zipped HTML file containing an iframe that downloaded another zip file.
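As an added example (not part of the original post), here is a small Python triage script that unpacks a zipped HTML attachment like my_resume.zip and reports any iframe whose src points at a remote host, which is the pattern described above; the hostname in the embedded sample is a constructed placeholder, not the one from the real campaign.

```python
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)

def remote_iframes(html_text):
    """Return iframe src values that point at a remote http(s) host."""
    collector = IframeCollector()
    collector.feed(html_text)
    return [s for s in collector.sources
            if urlparse(s).scheme in ("http", "https") and urlparse(s).netloc]

def triage_zip(zip_bytes):
    """Map each HTML member of a zip to the remote iframe targets it contains."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if member.lower().endswith((".html", ".htm")):
                hits = remote_iframes(zf.read(member).decode("utf-8", "replace"))
                if hits:
                    findings[member] = hits
    return findings

# Constructed sample mirroring the submitted attachment: my_resume.zip holding
# resume3606.html whose only content is an iframe to a remote PHP endpoint.
# The hostname is a placeholder, not the one from the real campaign.
SAMPLE_HTML = ('<html><body><iframe src="http://malspam.example/cgi/resume2.php?id=661"'
               ' width="1" height="1"></iframe></body></html>')

def build_sample_zip():
    """Build my_resume.zip in memory so the triage runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume3606.html", SAMPLE_HTML)
    return buf.getvalue()
```

Running `triage_zip(build_sample_zip())` flags resume3606.html with its remote iframe target; an attachment whose HTML only references local resources yields an empty result.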

 

That downloaded zip file contained malware with an Adobe PDF icon, designed to trick users into double-clicking it.

 

Here's a look at the traffic:

 

And the infected host in my lab environment quickly showed signs of a CryptoWall 3.0 infection.  The bitcoin address for the ransom payment was: 16REtGSobiQZoprFnXZBR2mSWvRyUSJ3ag.  A quick check on blockchain.info showed 2 transactions to this bitcoin address from April and May of 2015.

 

FINAL NOTES

Once again, here are the associated files:

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.
