2017-08-07 - FAKE BBB MALSPAM USES GOO.GL LINKS TO SEND JAVASCRIPT FILE

ASSOCIATED FILES:

  • 2017-08-07-fake-BBB-malspam-141743-UTC.eml   (2,010 bytes)
  • 2017-08-07-fake-BBB-malspam-143725-UTC.eml   (1,407 bytes)
  • 2017-08-07-fake-BBB-malspam-143854-UTC.eml   (1,916 bytes)
  • 2017-08-07-fake-BBB-malspam-143855-UTC.eml   (1,676 bytes)
  • 2017-08-07-fake-BBB-malspam-143918-UTC.eml   (1,499 bytes)
  • 2017-08-07-fake-BBB-malspam-143929-UTC.eml   (1,624 bytes)
  • 2017-08-07-fake-BBB-malspam-143931-UTC.eml   (1,642 bytes)
  • 2017-08-07-fake-BBB-malspam-143932-UTC.eml   (1,673 bytes)
  • 2017-08-07-fake-BBB-malspam-144109-UTC.eml   (1,690 bytes)
  • 2017-08-07-fake-BBB-malspam-144314-UTC.eml   (1,646 bytes)
  • 2017-08-07-fake-BBB-malspam-traffic.pcap   (67,067 bytes)
  • 2017-08-07-metrics.kz-analytics-google-ter-logs.txt   (43,850 bytes)
  • 40774.doc   (119,296 bytes)
  • 41041.txt.dll   (553,029 bytes)
  • 50151.txt.dll   (233,984 bytes)
  • Compliant_29769200-352.js   (498,846 bytes)
  • D6593BD61CC8.txt   (7,375 bytes)

 

INTRODUCTION

Earlier today, two different people notified the Internet Storm Center (ISC) through our contact form about malicious spam (malspam) impersonating the Better Business Bureau (BBB).  These fake BBB emails contained links through Google's goo.gl URL shortener that redirected to a malicious JavaScript (.js) file.

In both cases, the fake BBB malspam was sent to personnel in the targeted organizations' HR departments.  All of the infection traffic generated by this malspam was HTTPS, and I didn't notice any alerts on the network traffic.

This blog post reviews infection activity caused by this malspam.  My thanks to the two individuals who provided me examples of the emails.

 

THE EMAILS


Shown above:  Screenshot from one of the malicious emails.

 

These malicious emails were tailored to the targeted companies.  The recipient's name appeared in the message text, and the company name appeared in both the subject line and the message text.  The sending addresses and sending hosts varied from message to message, which suggests botnet-based malspam.  I sanitized 10 emails from this malspam, and they are available in the email archive for this blog post.

READ:  Date/Time - Sending mail server or host (IP address) -- Sending email address (possibly spoofed)

 

Examples of the subject lines follow:

 

I found 29 goo.gl URLs that led to malware.  I've "de-fanged" them in the list below:
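To turn a batch of the .eml files into the "Date/Time - sending host (IP) -- sender address" lines described above, and to pull the goo.gl links out of the message bodies and de-fang them, here is an added Python example.  It is not code from the original diary.  It assumes the first Received header is the one written by the recipient's own mail exchanger and that it carries the connecting host's IP address in square brackets; the sample message, its TEST-NET address, its names, and the goo.gl path are constructed placeholders rather than data from the ten real emails.

```python
import re
from datetime import timezone
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (not one of the ten emails from the post): TEST-NET
# address, placeholder names and a placeholder goo.gl path.
SAMPLE_EML = """\
Received: from mail.example.net (mail.example.net [203.0.113.45])
  by mx.victim.example (Postfix) with ESMTP id 3xZ1k2
  for <hr@victim.example>; Mon, 07 Aug 2017 10:17:43 -0400
From: "Better Business Bureau" <complaints@example.net>
To: hr@victim.example
Subject: BBB complaint against Victim Corp
Date: Mon, 07 Aug 2017 10:17:43 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Dear Jane Doe,

A complaint was filed against Victim Corp. Review it at
https://goo.gl/EXAMPLE1 within 48 hours.
"""

# "from <host> (<anything> [<ipv4>])" as written by most MTAs
RECEIVED_RE = re.compile(r'from\s+(?P<host>\S+)\s*\([^)]*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]')
GOOGL_RE = re.compile(r'https?://goo\.gl/[A-Za-z0-9]+')


def defang(url: str) -> str:
    """hxxp(s):// and [.] in the host so the link cannot be clicked by accident."""
    scheme, rest = url.split('://', 1)
    host, sep, path = rest.partition('/')
    return scheme.replace('http', 'hxxp', 1) + '://' + host.replace('.', '[.]') + sep + path


def sender_line(msg) -> str:
    """Build 'Date/Time - sending host (IP) -- sender address' from a parsed message."""
    when = parsedate_to_datetime(str(msg['Date'])).astimezone(timezone.utc)
    host, ip = '?', '?'
    for hop in msg.get_all('Received') or []:   # first header = last hop = host that talked to our MX
        m = RECEIVED_RE.search(str(hop))
        if m:
            host, ip = m.group('host'), m.group('ip')
            break
    sender = parseaddr(str(msg['From']))[1] or '?'
    return f"{when:%Y-%m-%d %H:%M:%S} UTC - {host} ({ip}) -- {sender}"


def goo_gl_links(msg) -> list:
    """De-fanged goo.gl URLs from the text body (HTML body as fallback), in order, de-duplicated."""
    body = msg.get_body(preferencelist=('plain', 'html'))
    text = body.get_content() if body is not None else ''
    seen, out = set(), []
    for url in GOOGL_RE.findall(text):
        if url not in seen:
            seen.add(url)
            out.append(defang(url))
    return out


def summarize(raw: str) -> dict:
    """Parse one .eml and return the sender line, subject and de-fanged goo.gl links."""
    msg = message_from_string(raw, policy=policy.default)
    return {'sender': sender_line(msg), 'subject': str(msg['Subject']), 'links': goo_gl_links(msg)}


if __name__ == '__main__':
    import sys
    sources = [open(p, encoding='utf-8', errors='replace').read() for p in sys.argv[1:]] or [SAMPLE_EML]
    for raw in sources:
        s = summarize(raw)
        print(s['sender'], '|', s['subject'], '|', ', '.join(s['links']))
```

Run it as `python summarize_eml.py *.eml` against the sanitized archive to reproduce the sender list and the de-fanged URL list; with no arguments it processes the constructed sample.  Timestamps are normalized to UTC so they line up with the UTC times in the .eml file names.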

 

GRABBING A JAVASCRIPT FILE FROM AN EMAIL LINK

The goo.gl URLs all redirected to the same URL on bbbcompliance.com, which served the JavaScript file.  The domain bbbcompliance.com was registered through NameCheap on 2017-08-03 (only four days ago as I write this).  The JavaScript file showed as 487 KB (498,846 bytes) when downloaded through Internet Explorer.


Shown above:  Receiving the JavaScript file after clicking a goo.gl link in one of the emails.

 


Shown above:  Start of the contents for the downloaded JavaScript file.

 


Shown above:  Double-clicking on the JavaScript file in Windows revealed a publisher.

 

RUNNING THE DOWNLOADED JAVASCRIPT FILE

Double-clicking the JavaScript file on a Windows desktop (where a .js file opens with Windows Script Host by default) caused a decoy Word document to appear on the victim's desktop.  Meanwhile, other more sinister activity happened behind the scenes.


Shown above:  The decoy Word document is a fake abuse complaint form.

 

As shown below, a DLL file was dropped alongside the decoy Word document in the user's AppData\Roaming directory.  The DLL file was dropped with a .txt file extension, and the following process was noted in association with this file:


Shown above:  The first DLL file noted during this infection.

 

After approximately 2 minutes, the DLL file disappeared, and a different file with a .txt extension replaced it.  This new file was a text file with JavaScript.  The following process was noted in association with this text file:


Shown above:  Another file appeared after the previous one disappeared.

 

After another minute or two, I noticed another process associated with some post-infection traffic:

 

A second DLL was downloaded from metrics.kz and also stored with a .txt file extension, but I didn't catch the associated process.
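Both dropped DLLs and the intermediate JavaScript file were written to AppData\Roaming with a .txt extension, so a scan that trusts extensions misses them.  The following Python is an added example, not code from the original diary, that classifies .txt files by content: it reads the DOS header's e_lfanew field, checks for the PE signature, and reads the COFF Characteristics flag to tell a DLL from an EXE, and it flags text files that carry Windows Script Host-style JavaScript.  The sample directory, the file names in it, and the minimal DLL header are constructed for the demo; they are not the files from this infection.

```python
import struct
import sys
import tempfile
from pathlib import Path

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics flag: image is a DLL


def classify_bytes(data: bytes) -> str:
    """Classify a file by content: 'pe-dll', 'pe-exe', 'pe-stub', 'script', 'text' or 'binary'.

    The extension is deliberately ignored: the dropped DLLs in this infection carried .txt.
    """
    if data[:2] == b'MZ':
        if len(data) < 0x40:
            return 'pe-stub'
        e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]       # offset of 'PE\0\0'
        if data[e_lfanew:e_lfanew + 4] == b'PE\0\0' and len(data) >= e_lfanew + 24:
            characteristics = struct.unpack_from('<H', data, e_lfanew + 22)[0]
            return 'pe-dll' if characteristics & IMAGE_FILE_DLL else 'pe-exe'
        return 'pe-stub'                                         # MZ magic but no PE header in what we read
    try:
        text = data.decode('utf-8')
    except UnicodeDecodeError:
        return 'binary'
    # Crude but effective markers for a WSH-style JavaScript file saved as "text".
    if any(tok in text for tok in ('function', 'var ', 'eval(', 'ActiveXObject', 'WScript')):
        return 'script'
    return 'text'


def scan_masquerading(directory, ext='.txt', head=65536) -> dict:
    """Map file name -> class for every *<ext> under directory whose content is not plain text.

    Only the first `head` bytes are read; e_lfanew in real binaries sits well inside that.
    """
    findings = {}
    for path in Path(directory).rglob('*' + ext):
        if path.is_file():
            with open(path, 'rb') as fh:
                kind = classify_bytes(fh.read(head))
            if kind != 'text':
                findings[path.name] = kind
    return findings


def minimal_dll_bytes() -> bytes:
    """Constructed stand-in for a dropped DLL: DOS stub, PE signature and a COFF header with the DLL flag."""
    stub = bytearray(0x40)
    stub[:2] = b'MZ'
    struct.pack_into('<I', stub, 0x3C, 0x40)                     # e_lfanew: PE header follows the stub
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # i386, 1 section, EXECUTABLE|32BIT|DLL
    return bytes(stub) + b'PE\0\0' + coff


def build_demo_dir() -> str:
    """Temp directory with constructed samples: a DLL as .txt, a JS file as .txt, and a real text file."""
    d = tempfile.mkdtemp(prefix='roaming-demo-')
    Path(d, 'dropped1.txt').write_bytes(minimal_dll_bytes())
    Path(d, 'dropped2.txt').write_text('var sh = new ActiveXObject("WScript.Shell");\n')
    Path(d, 'notes.txt').write_text('Just an ordinary text file.\n')
    return d


if __name__ == '__main__':
    # On a live host: python scan.py %APPDATA%   (cmd.exe expands the variable); or point it at a mounted image.
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_dir()
    for name, kind in sorted(scan_masquerading(target).items()):
        print(f'{kind:8} {name}')
```

The content check is what matters here: a dropped DLL renamed to .txt still begins with the MZ/PE headers, and the Characteristics flag (IMAGE_FILE_DLL) separates a library loaded via rundll32 or a loader process from a stand-alone executable.  The script-marker list is intentionally simple; tune it to the droppers you actually see.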

 

INFECTION TRAFFIC


Shown above:  The infection traffic as noted in Fiddler.

 


Shown above:  The infection traffic, filtered in Wireshark.

 

ASSOCIATED DOMAINS:

 

FILE HASHES

DOWNLOADED JAVASCRIPT FILE:

DROPPED DLL FILE (1 OF 2):

DROPPED DLL FILE (2 OF 2):

DECOY WORD DOCUMENT (NOT INHERENTLY MALICIOUS):

 

FINAL NOTES

This infection traffic is interesting because it is all HTTPS.  No URLs are visible unless you have TLS decryption (in the lab, a man-in-the-middle proxy such as Fiddler) and can look at the actual HTTP requests inside the encrypted sessions.  That makes it an effective way to avoid most Snort- or Suricata-based alerts, which are generally written against cleartext request content.  What does remain visible without decryption is the DNS resolution of the domains, the server name indication (SNI) in the TLS client hello, and the server certificate, so the associated domains are still usable for network-based detection.
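As an added example (not part of the original diary), here is a minimal Python parser for the one field the encrypted sessions still expose: the server_name extension in the ClientHello.  The ClientHello builder is a constructed stand-in so the block runs offline; the record layout follows the TLS 1.2 wire format, and the hostnames fed to it are the two domains named in this post.

```python
import struct

SNI_EXT = 0x0000        # server_name extension type (RFC 6066)


def build_client_hello(hostname: str) -> bytes:
    """Constructed TLS 1.2 ClientHello record carrying an SNI extension (not taken from the pcap)."""
    name = hostname.encode('ascii')
    entry = b'\x00' + struct.pack('>H', len(name)) + name            # name_type host_name(0), length, name
    sni_list = struct.pack('>H', len(entry)) + entry
    ext_sni = struct.pack('>HH', SNI_EXT, len(sni_list)) + sni_list
    ext_other = struct.pack('>HH', 0x000b, 2) + b'\x01\x00'          # ec_point_formats, present to be skipped
    exts = ext_other + ext_sni
    body = (b'\x03\x03' + bytes(32)                                  # client_version 1.2, random (zeros here)
            + b'\x00'                                                # session_id length 0
            + struct.pack('>H', 4) + b'\xc0\x2f\xc0\x30'             # two cipher suites
            + b'\x01\x00'                                            # one compression method: null
            + struct.pack('>H', len(exts)) + exts)
    handshake = b'\x01' + len(body).to_bytes(3, 'big') + body        # HandshakeType client_hello
    return b'\x16\x03\x01' + struct.pack('>H', len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension of a ClientHello record, else None.

    Feed it the first TLS record of the client->server TCP payload.  Truncated or
    non-ClientHello input yields None rather than an exception.
    """
    try:
        if record[0] != 0x16:                                        # not a Handshake record
            return None
        rec_len = struct.unpack_from('>H', record, 3)[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                            # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], 'big')]
        pos = 2 + 32                                                 # skip client_version and random
        pos += 1 + body[pos]                                         # session_id
        pos += 2 + struct.unpack_from('>H', body, pos)[0]            # cipher_suites
        pos += 1 + body[pos]                                         # compression_methods
        if pos + 2 > len(body):
            return None                                              # no extensions at all
        ext_end = pos + 2 + struct.unpack_from('>H', body, pos)[0]
        pos += 2
        while pos + 4 <= min(ext_end, len(body)):
            etype, elen = struct.unpack_from('>HH', body, pos)
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != SNI_EXT:
                continue
            p = 2                                                    # skip server_name_list length
            while p + 3 <= len(edata):
                ntype, nlen = edata[p], struct.unpack_from('>H', edata, p + 1)[0]
                p += 3
                if ntype == 0:                                       # host_name
                    return edata[p:p + nlen].decode('ascii', 'replace')
                p += nlen
        return None
    except (IndexError, struct.error):
        return None


if __name__ == '__main__':
    for host in ('bbbcompliance.com', 'metrics.kz'):
        print(host, '->', extract_sni(build_client_hello(host)))
```

On the pcap itself the same field is available without writing a parser: `tshark -r 2017-08-07-fake-BBB-malspam-traffic.pcap -Y "ssl.handshake.type == 1" -T fields -e ip.dst -e ssl.handshake.extensions_server_name` (Wireshark 3.0 and later use the `tls.` prefix instead of `ssl.`).  An IDS rule keyed on the SNI or on the DNS query for the domain will fire where a rule on the URL cannot.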

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
