2018-01-16 - MALSPAM PUSHES ZEUS PANDA BANKER

ASSOCIATED FILES:

  • 2018-01-16-malspam-pushing-Zeus-Panda-Banker-traffic.pcap   (2,007,479 bytes)
  • 2018-01-16-Zeus-Panda-Banker-binary.exe   (12,832 bytes)
  • 2018-01-16-malspam-pushing-Zeus-Panda-Banker-1253-UTC.eml   (122,290 bytes)
  • 2018-01-18-malspam-attachment-gennaio_sales.xls   (88,576 bytes)

NOTES:

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:

 

EMAIL


Shown above:  Screenshot of the email.

 

EMAIL INFORMATION:

 


Shown above:  The email attachment with the malicious macro.  Macros need to be enabled to start this infection chain.
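One way to triage a saved malspam message like the .eml above before opening anything in Office, as an added example that is not part of the original page: the script below parses a message with Python's standard-library email module, hashes each attachment, and flags macro-capable Office files by extension and by container magic (OLE2 compound document for legacy .xls/.doc, ZIP for OOXML). The message it parses is a constructed sample built inline with a harmless placeholder attachment, not the page's actual .eml or .xls; names such as `triage_attachments` are this example's own.

```python
import email
import hashlib
import os
from email import policy
from email.message import EmailMessage

# Magic bytes for the two container formats Office documents use.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc/.ppt (OLE2)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML .xlsx/.xlsm/.docm etc.

# Extensions that can carry VBA macros (legacy binary formats and the *m variants).
MACRO_CAPABLE_EXT = {".xls", ".xlsm", ".xlsb", ".xlt", ".xltm",
                     ".doc", ".docm", ".dot", ".dotm",
                     ".ppt", ".pptm", ".pot", ".potm"}

# Constructed placeholder attachment: starts with the OLE2 magic so the
# container check fires, but is NOT a real document and carries no macro.
SAMPLE_ATTACHMENT = OLE_MAGIC + b"\x00" * 24 + b"constructed sample, not real malware"


def build_sample_eml() -> bytes:
    """Build a constructed malspam-style message with one .xls attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Gennaio sales"
    msg.set_content("Please see the attached sales sheet.")
    msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                       subtype="vnd.ms-excel", filename="gennaio_sales.xls")
    return msg.as_bytes()


def classify_container(data: bytes) -> str:
    """Identify the attachment container from its leading bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def triage_attachments(raw_eml: bytes) -> list:
    """Return one finding dict per attachment, flagging macro-capable Office files.

    An attachment is marked suspicious when its extension is macro-capable,
    or when the bytes are an OLE2 document regardless of the claimed extension
    (a renamed .xls still opens in Excel and still prompts to enable macros).
    """
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        container = classify_container(data)
        suspicious = ext in MACRO_CAPABLE_EXT or container == "ole2"
        findings.append({
            "filename": name,
            "ext": ext,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "container": container,
            "suspicious": suspicious,
        })
    return findings


if __name__ == "__main__":
    for f in triage_attachments(build_sample_eml()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['filename']} ({f['container']}, {f['size']} bytes) sha256={f['sha256']}")
```

To run this against a real saved message, replace `build_sample_eml()` with the bytes read from the .eml file; the SHA256 values it prints can then be compared with the hashes listed on a page like this one without ever opening the attachment. A ZIP-container hit should be followed by a check for a `vbaProject.bin` entry, which this example does not do.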

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 


Shown above:  HTTPS URLs from the infection as seen in Fiddler web debugger.

 

INFECTION TRAFFIC:

 

MALWARE

EMAIL ATTACHMENT:

FOLLOW-UP MALWARE:

 

IMAGES


Shown above:  Alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.

 


Shown above:  Some alerts on the infection traffic from the Snort subscriber ruleset when reading the pcap with Snort 2.9.11.

 


Shown above:  Registry key and associated malware persistent on an infected Windows host.

 


Shown above:  Another example of the malware persistent on an infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
