2017-04-26 - MOLE RANSOMWARE AND KOVTER INFECTIONS FROM EMAILS IMPERSONATING USPS

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-04-26-Mole-ransomware-and-Kovter-infections-3-pcaps.zip   922.5 kB (922,459 bytes)
• 2017-04-26-USPS-themed-malspam-tracker.csv.zip   3.3 kB (3,344 bytes)
• 2017-04-26-USPS-themed-emails-and-associated-malware.zip   1.2 MB (1,206,318 bytes)

BACKGROUND ON THIS CAMPAIGN:

• My in-depth write-up on this campaign is at: Mole Ransomware: How One Malicious Spam Campaign Quickly Increased Complexity and Changed Tactics

• 2017-04-11 - Internet Storm Center (ISC) InfoSec Forums: Malspam on 2017-04-11 pushes yet another ransomware variant
• 2017-04-12 - BleepingComputer: Mole Ransomware Distributed Through Fake online Word Docs

NOTES FOR TODAY:

• The last time I looked into this, it was "Parking Service" malspam.
• Today, we're back to USPS-themed malspam linking to fake Word Online sites for zipped .js files disguised as Office plugins.
• Each downloaded zip archive is a different file name and a different file hash (same with the extracted .js files).
• I only saw Mole ransomware (exe1.exe) and Kovter (exe2.exe) as the follow-up malware today.

 

Shown above:  Flowchart for this infection traffic.

 

EMAILS

Shown above:  Screenshot of one of the emails seen today.

 

DATES/TIMES:

• Wednesday 2017-04-26 as early as 12:28 UTC through at least 21:54 UTC

 

EXAMPLES OF SENDING ADDRESSES (ALL SPOOFED):

• "USPS Express Delivery" <henohe32@caverntours[.]com>
• "USPS Express Delivery" <kafweh515171@audioactivesound[.]com>
• "USPS Express Delivery" <lai82@impresos-gdl[.]com>
• "USPS Express Delivery" <sesaifud45660083@tangentindia[.]com>
• "USPS Express Delivery" <viyhye183@kcn[.]jp>
• "USPS Express Delivery" <vyjaqpu3707847@winebox[.]com>
• "USPS Express Delivery" <xokfiuf15355858@bariartesanias[.]com[.]ar>
• "USPS Ground Support" <ginutro7@pan-americana[.]com>
• "USPS Ground Support" <heuyj77035@annebonthuis[.]nl>
• "USPS Ground Support" <ppus053130@asante[.]org>
• "USPS Ground Support" <yreiwvgo05@lancasterchambersc[.]com>
• "USPS Ground" <bftany5074720@nationalpeening[.]com>
• "USPS Ground" <pyuijuwx03637@vividdragon[.]com>
• "USPS Ground" <rae86462653@roviba[.]com>
• "USPS Ground" <uhonatom64@hkduroparts[.]com>
• "USPS Ground" <wpyvehel0435183@martyfriedel[.]com>
• "USPS Ground" <wysk7615566@ccwest[.]com>
• "USPS Home Delivery" <ztqwyhov8670001@themcsgroup[.]com>
• "USPS International" <einw2840584@coreheatingandplumbing[.]co[.]uk>
• "USPS International" <obziuda01010226@emailsend[.]com[.]au>
• "USPS International" <unyyy47534@wmusic[.]com[.]cn>
• "USPS Parcels Delivery" <gragro6666344@taxatienieuws[.]nl>
• "USPS Parcels Delivery" <qis32113374@austindevelopments[.]com[.]au>
• "USPS Parcels Delivery" <xnzckreg26778165@nebo[.]edu>
• "USPS Priority Delivery" <aj0@arvakinsurancegroup[.]com>
• "USPS Priority Delivery" <ebipc68814@sodahub[.]in>
• "USPS Priority Parcels" <ihpuod25880856@fengshui-gateway[.]com>
• "USPS Priority Parcels" <oofaoirx24660673@oakleafproperties[.]com>
• "USPS Priority Parcels" <zgqyzip46533540@auth0rity[.]com>
• "USPS Priority" <gmtimgok26405527@cei[.]org>
• "USPS Priority" <gukoldv52771@marlinchemical[.]net>
• "USPS Priority" <maknoat50@villageacupunctureandmassage[.]com>
• "USPS Priority" <tea01227@dutchmanwoodworks[.]com>
• "USPS SameDay" <igaraki785@cpd.ci.concord[.]ca[.]us>
• "USPS SameDay" <oejjouut6583@russquackenbush[.]com>
• "USPS Station Management" <iujhahzd87632020@seafaring[.]ru>
• "USPS Station Management" <pujoqeys4@leydinfreyer[.]com[.]au>
• "USPS Support Management" <rnfynmrk1068052@blumentur[.]com[.]br>
• "USPS Support Management" <yhu024517@ssheladia[.]com>
• "USPS Support" <bigafith33784567@yeweyih[.]com[.]tw>
• "USPS Support" <lyxrinyt06306284@energy-store[.]it>
• "USPS Support" <p1470@exidasp[.]ca>
• "USPS Support" <ybuozwga0047@acme-atlanta[.]com>
• "USPS TechConnect" <eeupuaj58468604@stjoanhershey[.]org>
• "USPS TechConnect" <iwwj34280@byington[.]net>
• "USPS TechConnect" <ovwooud87864426@grandrapidssolargard[.]com>

