2018-08-21 - MORE MALSPAM WITH PASSWORD-PROTECTED WORD DOCS, NOW PUSHING NEUTRINO MALWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2018-08-21-malspam-with-password-protected-Word-doc-1715-UTC.eml.zip 32.1 kB (32,078 bytes)
- 2018-08-21-infection-traffic-from-password-protected-Word-doc.pcap.zip 423 kB (422,979 bytes)
- 2018-08-21-malware-from-password-protected-Word-doc-infection.zip 258 kB (258,335 bytes)
NOTES:
- I've been documenting this type of malspam with password-protected Word docs whenever I run across an example.
- Last week on 2018-08-15, I found a few examples similar to today's malspam, which I documented in this ISC diary.
- At that time, they were pushing AZORult and Hermes ransomware.
- Today, the same type of malspam pushed Neutrino malware.
- Today's sample is very VM-aware, and it's also very aware of the IP you're coming from.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following URL and domain:
- hxxp[:]//209.141.59[.]124/1.exe
- securityupdateserver4[.]com
EMAIL EXAMPLE
MALSPAM EMAIL HEADERS AND MESSAGE TEXT:
Received: from 180therapies[.]info (180therapies.info [46.161.42[.]25]) by [removed] for [removed];
Tue, 21 Aug 2018 20:23:54 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=mail;
d=180therapies[.]info;
h=MIME-Version:To:From:Subject:Date:Content-Type:Message-ID;
i=info@180therapies[.]info;
bh=C+YwAWrS/m12Cl8g0ZKkP1XcAVqiLzX6YVZJyFzsvjU=;
b=UmMhQIqggO2l5Gfm5f/zAdowSwpYZTyS0uee9fQtGNH5CJPnBFlqWffVUKuO18krd4XSdpnl1u+Q
QPb5m8h+MnGjD6Wo9inaJ/VLiWAE/Ufu1W749yFh0IgTb9+y9fZjwcSQfkwABsYGLk9Q25ACuMKc
Sg8lUa0bECYZ2V+0DQQ=
MIME-Version: 1.0
To: [removed]
From: Lurlene Zeh =?UTF-8?B?wqA=?= <info@180therapies[.]info>
Subject: Invoice Due
Date: Tue, 21 Aug 2018 19:15:58 +0200
Importance: normal
X-Priority: 3
Content-Type: multipart/mixed;
boundary="_99B7D467-63E9-37FE-5929-310C12BECFEB_"
Message-ID: <p3t0l0l-utzqfe-C1@180therapies[.]info>
This is a multi-part message in MIME format
--_99B7D467-63E9-37FE-5929-310C12BECFEB_
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: base64
VGhpcyBpcyB0byBpbmZvcm0geW91IHRoYXQgdGhlcmUgaXMgc3RpbGwgYW4gb3V0c3RhbmRpbmcg
cGF5bWVudCBvZiAkMTIsMzQwIFVTRC4gV2Ugd291bGQgYXBwcmljaWF0ZSBpdCBpZiB0aGlzIGNv
dWxkIGJlIHNldHRsZWQgbm8gbGF0ZXIgdGhhbiB0aGUgMjB0aC4NCg0KSSBoYXZlIGF0dGFjaGVk
IHRoZSBjdXJyZW50IGludm9pY2UgYW5kIHRoZSBwYXNzd29yZCBmb3IgdGhlIGRvY3VtZW50IGlz
OiAxMjM0DQoNClRoYW5rIHlvdS4NCg0KTHVybGVuZSBaZWggwqANClByb3RlcnJhDQpBY2NvdW50
cyBQYXlhYmxlDQoxODE1IFJvbGxpbnMgUm9hZCwgIA0KQnVybGluZ2FtZSwgQ0EgOTQwMTANClBo
b25lOiA4NjQtNDM4LTAwMDANCkV4dDogODE5MA0K
--_99B7D467-63E9-37FE-5929-310C12BECFEB_
Content-Type: application/msword;
name="invoice.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="invoice.doc"
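As an added example (not code from the original page or its author), the following Python rebuilds the email sample above from the headers and the base64 body shown, attaches a constructed stand-in for invoice.doc (the page does not reproduce the attachment bytes), and runs the triage steps a defender would apply to such a message: decode the body, pull out the document password the sender hands over, and size, hash and fingerprint each attachment. Domains stay defanged exactly as on the page; the recipient, the attachment bytes and the regex are my assumptions.

```python
import base64
import email
import email.policy
import hashlib
import re

# Added example, not the page's own code. BODY_B64 is the base64 text from the
# email sample above; the attachment bytes below are CONSTRUCTED.
BOUNDARY = "_99B7D467-63E9-37FE-5929-310C12BECFEB_"
BODY_B64 = (
    "VGhpcyBpcyB0byBpbmZvcm0geW91IHRoYXQgdGhlcmUgaXMgc3RpbGwgYW4gb3V0c3RhbmRpbmcg\r\n"
    "cGF5bWVudCBvZiAkMTIsMzQwIFVTRC4gV2Ugd291bGQgYXBwcmljaWF0ZSBpdCBpZiB0aGlzIGNv\r\n"
    "dWxkIGJlIHNldHRsZWQgbm8gbGF0ZXIgdGhhbiB0aGUgMjB0aC4NCg0KSSBoYXZlIGF0dGFjaGVk\r\n"
    "IHRoZSBjdXJyZW50IGludm9pY2UgYW5kIHRoZSBwYXNzd29yZCBmb3IgdGhlIGRvY3VtZW50IGlz\r\n"
    "OiAxMjM0DQoNClRoYW5rIHlvdS4NCg0KTHVybGVuZSBaZWggwqANClByb3RlcnJhDQpBY2NvdW50\r\n"
    "cyBQYXlhYmxlDQoxODE1IFJvbGxpbnMgUm9hZCwgIA0KQnVybGluZ2FtZSwgQ0EgOTQwMTANClBo\r\n"
    "b25lOiA4NjQtNDM4LTAwMDANCkV4dDogODE5MA0K\r\n"
)
# OLE2 compound-file magic plus zero filler: a stand-in for the real
# invoice.doc, which is deliberately not reproduced here.
FAKE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56

RAW_EML = "".join([
    "From: Lurlene Zeh =?UTF-8?B?wqA=?= <info@180therapies[.]info>\r\n",
    "To: [removed]\r\n",
    "Subject: Invoice Due\r\n",
    "Date: Tue, 21 Aug 2018 19:15:58 +0200\r\n",
    "MIME-Version: 1.0\r\n",
    f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\r\n',
    "Message-ID: <p3t0l0l-utzqfe-C1@180therapies[.]info>\r\n",
    "\r\n",
    "This is a multi-part message in MIME format\r\n",
    f"--{BOUNDARY}\r\n",
    "Content-Type: text/plain; charset=UTF-8\r\n",
    "Content-Transfer-Encoding: base64\r\n",
    "\r\n",
    BODY_B64,
    f"--{BOUNDARY}\r\n",
    'Content-Type: application/msword; name="invoice.doc"\r\n',
    "Content-Transfer-Encoding: base64\r\n",
    'Content-Disposition: attachment; filename="invoice.doc"\r\n',
    "\r\n",
    base64.encodebytes(FAKE_DOC).decode("ascii"),
    f"--{BOUNDARY}--\r\n",
]).encode("utf-8")

# Catches "the password for the document is: 1234" and similar phrasings.
PASSWORD_RE = re.compile(r"password\b[^:\r\n]{0,60}:\s*(\S+)", re.IGNORECASE)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def triage_eml(raw: bytes) -> dict:
    """Decode the text body, extract any document password the sender supplies,
    fingerprint each attachment and flag the password + OLE attachment combo."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    passwords = PASSWORD_RE.findall(body)
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):  # text/* attachments come back as str
            data = data.encode("utf-8", "replace")
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "ole_container": data.startswith(OLE_MAGIC),  # legacy .doc/.xls format
        })
    suspicious = bool(passwords) and any(a["ole_container"] for a in attachments)
    return {
        "subject": str(msg["Subject"]),
        "body": body,
        "passwords": passwords,
        "attachments": attachments,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    result = triage_eml(RAW_EML)
    print("subject:", result["subject"])
    print("passwords offered in body:", result["passwords"])
    for att in result["attachments"]:
        print(att)
    print("suspicious:", result["suspicious"])
```

The useful signal here is the combination: a password stated in the body plus a legacy OLE container as the attachment, which is exactly what lets this lure slip past gateways that cannot open the document. The extracted password and SHA256 are what you would carry into sandbox detonation or compare against the hash listed further down this page.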
TRAFFIC
TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 209.141.59[.]124 port 80 - 209.141.59[.]124 - GET /1.exe
- 47.74.40[.]118 port 80 - securityupdateserver4[.]com - POST /tasks.php
- 47.74.40[.]118 port 80 - securityupdateserver4[.]com - GET /modules/x64payload.core
- 47.74.40[.]118 port 80 - securityupdateserver4[.]com - GET /modules/x86payload.core
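The traffic list above is written in defanged form, so a matcher has to refang it before comparing against real logs. As an added example (not code from the original page), the Python below loads the page's URL, domain and IP indicators, adds two host-independent patterns for the check-in and module download seen in this infection, and runs them over a constructed proxy-style log whose format ("ts src dst method host uri") and benign lines are my assumptions.

```python
import re
from typing import List, NamedTuple, Tuple

# Added example, not the page's own code. Indicators are copied from the
# traffic list above in their defanged form and refanged at load time.


def refang(value: str) -> str:
    return value.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


URL_IOCS = {refang("hxxp[:]//209.141.59[.]124/1.exe")}
HOST_IOCS = {refang("securityupdateserver4[.]com")}
IP_IOCS = {refang("209.141.59[.]124"), refang("47.74.40[.]118")}
# Behavioural patterns from the observed check-in and module download, kept
# host-independent so they still fire if the C2 domain is rotated.
TASKS_RE = re.compile(r"^/tasks\.php$", re.IGNORECASE)
PAYLOAD_RE = re.compile(r"^/modules/x(86|64)payload\.core$", re.IGNORECASE)


class HttpRecord(NamedTuple):
    ts: str
    src: str
    dst: str
    method: str
    host: str
    uri: str


# CONSTRUCTED proxy-style log. The four middle lines mirror the requests
# listed above; the first and last are benign noise (RFC 5737 test addresses).
SAMPLE_LOG = """\
2018-08-21T17:15:40Z 10.8.21.101 192.0.2.10 GET www.example.com /index.html
2018-08-21T17:16:02Z 10.8.21.101 209.141.59.124 GET 209.141.59.124 /1.exe
2018-08-21T17:16:09Z 10.8.21.101 47.74.40.118 POST securityupdateserver4.com /tasks.php
2018-08-21T17:16:11Z 10.8.21.101 47.74.40.118 GET securityupdateserver4.com /modules/x64payload.core
2018-08-21T17:16:12Z 10.8.21.101 47.74.40.118 GET securityupdateserver4.com /modules/x86payload.core
2018-08-21T17:16:30Z 10.8.21.101 192.0.2.20 GET update.example.net /modules/readme.txt
"""


def parse_line(line: str) -> HttpRecord:
    return HttpRecord(*line.split(None, 5))


def check(rec: HttpRecord) -> List[str]:
    """Return every indicator or behaviour reason a record matches."""
    reasons = []
    if f"http://{rec.host}{rec.uri}" in URL_IOCS:
        reasons.append("url")
    if rec.host.lower() in HOST_IOCS:
        reasons.append("domain")
    if rec.dst in IP_IOCS:
        reasons.append("ip")
    if rec.method == "POST" and TASKS_RE.match(rec.uri):
        reasons.append("c2-checkin")
    if rec.method == "GET" and PAYLOAD_RE.match(rec.uri):
        reasons.append("module-download")
    return reasons


def scan(log_text: str) -> List[Tuple[HttpRecord, List[str]]]:
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = check(rec)
        if reasons:
            hits.append((rec, reasons))
    return hits


if __name__ == "__main__":
    for rec, reasons in scan(SAMPLE_LOG):
        print(rec.ts, rec.method, rec.host + rec.uri, "->", ", ".join(reasons))
```

The exact-match indicators expire quickly once the operators move hosts; the URI-shape matches (a POST to /tasks.php followed by GETs for x64payload.core and x86payload.core) are the part worth keeping in a Suricata or proxy rule, and they are what the EmergingThreats coverage mentioned in the images section keys on.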
MALWARE
MALWARE FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: 07149d3a048c218a69d5ea0f1093c164623b2382baa0612ad94b56d9a01d256d
File size: 39,424 bytes
File name: invoice.doc
File description: Password-protected Word doc attached to the malspam
- SHA256 hash: 66d1ee6634c00685505e93d2c5f3cd30ab77ecaf5698774715dc95decb76970b
File size: 397,312 bytes
File location: C:\Users\[username]\AppData\Local\Temp\qwerty2.exe
WINDOWS REGISTRY UPDATE FROM THE INFECTED WINDOWS HOST:
- Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value name: (Default)
Value type: REG_SZ
Value data: Rundll32.exe SHELL32.DLL,ShellExec_RunDLL C:\Users\[username]\AppData\Local\Temp\qwerty2.exe
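As an added example, not from the page, here is a Python check over Run-key entries that scores the two traits visible in the persistence entry above: launching the payload indirectly through rundll32 shell32.dll,ShellExec_RunDLL, and a target sitting in the user's Temp folder. The entries are constructed (the first mirrors the page's entry with a placeholder user name, the others are benign look-alikes), and the "(Default)" value heuristic is my assumption rather than something the page states.

```python
import re
from typing import Dict, List, Tuple

# Added example, not the page's own code. Entries are CONSTRUCTED; the first
# mirrors the registry update listed above with "alice" as a placeholder user.
RUN_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
# "rundll32 shell32.dll,ShellExec_RunDLL <target>" starts <target> from a signed
# Windows binary, so the real executable is not the first token of the command.
SHELLEXEC_RE = re.compile(
    r"rundll32(?:\.exe)?\s+shell32(?:\.dll)?\s*,\s*ShellExec_RunDLL\b", re.IGNORECASE)
# User-writable scratch location that legitimate installers do not persist from.
TEMP_PATH_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

Entry = Tuple[str, str, str, str]  # key, value name, value type, value data
SAMPLE_ENTRIES: List[Entry] = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "(Default)", "REG_SZ",
     r"Rundll32.exe SHELL32.DLL,ShellExec_RunDLL C:\Users\alice\AppData\Local\Temp\qwerty2.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive", "REG_SZ",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth", "REG_EXPAND_SZ",
     r"%windir%\system32\SecurityHealthSystray.exe"),
]


def assess_run_value(key: str, name: str, vtype: str, data: str) -> Dict:
    """Score one autorun value; two or more findings together are rated high."""
    findings = []
    if key in RUN_KEYS:
        if SHELLEXEC_RE.search(data):
            findings.append("shellexec_rundll_indirection")
        if TEMP_PATH_RE.search(data):
            findings.append("target_in_user_temp")
        if name == "(Default)":
            # Heuristic (my assumption): installers name their Run values;
            # writing the launch command into (Default) is out of the ordinary.
            findings.append("default_value_used")
    severity = "high" if len(findings) >= 2 else "low" if findings else "none"
    return {"key": key, "name": name, "type": vtype, "data": data,
            "findings": findings, "severity": severity}


def scan_entries(entries: List[Entry]) -> List[Dict]:
    """Return only the entries that produced at least one finding."""
    return [r for r in (assess_run_value(*e) for e in entries) if r["findings"]]


if __name__ == "__main__":
    for r in scan_entries(SAMPLE_ENTRIES):
        print(r["severity"].upper(), r["key"], repr(r["name"]), "->", ", ".join(r["findings"]))
        print("   ", r["data"])
```

On a live host the same function can be fed from a `reg query` export or Autoruns CSV; the point of scoring the launcher and the path separately is that either trait alone appears in legitimate software now and then, while the pair, as seen in this infection, almost never does.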
IMAGES
Image 1 (not reproduced here): Screenshot from the email sample with the password-protected Word doc attached.
Image 2 (not reproduced here): Screenshot of the unlocked Word doc.
Image 3 (not reproduced here): Traffic from an infection filtered in Wireshark and Security Onion using Sguil, Suricata, and the EmergingThreats Pro ruleset.
Image 4 (not reproduced here): Neutrino malware made persistent on the infected Windows host.