2017-04-04 - CERBER/KOVTER MALSPAM - SUBJECT: OUR UPS COURIER CAN NOT CONTACT YOU

ASSOCIATED FILES:

  • 2017-04-04-Cerber-Kovter-malspam-traffic.pcap   (3,138,096 bytes)
  • 2017-04-03-Cerber-Kovter-malspam-2143-UTC.eml   (2,996 bytes)
  • 2017-04-04-Cerber-from-UPS-malspam.exe   (272,041 bytes)
  • 2017-04-04-Kovter-from-UPS-malspam.exe   (369,850 bytes)
  • UPS-Parcel-ID-9755405.doc.js-recovered.txt   (786 bytes)
  • UPS-Parcel-ID-9755405.zip-corrupt   (1,010 bytes)
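The attachment in this case arrived as a corrupt ZIP (UPS-Parcel-ID-9755405.zip-corrupt above), and the .js inside was recovered anyway (the -recovered.txt file). The script below is an added example, not tooling from this post: it builds a small ZIP in memory, cuts off the central directory to mimic a damaged archive, shows that the standard zipfile module then rejects it, and recovers the member by walking the local file headers ("PK\x03\x04") that still precede each member's compressed bytes. The member name is taken from the file list above; its body is a harmless constructed placeholder, not the real downloader, and the double-extension check is a generic heuristic rather than anything stated on this page.

```python
"""Recover a script member from a ZIP whose central directory is gone.

Added example, not from the original post. The archive is constructed here and the
member body is a benign placeholder; only the member NAME is taken from the post.
"""
import io
import struct
import zipfile
import zlib

LOCAL_HDR = b"PK\x03\x04"
# sig, version, flags, method, mod time, mod date, crc32, csize, usize, name len, extra len
LOCAL_FMT = "<4sHHHHHIIIHH"
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")


def recover_local_entries(data):
    """Walk local file headers and decompress each member.

    Returns [(name, payload_bytes, crc_ok)] where crc_ok is True/False against the
    header CRC, or None if the header carried no CRC (data-descriptor style archives).
    """
    entries = []
    off = data.find(LOCAL_HDR)
    while off != -1 and off + 30 <= len(data):
        (_, _, flags, method, _, _, crc, csize, usize, nlen, xlen) = struct.unpack_from(LOCAL_FMT, data, off)
        name = data[off + 30: off + 30 + nlen].decode("cp437", "replace")
        start = off + 30 + nlen + xlen
        if method == 8:
            # Deflate: ZIP stores a raw stream, hence -15 window bits. If csize is 0 the
            # size lives in a trailing data descriptor, so inflate to end-of-stream instead.
            blob = data[start: start + csize] if csize else data[start:]
            d = zlib.decompressobj(-15)
            payload = d.decompress(blob)
            consumed = csize if csize else len(blob) - len(d.unused_data)
        elif method == 0:
            payload, consumed = data[start: start + csize], csize  # stored, no compression
        else:
            payload, consumed = b"", csize  # unsupported method: skip the body
        crc_ok = (zlib.crc32(payload) == crc) if crc else None
        entries.append((name, payload, crc_ok))
        off = data.find(LOCAL_HDR, start + consumed)
    return entries


def suspicious_members(entries):
    """Flag names whose real extension is a Windows script type hiding behind a
    document-looking inner extension, e.g. 'Something.doc.js'. Heuristic, not from the post."""
    return [name for name, _, _ in entries
            if name.lower().endswith(SCRIPT_EXTS) and name.lower().count(".") >= 2]


def constructed_corrupt_zip():
    """Build a ZIP, then drop the central directory and EOCD record (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        body = "// constructed placeholder body, not the real downloader\nWScript.Echo('stand-in');\n" * 4
        z.writestr("UPS-Parcel-ID-9755405.doc.js", body)
    data = buf.getvalue()
    return data[: data.rfind(b"PK\x01\x02")]  # everything before the first central-directory header


def demo():
    """Return (stdlib_accepted, recovered_entries, flagged_names) for the constructed archive."""
    data = constructed_corrupt_zip()
    try:
        zipfile.ZipFile(io.BytesIO(data))
        stdlib_accepted = True
    except zipfile.BadZipFile:
        stdlib_accepted = False
    entries = recover_local_entries(data)
    return stdlib_accepted, entries, suspicious_members(entries)


if __name__ == "__main__":
    accepted, recovered, flagged = demo()
    print("zipfile accepted archive:", accepted)
    for name, payload, ok in recovered:
        print(f"recovered {name!r}: {len(payload)} bytes, crc_ok={ok}")
    print("double-extension script members:", flagged)
```

On a real sample the same walk also tells you whether the damage is confined to the directory (member CRCs verify) or reaches into the compressed bodies (inflate errors or CRC mismatches), which decides whether the "recovered" script can be trusted as the original.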

NOTES:

 

EMAIL


Shown above:  Screen shot of the email.

 

EMAIL HEADERS:

 


Shown above:  Attachment taken from the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

URLS GENERATED BY EXTRACTED .JS FILE:

CERBER POST-INFECTION HTTP TRAFFIC:

CERBER POST-INFECTION UDP TRAFFIC:

KOVTER POST-INFECTION HTTP TRAFFIC:

KOVTER POST-INFECTION HTTPS/SSL/TLS TRAFFIC:
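The Cerber UDP traffic headed above is not reproduced on this page. Public reporting on Cerber describes the infected host sending UDP datagrams to every address in one or more contiguous IP blocks on a single destination port, which is what makes it stand out in a pcap. The script below is an added example, not tooling from this post: it constructs a small libpcap file in memory with RFC 1918 and TEST-NET addresses and an arbitrary port (no addresses or ports from the real capture), parses Ethernet/IPv4/UDP with the standard library, and flags any source that hits many distinct addresses in one /24 on one UDP port while leaving ordinary DNS traffic alone.

```python
"""Flag a Cerber-style UDP spray in a classic libpcap file.

Added example, not from the original post. The capture is CONSTRUCTED below with
RFC 1918 / TEST-NET addresses and an arbitrary port; it is not the post's pcap.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

ETH_IPV4 = 0x0800
PROTO_UDP = 17


def build_udp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/UDP frame. Checksums are left zero; fine for constructed test data."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, PROTO_UDP, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    return eth + ip + udp


def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, 16-byte record header per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1491300000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_udp(pcap):
    """Yield (src_ip, dst_ip, sport, dport) for every UDP-over-IPv4 frame in the file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
        if len(frame) < 14 + ihl + 8 or frame[14 + 9] != PROTO_UDP:
            continue
        src = str(IPv4Address(frame[14 + 12: 14 + 16]))
        dst = str(IPv4Address(frame[14 + 16: 14 + 20]))
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield src, dst, sport, dport


def find_udp_sprays(pcap, min_targets=32):
    """Return [(src, dport, '/24 block', distinct_destinations)] for every (source, port)
    pair that reached at least min_targets distinct addresses inside one /24."""
    hits = defaultdict(set)
    for src, dst, _, dport in iter_udp(pcap):
        block = str(IPv4Network(dst + "/24", strict=False))
        hits[(src, dport, block)].add(dst)
    return sorted((s, p, b, len(d)) for (s, p, b), d in hits.items() if len(d) >= min_targets)


def sample_pcap():
    """Constructed capture: 40 DNS queries to one resolver, then one host sweeping
    198.51.100.1-255 on an arbitrary UDP port. Not the traffic from the post."""
    frames = [build_udp_frame("192.168.0.10", "192.168.0.1", 50000 + i, 53, b"\x00" * 30)
              for i in range(40)]
    frames += [build_udp_frame("192.168.0.10", f"198.51.100.{i}", 60000 + (i % 10), 6892, b"\x01" * 20)
               for i in range(1, 256)]
    return build_pcap(frames)


if __name__ == "__main__":
    for src, dport, block, n in find_udp_sprays(sample_pcap()):
        print(f"{src} -> {n} hosts in {block} on UDP/{dport}")
```

The same grouping on a real capture is quick with `tshark -r file.pcap -Y udp -T fields -e ip.src -e ip.dst -e udp.dstport`, piped through `sort | uniq -c`; in Wireshark a filter of `udp && !dns` usually exposes the sweep immediately because a single host walks an entire block on one port.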

 

FILE HASHES

CORRUPT ZIP ATTACHMENT FROM THE EMAIL:

CERBER AND KOVTER BINARIES:

 

IMAGES


Shown above:  Some alerts on the traffic from the Emerging Threats Pro (ETPRO) ruleset using Sguil on Security Onion.

 


Shown above:  Getting a better idea of the Kovter post-infection traffic through filtering in Wireshark.

 


Shown above:  Getting a better idea of the Kovter post-infection traffic through escalating the events in Security Onion.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