 

EXAMPLES OF SUBJECT LINES:

• ATTENTION REQUIRED: PROBLEMS WITH YOUR ITEM
• AUTOMATED letter: moneyback info
• AUTOMATED notice regarding your order's location
• AUTOMATED notification concerning your shipment's location
• AUTOMATED USPS EMAIL CONCERNING YOUR SHIPMENT
• AUTOMATED USPS OFFICIAL LETTER REGARDING YOUR PARCEL
• AUTOMATIC notification: moneyback info
• AUTOMATIC USPS EMAIL IN REGARDS TO YOUR ORDER
• AUTOMATIC USPS OFFICIAL LETTER IN REGARDS TO YOUR PARCEL
• IMMEDIATE ACTION REQUIRED: your parcel's been postponed
• IMMEDIATE ATTENTION NEEDED: your shipment's been delayed
• IMPORTANT USPS MONEYBACK INFO
• IMPORTANT USPS MONEYBACK INFO CONCERNING YOUR ITEM
• IMPORTANT USPS system letter
• IMPORTANT: notice of delay of your package
• IMPORTANT: notice of delay of your parcel
• Major problems reported to the USPS support team
• Official letter from USPS support team
• Official notice from USPS support team
• Official notification concerning your item
• Official notification in regards to your package
• OFFICIAL USPS customer support letter
• OFFICIAL USPS MONEYBACK INFORMATION
• Official USPS notification in regards to your order
• OFFICIAL USPS REFUND INFORMATION
• PROMPT ACTION REQUIRED: your order's been postponed
• PROMPT ATTENTION NEEDED: your item's been delayed
• PROMPT ATTENTION NEEDED: your shipment's been postponed
• There has been an issue with your order
• There has been an issue with your shipment
• There's been an issue with your package
• URGENT: notification of delay of your order
• URGENT: notification of delay of your package
• USPS customer support letter: your package has been delayed
• USPS customer support team notification: your parcel has been postponed
• USPS official notice: big trouble with your order
• USPS official notification: serious problems with your shipment
• USPS OFFICIAL STATEMENT regarding your item
• USPS support notice: your shipment has been delayed
• USPS support statement: your shipment has been delayed
• USPS USER IMPORANT NEW INFORMATION IN REGARDS TO YOUR SHIPMENT
• WARNING: INFO ON A IMPENDING REFUND
• WARNING: you are legally obliged to review the status of your item
• WARNING: you are required to check the status of your shipment

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

LINKS FROM THE EMAILS:

