2018-09-06 - MALSPAM WITH PASSWORD-PROTECTED WORD DOC PUSHES AZORULT THEN NEUTRINO

ASSOCIATED FILES:

NOTES:

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and domains:

 

EMAIL EXAMPLE

MALSPAM EMAIL HEADERS:

Received: from mail-out-01.crystone.se (mail-out-01.crystone.se [93.90.145.11])
        by
[removed] (envelope-from <info@cabwebuyhomes.com>) [removed];
        Tue Sep  4 12:47:00 2018 +0000
Received: from [127.0.0.1] (unknown [217.23.13.51])
        by mail-out-02.crystone.se (Halon) with ESMTPSA
        id 9a0fb5b6-b040-11e8-8870-005056912ff2;
        Tue, 04 Sep 2018 14:46:54 +0200 (CEST)
Date: Tue, 4 Sep 2018 14:46:55 +0200
Subject: Invoice Due
From: "Pilar" <info@cabwebuyhomes.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="--_com.android.email_3033644502435"
Message-ID: <tsosp7oi5ittzf3y3xiqjvs7.1329631939804@cabwebuyhomes.com>

This is a multi-part message in MIME format

 

MALSPAM MESSAGE TEXT:

Hello,

Please advise on the payment status for the following invoice as we found it past due 75 days in our system.

Password: 1234

Please let us know if you have any questions.

Thanks!

Pilar Joe
President
(604)820-8262 ext 247
(604)820-8881 -fax!
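As an added example (not code from the original post), the script below walks the Received chain of the headers above and checks the message text for the pattern this campaign depends on: the password for the attached Word doc handed over in the body, where an attachment scanner that never opens the archive cannot use it. The sample message is reconstructed from the headers and message text on this page; the folded Received lines are re-indented so a MIME parser accepts them, and the "[removed]" placeholders are kept as they appear.

```python
"""Pull defender-relevant indicators out of the malspam sample above.

Added example, not code from the original post.  SAMPLE is reconstructed
from the headers and message text shown on the page, with the folded
Received lines re-indented and the "[removed]" placeholders kept.
"""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

SAMPLE = "\n".join([
    "Received: from mail-out-01.crystone.se (mail-out-01.crystone.se [93.90.145.11])",
    "        by",
    "        [removed] (envelope-from <info@cabwebuyhomes.com>) [removed];",
    "        Tue Sep  4 12:47:00 2018 +0000",
    "Received: from [127.0.0.1] (unknown [217.23.13.51])",
    "        by mail-out-02.crystone.se (Halon) with ESMTPSA",
    "        id 9a0fb5b6-b040-11e8-8870-005056912ff2;",
    "        Tue, 04 Sep 2018 14:46:54 +0200 (CEST)",
    "Date: Tue, 4 Sep 2018 14:46:55 +0200",
    "Subject: Invoice Due",
    'From: "Pilar" <info@cabwebuyhomes.com>',
    "MIME-Version: 1.0",
    "Content-Type: multipart/mixed;",
    ' boundary="--_com.android.email_3033644502435"',
    "Message-ID: <tsosp7oi5ittzf3y3xiqjvs7.1329631939804@cabwebuyhomes.com>",
    "",
    "Hello,",
    "",
    "Please advise on the payment status for the following invoice as we found it past due 75 days in our system.",
    "",
    "Password: 1234",
    "",
    "Please let us know if you have any questions.",
])

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
RECEIVED = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)
ENVELOPE = re.compile(r"envelope-from\s+<?([^>\s;]+)", re.I)
PASSWORD = re.compile(r"^\s*password\s*[:=]\s*(\S+)", re.I | re.M)


def parse_received(value):
    """One Received header -> {helo, ip, by}; None if it has no from/by pair."""
    text = " ".join(value.split())  # unfold the header
    m = RECEIVED.search(text)
    if not m:
        return None
    helo, comment, by = m.groups()
    ip = IPV4.search(comment)  # the relay's own view of the peer address
    return {"helo": helo, "ip": ip.group(1) if ip else None, "by": by}


def received_chain(msg):
    """Hops as listed, topmost first (each relay prepends its own header)."""
    return [h for h in map(parse_received, msg.get_all("Received", [])) if h]


def originating_ip(hops):
    """Bottom-most hop is the earliest: the peer that handed the message to
    the first relay, which is the address worth keying a block list on."""
    return hops[-1]["ip"] if hops else None


def envelope_from(msg):
    for value in msg.get_all("Received", []):
        m = ENVELOPE.search(" ".join(value.split()))
        if m:
            return m.group(1)
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if addr and "@" in addr else None


def assess(raw):
    msg = HeaderParser().parsestr(raw)  # headers only; body stays a raw string
    hops = received_chain(msg)
    header_from = parseaddr(msg.get("From", ""))[1]
    env_from = envelope_from(msg)
    pw = PASSWORD.search(msg.get_payload())
    flags = []
    if pw and msg.get_content_type() == "multipart/mixed":
        # Attachment password stated in the body: a gateway that only scans
        # the attachment cannot open it, so the body itself is the signal.
        flags.append("password-in-body")
    if domain_of(header_from) != domain_of(env_from):
        flags.append("from-domain-mismatch")
    for later, earlier in zip(hops, hops[1:]):
        # Informational: the name a relay gives itself ("by") should reappear
        # as the next hop's "from"; clusters of outbound relays often differ.
        if earlier["by"].lower() != later["helo"].lower():
            flags.append("relay-name-mismatch")
            break
    return {
        "hops": hops,
        "originating_ip": originating_ip(hops),
        "header_from_domain": domain_of(header_from),
        "envelope_from_domain": domain_of(env_from),
        "attachment_password": pw.group(1) if pw else None,
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

On this sample the earliest hop resolves to 217.23.13.51 (the peer that submitted the message to mail-out-02.crystone.se over authenticated SMTP), the header From and envelope-from domains agree, and the "password-in-body" flag fires on the "Password: 1234" line. The "relay-name-mismatch" flag also fires because the two hops name mail-out-02 and mail-out-01; that is a normal sight for a provider's outbound relay cluster, which is why the check is informational rather than a verdict.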

 

TRAFFIC

TRAFFIC FROM AN INFECTED WINDOWS HOST:

 

MALWARE

MALWARE FROM AN INFECTED WINDOWS HOST:

 

WINDOWS REGISTRY UPDATE FROM THE INFECTED WINDOWS HOST:

 

IMAGES


Shown above:  Screenshot from the email sample with the password-protected Word doc attached.

 


Shown above:  Screenshot of the unlocked Word doc.

 


Shown above:  Traffic from an infection filtered in Wireshark.

 


Shown above:  Neutrino malware made persistent on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
