2017-03-10 - POSSIBLE BANLOAD INFECTION FROM BRAZIL MALSPAM
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-03-10-possible-Banload-infection-traffic.pcap.zip 2.4 MB (2,414,939 bytes)
- 2017-03-10-Corrigido-emails-and-associated-files-for-possible-Banload-malware.zip 377.3 kB (377,300 bytes)
NOTES:
- This is the same actor & method of infection documented earlier this year on 2017-01-05 and several times last year (2016-09-21, 2016-08-30, and 2016-08-26 to name a few).
EMAILS
Shown above: Screen shot of the email.
EMAIL HEADERS:
- From: Informe de Rendimentos <sigs@informesigs[.]top>
- Subject: URGENTE - Informe de Rendimentos de 2016 - CORRIGIDO
ORIGINAL MESSAGE IN PORTUGUESE:
From: Informe De Rendimentos
Subject: URGENTE - Informe de Rendimentos de 2016 - CORRIGIDO
Prezado(a) [recipient],
Encaminhamos o Informe de Rendimento, ano base 2016 corrigido.
É importante que confirme os dados do seu Informe e nos encaminhe eventuais dúvidas.
Pedimos desculpas pelo transtorno causado.
Clique aqui para iniciar o download do documento
TRANSLATED BY GOOGLE:
From: Income Report
Subject: URGENT - 2016 Earnings Report - CORRECTED
Dear [recipient],
We have sent the Income Report, base year 2016 corrected.
It is important that you confirm the data in your Report and address any doubts.
We apologize for the inconvenience.
Click here to start the download of the document
TRAFFIC
Shown above: Start of injected script in a page from the compromised website.
ASSOCIATED DOMAINS:
- bit[.]ly - GET /2mrqEof - redirect from the link in the email (HTTPS)
- 187.17.111[.]98 port 443 - lavorocont.sslblindado[.]com - GET /marco/ [returns the malicious .vbs file]
- 65.181.112[.]240 port 80 - 65.181.112[.]240 - GET /lol/w7.txt
- 65.181.112[.]252 port 80 - 65.181.112[.]252 - GET /lol/aw7.tiff
- 65.181.112[.]252 port 80 - 65.181.112[.]252 - GET /lol/W7.zip
- 65.181.112[.]252 port 80 - 65.181.112[.]252 - GET /lol/dll.dll
- 65.181.112[.]252 port 80 - 65.181.112[.]252 - GET /lol/dll.dll.exe
- 65.181.112[.]54 port 80 - www.devyatinskiy[.]ru - HTTP post-infection traffic
- 65.181.112[.]252 port 80 - www.petr4[.]in - HTTP post-infection traffic
- 65.181.113[.]204 port 443 - ssl.houselannister[.]top - IRC traffic (botnet command and control)
- DNS query for: imestre.houselannister[.]top - response: 127.0.0[.]1
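The list above is written in the site's defanged `[.]` notation, which has to be refanged before it can be compared against anything. As an added example that is not part of the original write-up, the block below parses those indicator lines into structured records, then checks them against a constructed connection log (the log lines are made up for illustration and are not extracted from the pcap). Host-and-path indicators are matched on both fields; the post-infection and IRC entries, which give no request path, match on host or IP alone. The bit.ly and DNS lines are left out because they do not follow the `IP port N - host - request` pattern.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicator lines copied from the ASSOCIATED DOMAINS list above, still defanged.
INDICATOR_LINES = [
    "187.17.111[.]98 port 443 - lavorocont.sslblindado[.]com - GET /marco/ [returns the malicious .vbs file]",
    "65.181.112[.]240 port 80 - 65.181.112[.]240 - GET /lol/w7.txt",
    "65.181.112[.]252 port 80 - 65.181.112[.]252 - GET /lol/aw7.tiff",
    "65.181.112[.]252 port 80 - 65.181.112[.]252 - GET /lol/W7.zip",
    "65.181.112[.]252 port 80 - 65.181.112[.]252 - GET /lol/dll.dll",
    "65.181.112[.]252 port 80 - 65.181.112[.]252 - GET /lol/dll.dll.exe",
    "65.181.112[.]54 port 80 - www.devyatinskiy[.]ru - HTTP post-infection traffic",
    "65.181.112[.]252 port 80 - www.petr4[.]in - HTTP post-infection traffic",
    "65.181.113[.]204 port 443 - ssl.houselannister[.]top - IRC traffic (botnet command and control)",
]

# Constructed connection log (NOT from the pcap). Fields: ts src dst_ip:dst_port host method path.
# "-" marks a field that does not apply (the TLS/IRC connection carries no HTTP request).
CONSTRUCTED_LOG = """\
2017-03-10T13:58:02Z 10.0.0.5 187.17.111.98:443 lavorocont.sslblindado.com GET /marco/
2017-03-10T13:58:09Z 10.0.0.5 65.181.112.240:80 65.181.112.240 GET /lol/w7.txt
2017-03-10T13:58:15Z 10.0.0.5 65.181.112.252:80 65.181.112.252 GET /lol/dll.dll.exe
2017-03-10T13:59:40Z 10.0.0.5 65.181.113.204:443 ssl.houselannister.top - -
2017-03-10T14:01:00Z 10.0.0.7 93.184.216.34:443 example.com GET /index.html
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) port (?P<port>\d+) - (?P<host>\S+) - (?P<rest>.*)$")
GET_RE = re.compile(r"^GET (?P<path>\S+)\s*(?P<note>.*)$")


@dataclass(frozen=True)
class Indicator:
    ip: str
    port: int
    host: str
    path: Optional[str]  # None when the line gives no request path (post-infection, IRC)
    note: str


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    host: str
    path: str
    indicator: Indicator


def refang(value: str) -> str:
    """Turn the write-up's defanged 'a[.]b' notation back into a real hostname or IP."""
    return value.replace("[.]", ".")


def parse_indicator(line: str) -> Indicator:
    """Parse one 'IP port N - host - request/description' line into an Indicator."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised indicator line: {line!r}")
    rest = m.group("rest").strip()
    g = GET_RE.match(rest)
    path = g.group("path") if g else None
    note = (g.group("note").strip() if g else rest) or f"GET {path}"
    return Indicator(refang(m.group("ip")), int(m.group("port")), refang(m.group("host")), path, note)


def match_log(log_text: str, indicators: List[Indicator]) -> List[Hit]:
    """Return one Hit per log record that touches a listed host/IP (and path, where the indicator has one)."""
    hits: List[Hit] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, host, _method, path = raw.split()
        dst_ip, _dst_port = dst.rsplit(":", 1)
        matched = [
            ind for ind in indicators
            if (host == ind.host or dst_ip == ind.ip)
            and (ind.path is None or path == ind.path)
        ]
        if not matched:
            continue
        # Several indicators share 65.181.112.252; prefer one that pins the request path.
        specific = [ind for ind in matched if ind.path is not None]
        hits.append(Hit(ts, src, host, path, (specific or matched)[0]))
    return hits


def infected_sources(hits: List[Hit]) -> List[str]:
    """Internal addresses with at least one indicator hit, sorted for stable reporting."""
    return sorted({h.src for h in hits})


if __name__ == "__main__":
    inds = [parse_indicator(line) for line in INDICATOR_LINES]
    for h in match_log(CONSTRUCTED_LOG, inds):
        print(f"{h.ts} {h.src} -> {h.host}{h.path if h.path != '-' else ''}  [{h.indicator.note}]")
    print("sources to triage:", infected_sources(match_log(CONSTRUCTED_LOG, inds)))
```

Run against a real proxy or Zeek `conn`/`http` export, the same matcher works once the record fields are mapped to the `ts src dst_ip:port host method path` layout; the path-preference rule matters because the download server and one of the post-infection hosts sit on the same IP, and a bare IP match would otherwise hide which stage of the chain a record belongs to.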
FILE HASHES
DOWNLOADED .JS FILE:
- SHA256 hash: 2e828c31e4f63bba2a67245cac7d4d29148042a068d09f27c0e4d16742661cd2
- File name: 06032017eXRID29mQCKn1vrYt7UM2ess3sq8gBbk11659.vbe
- File size: 272 bytes
DOMAIN INFORMATION
DOMAINS FROM THIS CURRENT WAVE OF MALSPAM:
- informesigs[.]top (pinged to: 94.77.196[.]100)
- c7rd7d6e11uvbene4ycgkko3wwuca8u8[.]top (subdomains pinged to: 65.181.112[.]252)
- iealhmuzway1hbclojwe6ewsovcv21ah[.]top (subdomains pinged to: 65.181.112[.]252)
- k6ubvzh0ctjevmvzb65oktakjcxzejvq[.]top (subdomains pinged to: 65.181.112[.]252)
- lpj2qbrzi0cwyg6nnmaxb7qhwr1orfpo[.]top (subdomains pinged to: 65.181.112[.]252)
- z5wmkjd4xjgfjfcstkybegognmrcctdl[.]top (subdomains pinged to: 65.181.112[.]252)
NOTE: All the above domains were registered by Cerise Charbonneau (email POC: cerisecharbonneau@protonmail[.]com) on 2017-03-04 through publicdomainregistry[.]com.