2017-04-26 - MOLE RANSOMWARE AND KOVTER INFECTIONS FROM EMAILS IMPERSONATING USPS
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-04-26-Mole-ransomware-and-Kovter-infections-3-pcaps.zip 922.5 kB (922,459 bytes)
- 2017-04-26-USPS-themed-malspam-tracker.csv.zip 3.3 kB (3,344 bytes)
- 2017-04-26-USPS-themed-emails-and-associated-malware.zip 1.2 MB (1,206,318 bytes)
BACKGROUND ON THIS CAMPAIGN:
- My in-depth write-up on this campaign is at: Mole Ransomware: How One Malicious Spam Campaign Quickly Increased Complexity and Changed Tactics
- 2017-04-11 - Internet Storm Center (ISC) InfoSec Forums: Malspam on 2017-04-11 pushes yet another ransomware variant
- 2017-04-12 - BleepingComputer: Mole Ransomware Distributed Through Fake online Word Docs
NOTES FOR TODAY:
- The last time I looked into this, it was "Parking Service" malspam.
- Today, we're back to USPS-themed malspam linking to fake Word Online sites for zipped .js files disguised as Office plugins.
- Each downloaded zip archive has a different file name and a different file hash (the same goes for the extracted .js files).
- I only saw Mole ransomware (exe1.exe) and Kovter (exe2.exe) as the follow-up malware today.
Shown above: Flowchart for this infection traffic.
EMAILS
Shown above: Screenshot of one of the emails seen today.
DATES/TIMES:
- Wednesday 2017-04-26 as early as 12:28 UTC through at least 21:54 UTC
EXAMPLES OF SENDING ADDRESSES (ALL SPOOFED):
- "USPS Express Delivery" <henohe32@caverntours[.]com>
- "USPS Express Delivery" <kafweh515171@audioactivesound[.]com>
- "USPS Express Delivery" <lai82@impresos-gdl[.]com>
- "USPS Express Delivery" <sesaifud45660083@tangentindia[.]com>
- "USPS Express Delivery" <viyhye183@kcn[.]jp>
- "USPS Express Delivery" <vyjaqpu3707847@winebox[.]com>
- "USPS Express Delivery" <xokfiuf15355858@bariartesanias[.]com[.]ar>
- "USPS Ground Support" <ginutro7@pan-americana[.]com>
- "USPS Ground Support" <heuyj77035@annebonthuis[.]nl>
- "USPS Ground Support" <ppus053130@asante[.]org>
- "USPS Ground Support" <yreiwvgo05@lancasterchambersc[.]com>
- "USPS Ground" <bftany5074720@nationalpeening[.]com>
- "USPS Ground" <pyuijuwx03637@vividdragon[.]com>
- "USPS Ground" <rae86462653@roviba[.]com>
- "USPS Ground" <uhonatom64@hkduroparts[.]com>
- "USPS Ground" <wpyvehel0435183@martyfriedel[.]com>
- "USPS Ground" <wysk7615566@ccwest[.]com>
- "USPS Home Delivery" <ztqwyhov8670001@themcsgroup[.]com>
- "USPS International" <einw2840584@coreheatingandplumbing[.]co[.]uk>
- "USPS International" <obziuda01010226@emailsend[.]com[.]au>
- "USPS International" <unyyy47534@wmusic[.]com[.]cn>
- "USPS Parcels Delivery" <gragro6666344@taxatienieuws[.]nl>
- "USPS Parcels Delivery" <qis32113374@austindevelopments[.]com[.]au>
- "USPS Parcels Delivery" <xnzckreg26778165@nebo[.]edu>
- "USPS Priority Delivery" <aj0@arvakinsurancegroup[.]com>
- "USPS Priority Delivery" <ebipc68814@sodahub[.]in>
- "USPS Priority Parcels" <ihpuod25880856@fengshui-gateway[.]com>
- "USPS Priority Parcels" <oofaoirx24660673@oakleafproperties[.]com>
- "USPS Priority Parcels" <zgqyzip46533540@auth0rity[.]com>
- "USPS Priority" <gmtimgok26405527@cei[.]org>
- "USPS Priority" <gukoldv52771@marlinchemical[.]net>
- "USPS Priority" <maknoat50@villageacupunctureandmassage[.]com>
- "USPS Priority" <tea01227@dutchmanwoodworks[.]com>
- "USPS SameDay" <igaraki785@cpd.ci.concord[.]ca[.]us>
- "USPS SameDay" <oejjouut6583@russquackenbush[.]com>
- "USPS Station Management" <iujhahzd87632020@seafaring[.]ru>
- "USPS Station Management" <pujoqeys4@leydinfreyer[.]com[.]au>
- "USPS Support Management" <rnfynmrk1068052@blumentur[.]com[.]br>
- "USPS Support Management" <yhu024517@ssheladia[.]com>
- "USPS Support" <bigafith33784567@yeweyih[.]com[.]tw>
- "USPS Support" <lyxrinyt06306284@energy-store[.]it>
- "USPS Support" <p1470@exidasp[.]ca>
- "USPS Support" <ybuozwga0047@acme-atlanta[.]com>
- "USPS TechConnect" <eeupuaj58468604@stjoanhershey[.]org>
- "USPS TechConnect" <iwwj34280@byington[.]net>
- "USPS TechConnect" <ovwooud87864426@grandrapidssolargard[.]com>
EXAMPLES OF SUBJECT LINES:
- ATTENTION REQUIRED: PROBLEMS WITH YOUR ITEM
- AUTOMATED letter: moneyback info
- AUTOMATED notice regarding your order's location
- AUTOMATED notification concerning your shipment's location
- AUTOMATED USPS EMAIL CONCERNING YOUR SHIPMENT
- AUTOMATED USPS OFFICIAL LETTER REGARDING YOUR PARCEL
- AUTOMATIC notification: moneyback info
- AUTOMATIC USPS EMAIL IN REGARDS TO YOUR ORDER
- AUTOMATIC USPS OFFICIAL LETTER IN REGARDS TO YOUR PARCEL
- IMMEDIATE ACTION REQUIRED: your parcel's been postponed
- IMMEDIATE ATTENTION NEEDED: your shipment's been delayed
- IMPORTANT USPS MONEYBACK INFO
- IMPORTANT USPS MONEYBACK INFO CONCERNING YOUR ITEM
- IMPORTANT USPS system letter
- IMPORTANT: notice of delay of your package
- IMPORTANT: notice of delay of your parcel
- Major problems reported to the USPS support team
- Official letter from USPS support team
- Official notice from USPS support team
- Official notification concerning your item
- Official notification in regards to your package
- OFFICIAL USPS customer support letter
- OFFICIAL USPS MONEYBACK INFORMATION
- Official USPS notification in regards to your order
- OFFICIAL USPS REFUND INFORMATION
- PROMPT ACTION REQUIRED: your order's been postponed
- PROMPT ATTENTION NEEDED: your item's been delayed
- PROMPT ATTENTION NEEDED: your shipment's been postponed
- There has been an issue with your order
- There has been an issue with your shipment
- There's been an issue with your package
- URGENT: notification of delay of your order
- URGENT: notification of delay of your package
- USPS customer support letter: your package has been delayed
- USPS customer support team notification: your parcel has been postponed
- USPS official notice: big trouble with your order
- USPS official notification: serious problems with your shipment
- USPS OFFICIAL STATEMENT regarding your item
- USPS support notice: your shipment has been delayed
- USPS support statement: your shipment has been delayed
- USPS USER IMPORANT NEW INFORMATION IN REGARDS TO YOUR SHIPMENT
- WARNING: INFO ON A IMPENDING REFUND
- WARNING: you are legally obliged to review the status of your item
- WARNING: you are required to check the status of your shipment
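The sender and subject lists above share a recognisable shape: a display name that starts with "USPS", a throwaway local part (a short letter run followed by digits) at a domain that has nothing to do with USPS, and a templated subject built from an urgency prefix plus a parcel noun. The following triage script is an added example (not code from this site or from the tracker CSV) that scores a message on those three traits; the sample headers are constructed for the example and the usps.com domain check is an assumption about what legitimate USPS mail would use.

```python
import re

# Constructed sample From: and Subject: headers, modelled on the spoofed senders
# and subject lines listed above. The pairings are made up for this example and
# are not taken from the tracker CSV.
SAMPLE_MESSAGES = [
    ('"USPS Express Delivery" <henohe32@caverntours.com>',
     "AUTOMATED notice regarding your order's location"),
    ('"USPS Priority Parcels" <zgqyzip46533540@auth0rity.com>',
     "IMPORTANT USPS MONEYBACK INFO CONCERNING YOUR ITEM"),
    ('"USPS" <noreply@usps.com>',
     "Your package has been delivered"),           # plausible legitimate mail
    ('"Alice Smith" <alice.smith@example.org>',
     "There has been an issue with your order"),   # subject alone is not enough
]

# display name (optionally quoted) followed by <local@domain>
FROM_RE = re.compile(
    r'^\s*"?(?P<name>[^"<]*?)"?\s*<(?P<local>[^@>]+)@(?P<domain>[^>]+)>\s*$'
)
# Local parts in this campaign are a short lowercase letter run followed by digits.
RANDOM_LOCAL_RE = re.compile(r"^[a-z]{1,10}\d{1,10}$")
# Subject template pieces seen above: urgency prefix, USPS/refund wording, parcel noun.
URGENCY_RE = re.compile(
    r"\b(AUTOMAT(?:ED|IC)|IMPORTANT|URGENT|WARNING|IMMEDIATE|PROMPT|OFFICIAL)\b", re.I
)
THEME_RE = re.compile(r"\b(USPS|moneyback|refund|delay(?:ed)?|postponed)\b", re.I)
NOUN_RE = re.compile(r"\b(order|package|parcel|shipment|item)\b", re.I)

# Assumption: genuine USPS mail comes from usps.com or a subdomain of it.
LEGIT_USPS_DOMAINS = ("usps.com",)


def parse_from(header):
    """Split a From: header into (display name, local part, lowercased domain)."""
    m = FROM_RE.match(header)
    if not m:
        return None
    return m.group("name").strip(), m.group("local"), m.group("domain").lower()


def domain_is_legit(domain):
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_USPS_DOMAINS)


def spoof_indicators(from_header, subject):
    """Return the indicators that make a message look like this campaign's malspam.
    An empty list means nothing matched."""
    reasons = []
    parsed = parse_from(from_header)
    if parsed is not None:
        name, local, domain = parsed
        claims_usps = name.upper().startswith("USPS")
        if claims_usps and not domain_is_legit(domain):
            reasons.append("display name claims USPS but sender domain is " + domain)
        if claims_usps and RANDOM_LOCAL_RE.match(local):
            reasons.append("random-looking local part " + local)
    # The subjects above combine an urgency or USPS/refund word with a parcel noun.
    if NOUN_RE.search(subject) and (URGENCY_RE.search(subject) or THEME_RE.search(subject)):
        reasons.append("subject matches the urgency/USPS/parcel template")
    return reasons


def is_suspect(from_header, subject):
    """Flag only when the sender is spoofed; subject wording on its own is too common."""
    return any(r.startswith("display name claims USPS")
               for r in spoof_indicators(from_header, subject))


if __name__ == "__main__":
    for frm, subj in SAMPLE_MESSAGES:
        print(is_suspect(frm, subj), frm, "|", subj, "|", spoof_indicators(frm, subj))
```

The subject check deliberately never flags on its own: "There has been an issue with your order" is ordinary customer-service wording, and the decisive signal is a USPS display name on a mailbox at an unrelated domain. In production the same question is better answered by SPF/DKIM/DMARC alignment on the header From, with this heuristic kept for hunting through mail logs that predate such checks.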
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
LINKS FROM THE EMAILS:
- www.apui95[.]org - GET /download/lsf/53904208ab.html
- www.arcoglass[.]net - GET /3f60caba08.html
- www.ashnoortex.quantapress[.]com - GET /55351bbf17.html
- www.autumnmoon[.]ca - GET /wp-content/423fd4e375.html
- www.avukatiarama[.]com - GET /wp-content/uploads/2017/04/2f8d830cb0.html
- www.bgbaligatraveldiary[.]com - GET /wp-content/uploads/1f91a1c9ee.html
- www.bondhucomputers[.]com - GET /wp-content/uploads/9b759cb904.html
- www.cisportstherapy[.]com - GET /wp-content/53904208ab.html
- www.crmgestao[.]com[.]br - GET /wp-content/themes/converio/02186564fe.html
- www.develop[.]com[.]vc - GET /wp-content/themes/develop/fa7651d6c6.html
- www.fancytiehtx[.]com - GET /wp-content/plugins/wraper/91039cc1b6.html
- www.felixsolis[.]mobi - GET /2a48c06f46.html
- www.focalpointbdg[.]com - GET /wp-content/plugins/278498c41a.html
- www.forkliftlastik[.]org - GET /wp-content/themes/minimize/9b759cb904.html
- www.gonzalez-santiago[.]com - GET /photog/05bd94a5e0.html
- www.imtsus[.]com - GET /wp-content/plugins/wp-blog/2a48c06f46.html
- www.informatica-ag[.]it - GET /wp-content/uploads/58de0d46db.html
- www.kardeslermobilyaizmir[.]com - GET /2a48c06f46.html
- www.laboratorioweb[.]net - GET /wp-content/9b759cb904.html
- www.latifekuskay[.]com - GET /wp-content/plugins/b670991e46.html
- www.nti-rechten[.]nl - GET /wp-content/uploads/2017/04/c75ab8fb60.html
- www.pankajevents[.]com - GET /wp-content/plugins/wraper/3f60caba08.html
- www.pichat[.]info - GET /098925327d.html
- www.sailingmonea[.]com - GET /wp-content/uploads/62fd619f6e.html
- www.shenzhen-mro[.]com - GET /modules/mod_ariimageslidersa/c5f6be8373.html
- www.sotex[.]de - GET /0659cc424a.html
- www.spaziosportsrl[.]com - GET /wp-content/themes/sketch/2f8d830cb0.html
- www.teapotcollector[.]org - GET /wp-content/plugins/wraper/a4b3cada4b.html
- www.trikolkysmile[.]cz - GET /css/67ed877d86.html
- www.uiccoin[.]org - GET /9c1dfb513b.html
REDIRECT:
- 185.189.14[.]112 port 80 - servisedelivery[.]com - GET /tds
- 185.189.14[.]112 port 80 - servisedelivery[.]com - GET /tds/
FAKE WORD ONLINE SITE:
- 185.189.14[.]112 port 80 - statusdelivery[.]com - GET /bot14/lgen.php
- 185.189.14[.]112 port 80 - statusdelivery[.]com - GET /bot14/jgen.php
PARTIAL URLS FROM THE .JS FILES FOR ADDITIONAL MALWARE:
- atrium-nieruchomosci[.]pl - GET /js/js/jscalendar-1.0/lang/counter
- js-electronics[.]be - GET /tmp/yoo_venture_j25/warp/libraries/counter
- lecamorariu[.]ro - GET /counter
- protectie-electromagnetica[.]ro - GET /wp-content/themes/twentythirteen/languages/counter
- smulpapentocht[.]be - GET /administrator/templates/hathor/less/counter
MOLE RANSOMWARE POST-INFECTION TRAFFIC:
- 94.198.98[.]20 port 80 - 94.198.98[.]20 - GET /images/gif/info-static.php
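The traffic above is a fixed sequence of stages: a ten-hex-character .html page on a compromised site, the /tds redirect, the /bot14/lgen.php or jgen.php fake Word Online page, a ".../counter" URL fetched by the .js file, and finally the Mole check-in to /images/gif/info-static.php. The script below is an added example (not code from this site) that classifies proxy log lines by stage and rebuilds the chain per client, so a lone "/counter" hit is reported as weak evidence while the full sequence is reported as an infection. The log format (timestamp, client, host, path) and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed proxy log lines in "timestamp client host path" form, modelled on
# the traffic listed above (made up for this example, not taken from the pcaps).
SAMPLE_LOG = """\
2017-04-26T14:02:11Z 10.0.0.5 www.arcoglass.net /3f60caba08.html
2017-04-26T14:02:12Z 10.0.0.5 servisedelivery.com /tds
2017-04-26T14:02:12Z 10.0.0.5 servisedelivery.com /tds/
2017-04-26T14:02:13Z 10.0.0.5 statusdelivery.com /bot14/lgen.php
2017-04-26T14:02:13Z 10.0.0.5 statusdelivery.com /bot14/jgen.php
2017-04-26T14:02:40Z 10.0.0.5 lecamorariu.ro /counter
2017-04-26T14:03:05Z 10.0.0.5 94.198.98.20 /images/gif/info-static.php
2017-04-26T14:05:00Z 10.0.0.9 www.example.com /wp-content/uploads/logo.png
2017-04-26T14:06:00Z 10.0.0.9 www.example.com /counter
"""

# One pattern per stage of the chain, in the order the stages occur.
STAGE_PATTERNS = [
    # ten-hex-character .html page anywhere under a compromised site
    ("email_link",       re.compile(r"^(?:/[^/]+)*/[0-9a-f]{10}\.html$")),
    ("tds_redirect",     re.compile(r"^/tds/?$")),
    ("fake_word_online", re.compile(r"^/bot\d+/[lj]gen\.php$")),
    # the .js file's follow-up download URL always ends in /counter
    ("js_counter",       re.compile(r"^(?:/[^/]+)*/counter$")),
    ("mole_checkin",     re.compile(r"^/images/gif/info-static\.php$")),
]


def classify_path(path):
    """Return the stage name a request path belongs to, or None."""
    for name, pattern in STAGE_PATTERNS:
        if pattern.match(path):
            return name
    return None


def parse_line(line):
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, host, path = parts
    return ts, client, host, path


def infection_chains(log_text):
    """Group stage hits per client in time order, collapsing repeats of a stage
    (e.g. /tds followed by /tds/, or lgen.php followed by jgen.php)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    records.sort(key=lambda r: r[0])          # ISO timestamps sort lexically
    chains = defaultdict(list)
    for ts, client, host, path in records:
        stage = classify_path(path)
        if stage is None:
            continue
        hits = chains[client]
        if hits and hits[-1]["stage"] == stage:
            continue
        hits.append({"ts": ts, "stage": stage, "host": host, "path": path})
    return dict(chains)


def verdict(hits):
    """Translate the stages seen for one client into a triage verdict."""
    stages = {h["stage"] for h in hits}
    if "mole_checkin" in stages:
        return "mole_infection"          # ransomware check-in observed
    if "fake_word_online" in stages and "js_counter" in stages:
        return "js_executed"             # the .js ran and fetched a payload
    if "tds_redirect" in stages or "fake_word_online" in stages:
        return "lure_clicked"            # landed on the fake Word Online page
    if stages:
        return "weak_indicator"          # e.g. a lone /counter hit
    return "clean"


if __name__ == "__main__":
    for client, hits in infection_chains(SAMPLE_LOG).items():
        print(client, verdict(hits), [h["stage"] for h in hits])
```

Note that the first and fourth stages are generic enough (any ten-hex-character .html, any path ending in /counter) that they should only raise the verdict when a more specific stage is also present; the TDS and /bot14/ requests to 185.189.14[.]112 are the strongest single indicators on this page.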
EMAIL ADDRESSES FROM THE MOLE RANSOMWARE DECRYPTION INSTRUCTIONS:
- A u g u s t S t e e n @ w r i t e m e [.] c o m