2018-09-06 - MALSPAM WITH PASSWORD-PROTECTED WORD DOC PUSHES AZORULT THEN NEUTRINO
ASSOCIATED FILES:
- 2018-09-04-malspam-with-password-protected-Word-doc.eml.zip 31.9 kB (31,905 bytes)
- 2018-09-06-infection-traffic-from-password-protected-Word-doc.pcap.zip 4.6 MB (4,568,447 bytes)
- 2018-09-06-malware-from-password-protected-Word-doc-infection.zip 910 kB (909,578 bytes)
NOTES:
- My last ISC diary on this was on 2018-08-15 (link) when it was pushing AZORult and Hermes ransomware.
- My last blog post on this was on 2018-08-21 (link) when it was pushing Neutrino malware.
- Today, the same type of malspam pushed AZORult, then AZORult pushed Neutrino malware.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following URLs and domains:
- hxxp[:]//209.141.59[.]124/au3.exe
- hxxp[:]//209.141.59[.]124/nn.exe
- microsoft-update-server[.]bit
- securityupdateserver4[.]com
EMAIL EXAMPLE
MALSPAM EMAIL HEADERS:
Received: from mail-out-01.crystone[.]se (mail-out-01.crystone[.]se [93.90.145[.]11])
by [removed] (envelope-from <info@cabwebuyhomes[.]com>) [removed];
Tue Sep 4 12:47:00 2018 +0000
Received: from [127.0.0.1] (unknown [217.23.13[.]51])
by mail-out-02.crystone[.]se (Halon) with ESMTPSA
id 9a0fb5b6-b040-11e8-8870-005056912ff2;
Tue, 04 Sep 2018 14:46:54 +0200 (CEST)
Date: Tue, 4 Sep 2018 14:46:55 +0200
Subject: Invoice Due
From: "Pilar" <info@cabwebuyhomes[.]com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--_com.android.email_3033644502435"
Message-ID: <tsosp7oi5ittzf3y3xiqjvs7.1329631939804@cabwebuyhomes[.]com>
This is a multi-part message in MIME format
MALSPAM MESSAGE TEXT:
Hello,
Please advise on the payment status for the following invoice as we found it past due 75 days in our system.
Password: 1234
Please let us know if you have any questions.
Thanks!
Pilar Joe
President
(604)820-8262 ext 247
(604)820-8881 -fax!
TRAFFIC
TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 209.141.59[.]124 port 80 - 209.141.59[.]124 - GET /au3.exe
- 47.254.203[.]38 port 80 - microsoft-update-server[.]bit - POST /index.php
- 209.141.59[.]124 port 80 - 209.141.59[.]124 - GET /nn.exe
- 47.254.203[.]38 port 80 - securityupdateserver4[.]com - POST /tasks.php
- 47.254.203[.]38 port 80 - securityupdateserver4[.]com - GET /modules/x64payload.core
- 47.254.203[.]38 port 80 - securityupdateserver4[.]com - GET /modules/x86payload.core
- 151.80.147[.]153 port 53 (UDP) - DNS query for microsoft-update-server[.]bit - response: Server failure
- 91.217.137[.]44 port 53 (UDP) - DNS query for microsoft-update-server[.]bit - response: 47.254.203[.]38
- 8.8.8[.]8 port 53 (UDP) - DNS query for securityupdateserver4[.]com - response: 47.254.203[.]38
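The traffic list above is readable by eye, but the same observations (an executable pulled from a bare IP, a .bit domain that a normal resolver cannot answer, DNS sent to a resolver the host should not be using) are easy to turn into detection logic. The following Python is an added example, not code from the original post: it parses the defanged lines exactly as they appear above (embedded as constructed sample input), refangs them, and flags each event with the reasons it stands out. The APPROVED_RESOLVERS set is a hypothetical allow-list standing in for whatever resolvers an organisation actually sanctions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the traffic lines from this post, copied verbatim (defanged).
SAMPLE_TRAFFIC = """\
- 209.141.59[.]124 port 80 - 209.141.59[.]124 - GET /au3.exe
- 47.254.203[.]38 port 80 - microsoft-update-server[.]bit - POST /index.php
- 209.141.59[.]124 port 80 - 209.141.59[.]124 - GET /nn.exe
- 47.254.203[.]38 port 80 - securityupdateserver4[.]com - POST /tasks.php
- 47.254.203[.]38 port 80 - securityupdateserver4[.]com - GET /modules/x64payload.core
- 47.254.203[.]38 port 80 - securityupdateserver4[.]com - GET /modules/x86payload.core
- 151.80.147[.]153 port 53 (UDP) - DNS query for microsoft-update-server[.]bit - response: Server failure
- 91.217.137[.]44 port 53 (UDP) - DNS query for microsoft-update-server[.]bit - response: 47.254.203[.]38
- 8.8.8[.]8 port 53 (UDP) - DNS query for securityupdateserver4[.]com - response: 47.254.203[.]38
"""

# Hypothetical allow-list: the resolvers hosts in this environment are supposed to use.
APPROVED_RESOLVERS = {"8.8.8.8"}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
FIRST_FIELD = re.compile(r"^(\S+) port (\d+)(?: \((\w+)\))?$")


def refang(text):
    """Undo the [.] / hxxp defanging used in the post so values compare normally."""
    return text.replace("[.]", ".").replace("hxxp", "http")


@dataclass
class Event:
    dst_ip: str
    dst_port: int
    proto: str          # "TCP" unless the line says otherwise, e.g. "(UDP)"
    kind: str           # "http" or "dns"
    host: str = ""      # HTTP Host header, or the DNS query name
    method: str = ""    # HTTP method, empty for DNS
    path: str = ""      # HTTP path, empty for DNS
    answer: str = ""    # DNS response text, empty for HTTP


def parse_line(line):
    """Parse one '- IP port N [(UDP)] - host - METHOD /path' or DNS line; None if it does not fit."""
    line = refang(line.strip().lstrip("- ").strip())
    parts = [p.strip() for p in line.split(" - ")]
    if len(parts) != 3:
        return None
    m = FIRST_FIELD.match(parts[0])
    if not m:
        return None
    dst_ip, port, proto = m.group(1), int(m.group(2)), (m.group(3) or "TCP")
    if parts[1].startswith("DNS query for "):
        qname = parts[1][len("DNS query for "):]
        answer = parts[2][len("response: "):] if parts[2].startswith("response: ") else parts[2]
        return Event(dst_ip, port, proto, "dns", host=qname, answer=answer)
    method, _, path = parts[2].partition(" ")
    return Event(dst_ip, port, proto, "http", host=parts[1], method=method, path=path)


def flag_event(ev):
    """Return the list of reasons an event is worth a second look (empty list = nothing notable)."""
    reasons = []
    if ev.kind == "dns":
        if ev.host.lower().endswith(".bit"):
            # .bit is the Namecoin pseudo-TLD; ICANN resolvers answer SERVFAIL, as seen above.
            reasons.append("DNS query for a .bit (Namecoin) domain")
        if ev.dst_ip not in APPROVED_RESOLVERS:
            reasons.append(f"DNS sent to unapproved resolver {ev.dst_ip}")
    else:
        if ev.host.lower().endswith(".bit"):
            reasons.append("HTTP to a .bit domain")
        if IPV4.match(ev.host) and ev.path.lower().endswith(".exe"):
            reasons.append("executable downloaded from a bare-IP host over plain HTTP")
        if ev.method == "GET" and ev.path.lower().endswith(".core"):
            reasons.append("'.core' module download (naming seen in this infection)")
    return reasons


def analyse(text):
    """Parse every line and return [(event, reasons)] for the events that were flagged."""
    findings = []
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        reasons = flag_event(ev)
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in analyse(SAMPLE_TRAFFIC):
        print(f"{ev.dst_ip}:{ev.dst_port} {ev.kind} {ev.host} {ev.method} {ev.path}".rstrip())
        for r in reasons:
            print("   -", r)
```

Seven of the nine lines are flagged; the two that pass cleanly are the POST to securityupdateserver4[.]com and the query for that domain sent to 8.8.8.8, which is exactly why a domain block list is still needed alongside behavioural rules.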
MALWARE
MALWARE FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: b4ceab5877e9854d4888c5277c63d2ae139b88d299a82bf7165e88c73f6ec0a9
File size: 39,424 bytes
File name: invoice.doc
File description: Password-protected Word doc attached to the malspam; it contains a macro that retrieves the follow-up malware
- SHA256 hash: 079c39aed1a9a96f62648e5cb5c5e2e9516154821d613b0e38c93e2672b214fa
File size: 782,336 bytes
File location: C:\Users\[username]\AppData\Local\Temp\qwerty2.exe
File description: AZORult malware retrieved by the Word macro
- SHA256 hash: 82930364313f3112b8d92891e877db4f8d579c6de8eb64f480ac5387c65eb490
File size: 782,336 bytes
File location: C:\Users\[username]\AppData\Local\Temp\nn.exe
File description: Neutrino malware retrieved by AZORult
WINDOWS REGISTRY UPDATE FROM THE INFECTED WINDOWS HOST:
- Registry key: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: Shell
Value type: REG_SZ
Value data: explorer.exe, C:\Users\[username]\AppData\Local\Temp\nn.exe
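The persistence mechanism above works because Winlogon treats the Shell value as a comma-separated list and launches every entry, so appending a path after explorer.exe gets the malware started at each logon. A check for this is simple: split the value and report anything that is not the default shell. The Python below is an added example, not code from the post: it parses Shell values offline (with a constructed value modelled on the one above) and, when run on Windows, also reads the live HKLM and HKCU values through the standard winreg module.

```python
import re

DEFAULT_SHELL = "explorer.exe"
WINLOGON_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample value, modelled on the registry data reported in this post.
SAMPLE_SHELL_VALUE = r"explorer.exe, C:\Users\victim\AppData\Local\Temp\nn.exe"


def parse_shell_value(value):
    """Split a Winlogon Shell REG_SZ value into the entries Winlogon will launch.

    Entries are comma-separated; surrounding whitespace and quotes are ignored.
    """
    entries = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if entry:
            entries.append(entry)
    return entries


def is_default_shell(entry):
    """True for explorer.exe given bare or as its normal full path under the Windows directory."""
    lowered = entry.lower()
    basename = re.split(r"[\\/]", lowered)[-1]
    if basename != DEFAULT_SHELL:
        return False
    return lowered == DEFAULT_SHELL or lowered.endswith(r"\windows\explorer.exe")


def suspicious_shell_entries(value):
    """Return every Shell entry that is not the default shell, in the order Winlogon runs them."""
    return [e for e in parse_shell_value(value) if not is_default_shell(e)]


def read_live_shell_values():
    """On Windows, return {'HKLM': value, 'HKCU': value} for whichever Winlogon keys carry a Shell value.

    Returns an empty dict on other platforms (winreg is Windows-only). A Shell value under HKCU
    is itself notable: on a default install only HKLM carries one.
    """
    try:
        import winreg
    except ImportError:
        return {}
    results = {}
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    for name, hive in hives:
        try:
            with winreg.OpenKey(hive, WINLOGON_SUBKEY) as key:
                value, _type = winreg.QueryValueEx(key, "Shell")
                results[name] = value
        except OSError:
            continue  # key or value absent, or access denied
    return results


if __name__ == "__main__":
    print("sample value:", SAMPLE_SHELL_VALUE)
    print("non-default entries:", suspicious_shell_entries(SAMPLE_SHELL_VALUE))
    for hive, value in read_live_shell_values().items():
        extra = suspicious_shell_entries(value)
        print(f"{hive} Shell = {value!r} -> {'OK' if not extra else extra}")
```

Matching on the basename alone would be a mistake here: a copy of explorer.exe dropped in a user-writable directory passes a name check but not a path check, which is why is_default_shell insists on either the bare name or the path under the Windows directory.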
IMAGES
- Image: Screenshot from the email sample with the password-protected Word doc attached.
- Image: Screenshot of the unlocked Word doc.
- Image: Traffic from an infection filtered in Wireshark.
- Image: Neutrino malware made persistent on the infected Windows host.