2017-04-05 - MALSPAM - SUBJECT: PROBLEM WITH YOUR ORDER

ASSOCIATED FILES:

  • 2017-04-05-malspam-traffic.pcap   (3,325,479 bytes)
  • 2017-04-04-malspam-0617-UTC.eml   (9,00 bytes)
  • issue2014.js   (23,316 bytes)
  • 31195.exe   (3,229,020 bytes)

 

INTRODUCTION

As a volunteer Handler for the Internet Storm Center (ISC), I receive emails sent to the ISC Handlers email distro.  On Tuesday 2017-04-04, we received the following notification:

 

From:  [redacted]
Sent:  Tuesday, 2017-04-04 15:04 UTC
Subject:  phish link to obfuscated Java script

Hi

The attached email links to [hxxp://]4safedrivers.link/orders/issue2014.php which drops an obfuscated java script.  The URL 4safedrivers.link has anonymous whois out of Australia, but 4safedrivers.com appears to be a legit company.  I haven't had time to deobfuscate it.

Thanks

John

[signature block, redacted]

 

The malware is TeamViewer packaged as spyware and a remote access tool (RAT).  Associated files had already been submitted to VirusTotal before I looked at it, so John wasn't the only one who received an email like this.

This blog post is dedicated to John and others who notify the ISC about malicious spam (malspam) and other suspicious network activity.  If you run across anything interesting, let us know through our contact form.  We may not always have time to investigate every notification, but they're always appreciated.

 

EMAIL


[Image not reproduced: screen shot of the malspam John provided us.]

EMAIL HEADERS:

 


[Image not reproduced: the .js file returned from the link in the malspam.]

TRAFFIC


[Image not reproduced: traffic from the infection filtered in Wireshark.]

ASSOCIATED DOMAINS:

 

FILE HASHES

.JS FILE FROM LINK IN THE MALSPAM:

MALWARE FROM THE INFECTED HOST:


[Image not reproduced: the TeamViewer-based spyware/RAT downloaded by the .js file.]

IMAGES


[Image not reproduced: TeamViewer files in a hidden directory on my infected lab host.]

FINAL WORDS

This TeamViewer-based malware package is nothing new.  For example, Kaspersky published a report in 2013 on how TeamViewer was abused for cyber espionage (link).  These TeamViewer-based malware packages previously earned the nickname "TeamSpy."

I don't think this particular malspam is associated with actual cyber espionage (though I could be wrong about that).  The non-TeamViewer callback IP address 193.111.63.116 belongs to a Ukrainian hosting provider.  To me, this example feels more like commodity malware used in crimeware campaigns.
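As an added example (not part of the original post, and not the ISC's or the author's own tooling), here is a small Python triage script that checks proxy log lines for the two network indicators this post names: the 4safedrivers.link URL that returned the .js file, and the non-TeamViewer callback address 193.111.63.116. The log lines are constructed for the example; the indicators are the post's own. Because John's note says 4safedrivers.com appears to be a legitimate company, the script matches on exact host (or a subdomain of it) rather than on a substring, so the look-alike .com domain is not flagged. The associated-domains list and file hashes from the original page were in images and are not reproduced here; the indicator sets are where they would be added.

```python
import ipaddress
from urllib.parse import urlparse

# Indicators taken from the post itself. The page's full associated-domains
# list and file hashes were in images and are not available here, so these sets
# only hold what the text states; extend them with the values from the original.
IOC_DOMAINS = {"4safedrivers.link"}                       # host that served the .js
IOC_IPS = {ipaddress.ip_address("193.111.63.116")}        # non-TeamViewer callback
IOC_URL_PATHS = {"/orders/issue2014.php"}                 # path that returned the .js

# Constructed sample proxy log (NOT captured traffic):
# timestamp  client  method  url  status
SAMPLE_LOG = """\
2017-04-04T15:01:12Z 10.0.0.15 GET http://4safedrivers.link/orders/issue2014.php 200
2017-04-04T15:01:20Z 10.0.0.15 GET http://www.example.com/index.html 200
2017-04-04T15:02:05Z 10.0.0.15 POST http://193.111.63.116/ 200
2017-04-04T15:03:44Z 10.0.0.22 GET http://4safedrivers.com/ 200
"""


def parse_line(line):
    """Split one constructed log line into its five fields; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def host_is_ioc_domain(host):
    """Exact-host or subdomain match, so 4safedrivers.com is not a hit."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def host_is_ioc_ip(host):
    """True when the URL host is a literal IP in the callback set."""
    try:
        return ipaddress.ip_address(host) in IOC_IPS
    except ValueError:
        return False


def match_indicators(url):
    """Return the list of indicator types a URL matches (empty if none)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if host_is_ioc_domain(host):
        reasons.append("domain")
        if parsed.path in IOC_URL_PATHS:
            reasons.append("js-download-path")
    if host_is_ioc_ip(host):
        reasons.append("callback-ip")
    return reasons


def scan(log_text):
    """Scan a block of log lines; return (client, url, reasons) for each hit."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = match_indicators(rec["url"])
        if reasons:
            hits.append((rec["client"], rec["url"], tuple(reasons)))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(reasons)}]")
```

Running the script against the constructed log flags the .js download and the POST to the callback address from 10.0.0.15, and leaves the 4safedrivers.com request alone. Feeding it real proxy or DNS logs only requires adapting parse_line to the log format in use.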

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
