2017-04-19 - USPS-THEMED MALSPAM CONTINUES PUSHING PANDA BANKER, KOVTER AND MIUREF

ASSOCIATED FILES:

BACKGROUND ON THIS CAMPAIGN:

NOTES FOR TODAY:

USPS-themed malspam continues.  Emails have links that go directly to fake Word Online sites.  These fake Word Online sites provide zipped .js files disguised as Office plugins.  The end result is the same as yesterday, with the campaign pushing Zeus Panda Banker, Kovter, and Miuref/Boaxxe.
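As an added example that is not part of the original post, the check below is what a defender could run at a mail gateway or on a downloaded attachment to flag zip archives carrying Windows script files, the lure used in this campaign. The member names are constructed placeholders, and the script extensions beyond .js are an assumption added for broader coverage.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List

# The campaign delivered a .js downloader inside a zip posing as an Office
# plugin. Only .js is from the post; the other script extensions are an
# assumption added here so the check covers the same delivery trick more broadly.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}


def suspicious_members(zip_bytes: bytes) -> List[str]:
    """Return archive member names that are Windows script files.

    Operates on the raw archive bytes, so nothing is extracted to disk.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Zip names use forward slashes; only the final suffix matters,
            # so "plugin.doc.js" is still treated as a .js file.
            suffix = PurePosixPath(info.filename).suffix.lower()
            if suffix in SCRIPT_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a name -> content mapping (test input only).

    The member names are constructed placeholders, not the campaign's real names.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for the lure: an "Office plugin" zip carrying a .js file.
    lure = build_sample_zip({"Office_Plugin_Setup.js": b"// inert constructed sample"})
    benign = build_sample_zip({"Office_Plugin_Notes.docx": b"placeholder bytes"})
    print("lure:  ", suspicious_members(lure))    # ['Office_Plugin_Setup.js']
    print("benign:", suspicious_members(benign))  # []
```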

Shown above:  Flowchart for this infection traffic.

EMAILS


Shown above:  Screen shot of the spreadsheet tracker.

Shown above:  Example of one of these emails.

DATES/TIMES:

EXAMPLES OF SENDING ADDRESSES (ALL SPOOFED):

EXAMPLES OF SUBJECT LINES:

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

Shown above:  Post-infection traffic from the Zeus Panda Banker (exe1.exe) separated from the other traffic.

NOTES:  The Zeus Panda Banker didn't create any traffic right away.  My sample waited about 5 minutes or so before generating any post-infection network activity.  If I included it in the regular pcap, that pcap would be well over 100 MB in size (due to all the other post-infection traffic).  So I infected another host with only the Panda Banker to show that traffic.

LINKS FROM THE EMAILS:

PARTIAL URLS FROM THE .JS FILES FOR ADDITIONAL MALWARE:

MALWARE


Shown above:  Zip archive disguised as an Office plugin downloaded from a fake Word Online page.

Shown above:  Contents of the downloaded zip archive.

EXAMPLE OF ZIP ARCHIVE FROM FAKE WORD ONLINE SITE:

.JS FILE EXTRACTED FROM THE DOWNLOADED ZIP ARCHIVE:

EXAMPLES OF MALWARE DOWNLOADED BY THE EXTRACTED .JS FILE:

ARTIFACT LOCATIONS

SOME ARTIFACT LOCATIONS ON THE INFECTED WINDOWS HOST:

Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.