• www.apui95[.]org - GET /download/lsf/53904208ab.html
• www.arcoglass[.]net - GET /3f60caba08.html
• www.ashnoortex.quantapress[.]com - GET /55351bbf17.html
• www.autumnmoon[.]ca - GET /wp-content/423fd4e375.html
• www.avukatiarama[.]com - GET /wp-content/uploads/2017/04/2f8d830cb0.html
• www.bgbaligatraveldiary[.]com - GET /wp-content/uploads/1f91a1c9ee.html
• www.bondhucomputers[.]com - GET /wp-content/uploads/9b759cb904.html
• www.cisportstherapy[.]com - GET /wp-content/53904208ab.html
• www.crmgestao[.]com[.]br - GET /wp-content/themes/converio/02186564fe.html
• www.develop[.]com[.]vc - GET /wp-content/themes/develop/fa7651d6c6.html
• www.fancytiehtx[.]com - GET /wp-content/plugins/wraper/91039cc1b6.html
• www.felixsolis[.]mobi - GET /2a48c06f46.html
• www.focalpointbdg[.]com - GET /wp-content/plugins/278498c41a.html
• www.forkliftlastik[.]org - GET /wp-content/themes/minimize/9b759cb904.html
• www.gonzalez-santiago[.]com - GET /photog/05bd94a5e0.html
• www.imtsus[.]com - GET /wp-content/plugins/wp-blog/2a48c06f46.html
• www.informatica-ag[.]it - GET /wp-content/uploads/58de0d46db.html
• www.kardeslermobilyaizmir[.]com - GET /2a48c06f46.html
• www.laboratorioweb[.]net - GET /wp-content/9b759cb904.html
• www.latifekuskay[.]com - GET /wp-content/plugins/b670991e46.html
• www.nti-rechten[.]nl - GET /wp-content/uploads/2017/04/c75ab8fb60.html
• www.pankajevents[.]com - GET /wp-content/plugins/wraper/3f60caba08.html
• www.pichat[.]info - GET /098925327d.html
• www.sailingmonea[.]com - GET /wp-content/uploads/62fd619f6e.html
• www.shenzhen-mro[.]com - GET /modules/mod_ariimageslidersa/c5f6be8373.html
• www.sotex[.]de - GET /0659cc424a.html
• www.spaziosportsrl[.]com - GET /wp-content/themes/sketch/2f8d830cb0.html
• www.teapotcollector[.]org - GET /wp-content/plugins/wraper/a4b3cada4b.html
• www.trikolkysmile[.]cz - GET /css/67ed877d86.html
• www.uiccoin[.]org - GET /9c1dfb513b.html

 

REDIRECT:

• 185.189.14[.]112 port 80 - servisedelivery[.]com - GET /tds
• 185.189.14[.]112 port 80 - servisedelivery[.]com - GET /tds/

 

FAKE WORD ONLINE SITE:

• 185.189.14[.]112 port 80 - statusdelivery[.]com - GET /bot14/lgen.php
• 185.189.14[.]112 port 80 - statusdelivery[.]com - GET /bot14/jgen.php

 

PARTIALS URLS FROM THE .JS FILES FOR ADDITIONAL MALWARE:

• atrium-nieruchomosci[.]pl - GET /js/js/jscalendar-1.0/lang/counter
• js-electronics[.]be - GET /tmp/yoo_venture_j25/warp/libraries/counter
• lecamorariu[.]ro - GET /counter
• protectie-electromagnetica[.]ro - GET /wp-content/themes/twentythirteen/languages/counter
• smulpapentocht[.]be - GET /administrator/templates/hathor/less/counter

 

MOLE RANSOMWARE POST-INFECTION TRAFFIC:

• 94.198.98[.]20 port 80 - 94.198.98[.]20 - GET /images/gif/info-static.php

 

EMAIL ADDRESSES FROM THE MOLE RANSOMWARE DECRYPTION INSTRUCTIONS:

