2018-08-21 - MORE MALSPAM WITH PASSWORD-PROTECTED WORD DOCS, NOW PUSHING NEUTRINO MALWARE

ASSOCIATED FILES:

NOTES:

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URL and domain:

 

EMAIL EXAMLE

MALSPAM EMAIL HEADERS AND MESSAGE TEXT:

Received: from 180therapies.info (180therapies.info [46.161.42.25]) by [removed] for [removed];
        Tue, 21 Aug 2018 20:23:54 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=mail;
  d=180therapies.info;
  h=MIME-Version:To:From:Subject:Date:Content-Type:Message-ID;
  i=info@180therapies.info;
  bh=C+YwAWrS/m12Cl8g0ZKkP1XcAVqiLzX6YVZJyFzsvjU=;
  b=UmMhQIqggO2l5Gfm5f/zAdowSwpYZTyS0uee9fQtGNH5CJPnBFlqWffVUKuO18krd4XSdpnl1u+Q
  QPb5m8h+MnGjD6Wo9inaJ/VLiWAE/Ufu1W749yFh0IgTb9+y9fZjwcSQfkwABsYGLk9Q25ACuMKc
  Sg8lUa0bECYZ2V+0DQQ=
MIME-Version: 1.0
To:
[removed]
From: Lurlene Zeh =?UTF-8?B?wqA=?= <info@180therapies.info>
Subject: Invoice Due
Date: Tue, 21 Aug 2018 19:15:58 +0200
Importance: normal
X-Priority: 3
Content-Type: multipart/mixed;
  boundary="_99B7D467-63E9-37FE-5929-310C12BECFEB_"
Message-ID: <p3t0l0l-utzqfe-C1@180therapies.info>

This is a multi-part message in MIME format

--_99B7D467-63E9-37FE-5929-310C12BECFEB_
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: base64

VGhpcyBpcyB0byBpbmZvcm0geW91IHRoYXQgdGhlcmUgaXMgc3RpbGwgYW4gb3V0c3RhbmRpbmcg
cGF5bWVudCBvZiAkMTIsMzQwIFVTRC4gV2Ugd291bGQgYXBwcmljaWF0ZSBpdCBpZiB0aGlzIGNv
dWxkIGJlIHNldHRsZWQgbm8gbGF0ZXIgdGhhbiB0aGUgMjB0aC4NCg0KSSBoYXZlIGF0dGFjaGVk
IHRoZSBjdXJyZW50IGludm9pY2UgYW5kIHRoZSBwYXNzd29yZCBmb3IgdGhlIGRvY3VtZW50IGlz
OiAxMjM0DQoNClRoYW5rIHlvdS4NCg0KTHVybGVuZSBaZWggwqANClByb3RlcnJhDQpBY2NvdW50
cyBQYXlhYmxlDQoxODE1IFJvbGxpbnMgUm9hZCwgIA0KQnVybGluZ2FtZSwgQ0EgOTQwMTANClBo
b25lOiA4NjQtNDM4LTAwMDANCkV4dDogODE5MA0K

--_99B7D467-63E9-37FE-5929-310C12BECFEB_
Content-Type: application/msword;
        name="invoice.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="invoice.doc"

 

TRAFFIC

TRAFFIC FROM AN INFECTED WINDOWS HOST:

 

MALWARE

MALWARE FROM AN INFECTED WINDOWS HOST:

 

WINDOWS REGSITRY UPDATE FROM THE INFECTED WINDOWS HOST:

 

IMAGES


Shown above:  Screenshot from the email sample with the password-protected Word doc attached.

 


Shown above:  Screenshot of the unlocked Word doc.

 


Shown above:  Traffic from an infection filtered in Wireshark and Security Onion using Sguil, Suricata, and the EmergingThreats Pro ruleset.

 


Shown above:  Neutrino malware made persistent on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.