2018-05-25 - NECURS BOTNET MALSPAM PUSHES FLAWED AMMYY RAT

ASSOCIATED FILES:

  • 2018-05-25-Necurs-Botnet-malspam-tracker.csv   1,104 bytes
  • 2018-05-25-Necurs-Botnet-malspam-7-email-examples.txt   8,802 bytes
  • 2018-05-25-Necurs-Botnet-malspam-sends-Flawwed-Ammyy.pcap   1,056,042 bytes
  • 2018-05-25-Downloader-for-Flawed-Ammyy-from-Necurs-Botnet-malspam.exe   126,464 bytes
  • 2018-05-25-Flawed-Ammyy-from-Necurs-Botnet-malspam.exe   856,064 bytes
  • 2018-05-25-Necurs-Botnet-malspam-attachment-example.iqy.txt   49 bytes
  • 2018-05-25-scheduled-task-to-keep-Flawed-Ammyy-persistent-Microsoft_Window_Center.xml.txt   3,212 bytes

NOTES:

 

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domain:

 

EMAIL


Shown above:  Screenshot of the spreadsheet tracker.

 


Shown above:  Screenshot from one of the emails.

 

EMAILS COLLECTED:

(READ: Date/Time -- Received: from -- Sender (spoofed) -- Subject line -- Attachment name)

 


Shown above:  The attached IQY file when double-clicked.

 


Shown above:  Actual contents of the attached IQY file shown in a text editor.
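An IQY file is a plain-text Excel Web Query: a "WEB" keyword, a version line, and the URL Excel fetches as soon as the file is opened, which is what produces the first HTTP request in the traffic below. The following is an added example, not code from this analysis, that parses an .iqy attachment and reports the properties a mail filter would act on. The sample file and its hostname are constructed placeholders, not indicators from this infection.

```python
# Added example (not from the original analysis): parse an Excel Web Query
# (.iqy) attachment and pull out the URL Excel will fetch when it is opened.
from urllib.parse import urlsplit
import ipaddress

# Constructed sample with the minimal .iqy layout: "WEB", a version line, then
# the URL.  The hostname is a placeholder, not an indicator from this analysis.
SAMPLE_IQY = "WEB\r\n1\r\nhttp://example.invalid/1.dat\r\n"


def parse_iqy(text):
    """Return {'version', 'url', 'params'} for a WEB query, or None otherwise."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    params = {}
    # Optional key=value lines (Selection=, Formatting=, ...) follow the URL.
    for ln in lines[3:]:
        if "=" in ln:
            key, value = ln.split("=", 1)
            params[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "params": params}


def assess_iqy(text):
    """Flag the properties a mail gateway would care about for an emailed .iqy."""
    parsed = parse_iqy(text)
    if parsed is None:
        return {"is_web_query": False, "url": None, "host": None, "flags": []}
    parts = urlsplit(parsed["url"])
    flags = []
    if parts.scheme in ("http", "https"):
        flags.append("remote_fetch")   # Excel will contact this host on open
    if parts.scheme == "http":
        flags.append("cleartext")      # response can be swapped in transit
    try:
        ipaddress.ip_address(parts.hostname or "")
        flags.append("bare_ip")        # literal IP instead of a DNS name
    except ValueError:
        pass
    return {"is_web_query": True, "url": parsed["url"],
            "host": parts.hostname, "flags": flags}


if __name__ == "__main__":
    print(assess_iqy(SAMPLE_IQY))
```

Because the attachment is only 49 bytes of text, signature-based scanning has little to work with; matching on the "WEB" header plus any remote URL, as above, is a more reliable gate than hashes for this attachment type.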

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

 


Shown above:  TCP stream for the first HTTP request caused by opening the IQY file in Microsoft Excel.

 


Shown above:  The second HTTP request returned a script for PowerShell.

 


Shown above:  The third HTTP request returned the initial Windows executable.

 


Shown above:  The fourth HTTP request returned a Flawed Ammyy executable, but it was encrypted as it came over the network.

 


Shown above:  Callback traffic caused by the Flawed Ammyy executable.

 

FILE HASHES

MALSPAM ATTACHMENTS:

INITIAL EXECUTABLE:

FOLLOW-UP EXECUTABLE:

 

ADDITIONAL IMAGES


Shown above:  Scheduled task to keep the Flawed Ammyy infection persistent.
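Scheduled-task persistence is easy to review once the task is exported as XML: the trigger, the principal's run level, the hidden setting, and the Exec command are all in well-known elements of the Task Scheduler schema. The following is an added example, not the task XML captured in this analysis, that parses such a definition and flags the traits worth escalating. The sample task and its command path are constructed placeholders.

```python
# Added example (not the task XML captured in this analysis): parse a Task
# Scheduler XML definition and flag the persistence traits worth reviewing.
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample; the command path is a placeholder, not the real dropper.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\ProgramData\\placeholder.exe</Command>
      <Arguments>-service</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Directories from which a legitimate task binary normally runs.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def _local(tag):
    """Strip the namespace from an ElementTree tag name."""
    return tag.split("}", 1)[-1]


def analyze_task_xml(xml_text):
    """Return triggers, Exec actions and review flags for a task definition."""
    root = ET.fromstring(xml_text)
    trig_el = root.find("t:Triggers", TASK_NS)
    triggers = [] if trig_el is None else [_local(t.tag) for t in trig_el]

    commands = []
    for ex in root.findall(".//t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        commands.append((cmd, args))

    hidden = root.findtext(".//t:Settings/t:Hidden", default="false",
                           namespaces=TASK_NS).strip().lower() == "true"
    run_level = root.findtext(".//t:Principal/t:RunLevel", default="",
                              namespaces=TASK_NS).strip()

    flags = []
    if any(t in ("LogonTrigger", "BootTrigger") for t in triggers):
        flags.append("runs_at_logon_or_boot")
    if any(not c.lower().strip('"').startswith(TRUSTED_PREFIXES) for c, _ in commands):
        flags.append("exec_outside_system_dirs")  # e.g. ProgramData, Temp, AppData
    if hidden:
        flags.append("hidden")                     # not shown in Task Scheduler UI
    if run_level == "HighestAvailable":
        flags.append("highest_available")          # asks for the elevated token
    return {"triggers": triggers, "commands": commands, "flags": flags}


if __name__ == "__main__":
    print(analyze_task_xml(SAMPLE_TASK_XML))
```

On a live host the same XML can be exported with "schtasks /Query /TN <name> /XML" for every task and fed through this function; the combination of a logon trigger, a hidden task, and a command under ProgramData or a user profile is the pattern to look for.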

 


Shown above:  Alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.