• AugustSteen@writeme[.]com
• auguststeen@india[.]com

 

SOME OF THE KOVTER POST-INFECTION TRAFFIC:

• 46.211.17[.]153 port 80 - 46.211.17[.]153 - POST /
• 119.81.249[.]228 port 80 - 119.81.249[.]228 - POST /
• 185.199.177[.]90 port 80 - 185.199.177[.]90 - POST /
• 23.73.153[.]97 port 443 - HTTPS (TLSv1.2) traffic
• various IP addresses over port 443 and 8080 - Attempted TCP connections

 

MALWARE

Shown above:  Zip archive disguised as an Office plugin downloaded from today's fake Word Online page.

 

Shown above:  Each downloaded zip archive contains a .js file.

 

SAMPLES OF ZIP ARCHIVES DOWNLOADED FROM THE FAKE WORD ONLINE SITE:

• 31e56d6c14ce7c080b892d121268f30f5c37501773c82ec21fd25963b98d8238 - plugin_KB_47092.zip
• 5278a3a1ce4f2ffb6edf5cc6a1cb6b56477f8e87d7e151998b45b1d6ff685a19 - plugin_KB_57676.zip
• e0818a03a897f47113970e21b575f9725eac608b1dc4eda4f3470ea3d25f8199 - plugin_KB_66614.zip
• d405a7811ce8341c258fabf05da6d88a9b204b9b9c47bedbefe40a318d0f5d8e - plugin_KB_72013.zip
• f69b69ac673ffee8473950360e8296d855cb75f6d6ab00cde5d0c4c58c6b7c8c - plugin_KB_81638.zip
• 49b9050e71aa65568e99125bc40abd5984382db5d39dcd55a2409664ca948999 - plugin_KB_89567.zip
• 1e5aac17ab222e7351b08fd95503839414e75f80ea318212950f81a8c826cba8 - plugin_KB_92384.zip

 

.JS FILES EXTRACTED FROM THE ABOVE ZIP ARCHIVES:

• 0f6ec40363f669ff8c2a040cea7519f3d2ec44d30549ae8824e84781173dca25 - plugin_KB_47092.js
• 5d94ed7fc42411bc5f807ec869800533ad718bafb93c5942cbf7766dacf8a29e - plugin_KB_57676.js
• 7ee8913af927d70ef84e1ffb8a132cf554e04a388900ba733f651eb685bf8a17 - plugin_KB_66614.js
• 8dce263108614871fd3f6a799279c1da7e7d26ef1544183976dd692b86da5c6c - plugin_KB_72013.js
• 8e61d88a02736abb8e1ba76d80f12ba68bb4e4e914be8c5049b0358e3a31e2e9 - plugin_KB_81638.js
• 14ea062ca146ed50b89faf437bb801367788e95857f73c92c5fbada47525fda4 - plugin_KB_89567.js
• 94aaf6ff9192056b6177531b391ea00a701ee8fbb35ba26946ca8710d1eb9c13 - plugin_KB_92384.js

 

SAMPLES OF MALWARE DOWNLOADED BY THE .JS FILES:

• 0a3c26a388e6ede8e08a33ddc3c9aece079d5d6c752854e16d216e134ed3d357 - exe1.exe - Mole ransomware
• f9babd5f229b59221245ac36506c4524ff7ee362a8d5c126004ace4035f53918 - exe1.exe - Mole ransomware
• 1ba0eeecd16eb7e3a7753f5fb93e95e13de6fc42de684bb7eaf0b6dfe4d94278 - exe2.exe - Kovter
• acef8f1ccc857e4bb97ae80fcec4b1f50c76c6888a030ece66c9d53ebebbcde7 - exe2.exe - Kovter
• dc46009d1a33ba4ad8272f3e13b226825cdcb70ba4b3d20ae7e054e0a8adbf1d - exe2.exe - Kovter

 

IMAGES

Shown above:  Screenshot of an infected Windows desktop.

 

Click here to return to the main page.