2014-09-22 - PHISHING EMAIL - SUBJECT: NATWEST STATEMENT
ASSOCIATED FILES:
- ZIP file - CSV spreadsheet tracking the emails seen on 2014-09-22: 2014-09-22-phishing-email-tracking.csv.zip
- ZIP file - PCAP of downloading malware from link in the email: 2014-09-22-phishing-malware-download.pcap.zip
- ZIP file - PCAP of VM infection from malware sample: 2014-09-22-phishing-malware-run-in-a-VM.pcap.zip
- ZIP file - associated malware: 2014-09-22-phishing-malware.zip
NOTES:
- This is a continuation of the same campaign I noticed last week ( link ).
- The messages are slightly different, but the email and malware traffic patterns are consistent with this particular group.
EXAMPLE OF THE EMAILS
SCREENSHOT:
MESSAGE TEXT:
Subject: NatWest Statement
NatWest Statement
View Your September 2014 Online Financial Activity Statement
Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:
View/Download as a PDF
View all EStatements
So check out your statement right away, or at your earliest convenience.
Thank you for managing your account online.
Sincerely,
NatWest Bank
Please do not respond to this e-mail. If you have any questions about this inquiry message or your NatWest Bank ®
Merchant account, please speak to a Customer Service representative at 1-800-374-2639
NatWest Bank Customer Service Department
P.O. Box 414 | 38 Strand, WC2N 5JB, London
Copyright 2014 NatWest Company. All rights reserved.
LINK FROM THE EMAIL:
- burracosoftware.it/bftkkyqnah/zdjplnssnq.html
PRELIMINARY MALWARE ANALYSIS
DOWNLOADED ZIP FILE:
File name: document22092014_73327_pdf.zip
File size: 8.0 KB ( 8204 bytes )
MD5 hash: 6c8ed273b90d72126b3d80b035465b93
Detection ratio: 20 / 53
First submission: 2014-09-22 12:06:22 UTC
VirusTotal link: https://www.virustotal.com/en/file/546d560fafbd2d346557c0bd0cdc669a8d617b068e43a154517f96597146b9a9/analysis/
EXTRACTED MALWARE:
File name: document22092014_73327_pdf.exe
File size: 20.5 KB ( 20992 bytes )
MD5 hash: 2fc0fde0b9505a318e0256ec87290df0
Detection ratio: 19 / 52
First submission: 2014-09-22 11:01:31 UTC
VirusTotal link: https://www.virustotal.com/en/file/8040c1cee63db55b348dea8f07ad42d1c78f9ed2c4ff90a9f9accffa7aba186f/analysis/
DROPPED MALWARE:
File name: rrgyb.exe
File size: 404.0 KB ( 413696 bytes )
MD5 hash: d22242741cf4ae2ef2a5fde73eb0fbd7
Detection ratio: 11 / 54
First submission: 2014-09-22 14:27:34 UTC
VirusTotal link: https://www.virustotal.com/en/file/4be29ac27d7eca53ae5f727eedc80cd695d0967bd8535b96b6599121ab1bbbb2/analysis/
INFECTION TRAFFIC
MALWARE DOWNLOADED FROM LINK IN EMAIL:
- 2014-09-22 13:39:24 UTC - 192.168.204.150:19193 - 62.149.128.151:80 - burracosoftware.it - GET /bftkkyqnah/zdjplnssnq.html
- 2014-09-22 13:39:25 UTC - 192.168.204.150:36678 - 62.149.132.147:80 - www.burracosoftware.it - GET /bftkkyqnah/zdjplnssnq.html
- 2014-09-22 13:39:26 UTC - 192.168.204.150:36678 - 62.149.132.147:80 - www.burracosoftware.it - GET /favicon.ico
- 2014-09-22 13:39:26 UTC - 192.168.204.150:50080 - 62.149.132.147:80 - www.burracosoftware.it - GET /bftkkyqnah/document22092014_73327_pdf.zip
INFECTED VM: UPATRE CALL FOR MORE MALWARE:
- 2014-09-23 01:42:02 UTC - 192.168.204.150:49162 - 72.52.202.8:80 - therobinsonfamily.com - GET /files/2209uk3.doc
INFECTED VM: ATTEMPTED TCP TRAFFIC:
- 2014-09-23 01:40:37 UTC - 192.168.204.150:49158 - 188.165.198.52:15990 - attempted TCP connection, RST by the server
- 2014-09-23 01:40:58 UTC - 192.168.204.150:49159 - 188.165.198.52:15990 - attempted TCP connection, RST by the server
- 2014-09-23 01:41:19 UTC - 192.168.204.150:49160 - 188.165.198.52:15990 - attempted TCP connection, RST by the server
- 2014-09-23 01:41:40 UTC - 192.168.204.150:49161 - 188.165.198.52:15990 - attempted TCP connection, RST by the server
- 2014-09-23 01:42:07 UTC - 192.168.204.150:49163 - 188.165.198.52:15990 - attempted TCP connection, RST by the server
- 2014-09-23 01:42:28 UTC - 192.168.204.150:49165 - 188.165.198.52:15990 - attempted TCP connection, RST by the server
INFECTED VM: STUN TRAFFIC TO VOIP (AND POSSIBLY OTHER) SERVERS:
- 2014-09-23 01:42:19 UTC - 192.168.204.150:48485 - 203.183.172.196:3478 - UDP traffic to s2.taraba.net
- 2014-09-23 01:42:36 UTC - 192.168.204.150:48485 - 132.177.123.6:3478 - UDP traffic to stunserver.org
- 2014-09-23 01:42:54 UTC - 192.168.204.150:48485 - 66.51.128.43:3478 - UDP traffic to stun.voip.aebc.com
- 2014-09-23 01:43:28 UTC - 192.168.204.150:48485 - 173.194.66.127:19302 - UDP traffic to stun.l.google.com
- 2014-09-23 01:43:45 UTC - 192.168.204.150:48485 - 77.72.174.164:3478 - UDP traffic to stun.voipstunt.com
- 2014-09-23 01:44:18 UTC - 192.168.204.150:48485 - 77.72.174.165:3478 - UDP traffic to stun.ekiga.net
- 2014-09-23 01:44:36 UTC - 192.168.204.150:48485 - 217.10.68.152:3478 - UDP traffic to stun.faktortel.com.au
- 2014-09-23 01:44:52 UTC - 192.168.204.150:48485 - 62.71.2.168:3478 - UDP traffic to stun.rixtelecom.se
- 2014-09-23 01:45:10 UTC - 192.168.204.150:48485 - 107.23.150.92:3478 - UDP traffic to stun.stunprotocol.org
- 2014-09-23 01:45:26 UTC - 192.168.204.150:48485 - 217.10.68.152:3478 - UDP traffic to stun.sipgate.net
- 2014-09-23 01:45:45 UTC - 192.168.204.150:48485 - 173.194.71.127:19302 - UDP traffic to stun1.l.google.com
- 2014-09-23 01:46:02 UTC - 192.168.204.150:48485 - 91.200.16.56:3478 - UDP traffic to stun.noc.ams-ix.net
- 2014-09-23 01:46:19 UTC - 192.168.204.150:48485 - 208.97.25.20:3478 - UDP traffic to stun.ideasip.com
- 2014-09-23 01:46:35 UTC - 192.168.204.150:48485 - 74.125.23.127:19302 - UDP traffic to stun3.l.google.com
- 2014-09-23 01:46:52 UTC - 192.168.204.150:48485 - 64.24.35.201:3478 - UDP traffic to stun1.voiceeclipse.net
- 2014-09-23 01:47:10 UTC - 192.168.204.150:48485 - 77.72.174.167:3478 - UDP traffic to stun.voxgratia.org
- 2014-09-23 01:47:40 UTC - 192.168.204.150:48485 - 212.79.111.155:3478 - UDP traffic to stun.iptel.org
- 2014-09-23 01:47:57 UTC - 192.168.204.150:48485 - 173.194.72.127:19302 - UDP traffic to stun4.l.google.com
- 2014-09-23 01:48:14 UTC - 192.168.204.150:48485 - 193.28.184.4:3478 - UDP traffic to stun.ipshka.com
- 2014-09-23 01:48:33 UTC - 192.168.204.150:48485 - 77.72.169.157:3478 - UDP traffic to stun.internetcalls.com
- 2014-09-23 01:48:50 UTC - 192.168.204.150:48485 - 77.72.169.156:3478 - UDP traffic to stun.voiparound.com
- 2014-09-23 01:49:08 UTC - 192.168.204.150:48485 - 66.228.45.110:3478 - UDP traffic to numb.viagenie.ca
- 2014-09-23 01:49:25 UTC - 192.168.204.150:48485 - 208.64.8.6:3478 - UDP traffic to stun.phonepower.com
- 2014-09-23 01:49:42 UTC - 192.168.204.150:48485 - 212.227.67.195:3478 - UDP traffic to stun.schlund.de
- 2014-09-23 01:49:59 UTC - 192.168.204.150:48485 - 198.27.81.168:3478 - UDP traffic to stun.callwithus.com
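Two behaviours in the post-infection traffic above are worth turning into detection logic: the repeated TCP attempts to 188.165.198.52:15990, each reset by the server at a near-constant interval (beaconing to a C2 that is down or filtering), and the burst of STUN lookups to many different servers from one UDP source port. The script below is an added example, not code from the original post; it parses log lines in the same "timestamp - src:port - dst:port - description" layout used in this write-up. The sample lines are copied from the traffic summary above, plus one constructed benign line from a second host (192.168.204.151, a made-up address) to show that a single STUN lookup does not trip the threshold. The thresholds (minimum attempts, jitter, window, server count) are assumptions to tune for your own environment.

```python
"""Detection heuristics over infection-traffic summary lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Sample input: lines copied from the traffic summary above, plus one
# constructed benign line (last one) from a different, made-up host.
SAMPLE_LOG = """\
- 2014-09-23 01:40:37 UTC - 192.168.204.150:49158 - 188.165.198.52:15990 - attempted TCP connection, RST by the server
- 2014-09-23 01:40:58 UTC - 192.168.204.150:49159 - 188.165.198.52:15990 - attempted TCP connection, RST by the server
- 2014-09-23 01:41:19 UTC - 192.168.204.150:49160 - 188.165.198.52:15990 - attempted TCP connection, RST by the server
- 2014-09-23 01:41:40 UTC - 192.168.204.150:49161 - 188.165.198.52:15990 - attempted TCP connection, RST by the server
- 2014-09-23 01:42:02 UTC - 192.168.204.150:49162 - 72.52.202.8:80 - therobinsonfamily.com - GET /files/2209uk3.doc
- 2014-09-23 01:42:07 UTC - 192.168.204.150:49163 - 188.165.198.52:15990 - attempted TCP connection, RST by the server
- 2014-09-23 01:42:19 UTC - 192.168.204.150:48485 - 203.183.172.196:3478 - UDP traffic to s2.taraba.net
- 2014-09-23 01:42:28 UTC - 192.168.204.150:49165 - 188.165.198.52:15990 - attempted TCP connection, RST by the server
- 2014-09-23 01:42:36 UTC - 192.168.204.150:48485 - 132.177.123.6:3478 - UDP traffic to stunserver.org
- 2014-09-23 01:42:54 UTC - 192.168.204.150:48485 - 66.51.128.43:3478 - UDP traffic to stun.voip.aebc.com
- 2014-09-23 01:43:28 UTC - 192.168.204.150:48485 - 173.194.66.127:19302 - UDP traffic to stun.l.google.com
- 2014-09-23 01:43:45 UTC - 192.168.204.150:48485 - 77.72.174.164:3478 - UDP traffic to stun.voipstunt.com
- 2014-09-23 01:44:18 UTC - 192.168.204.150:48485 - 77.72.174.165:3478 - UDP traffic to stun.ekiga.net
- 2014-09-23 01:50:00 UTC - 192.168.204.151:50000 - 173.194.66.127:19302 - UDP traffic to stun.l.google.com (constructed benign line)
"""

# "- 2014-09-23 01:40:37 UTC - src:port - dst:port - free-text description"
LINE_RE = re.compile(
    r"^(?:- )?(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC - "
    r"(?P<src>[\d.]+):(?P<sport>\d+) - (?P<dst>[\d.]+):(?P<dport>\d+) - (?P<desc>.+)$"
)
STUN_PORTS = {3478, 19302}  # classic STUN port and the Google STUN port seen above


def parse(text):
    """Turn summary lines into event dicts; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "desc": d["desc"],
        })
    return events


def find_beacons(events, min_attempts=4, max_jitter_s=5.0):
    """Group server-reset TCP attempts by (src, dst, dport) and flag groups whose
    gaps between attempts are regular (population std dev <= max_jitter_s)."""
    groups = defaultdict(list)
    for e in events:
        if "RST by the server" in e["desc"]:
            groups[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    findings = []
    for (src, dst, dport), stamps in groups.items():
        stamps.sort()
        if len(stamps) < min_attempts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "attempts": len(stamps),
                             "mean_gap_s": round(mean(gaps), 1)})
    return findings


def find_stun_fanout(events, min_servers=5, window_s=600):
    """Flag a (src, sport) pair that reaches at least min_servers distinct STUN
    server IPs inside any window_s-second sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] in STUN_PORTS and e["desc"].startswith("UDP"):
            by_src[(e["src"], e["sport"])].append(e)
    findings = []
    for (src, sport), evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, first in enumerate(evs):
            seen = {e["dst"] for e in evs[i:]
                    if (e["ts"] - first["ts"]).total_seconds() <= window_s}
            best = max(best, len(seen))
        if best >= min_servers:
            findings.append({"src": src, "sport": sport, "servers": best})
    return findings


def analyze(text):
    events = parse(text)
    return {"beacons": find_beacons(events), "stun_fanout": find_stun_fanout(events)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

On the sample, the beacon check reports 192.168.204.150 -> 188.165.198.52:15990 with 6 attempts and a mean gap of about 22 seconds (the gaps are 21, 21, 21, 27 and 21 seconds, so the jitter is low), and the fan-out check reports source port 48485 hitting 6 distinct STUN servers; the single lookup from the constructed second host is not reported. Counting distinct destination IPs rather than hostnames matters here because the list above contains the same IP (217.10.68.152) under two different STUN hostnames.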
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):
- 2014-09-22 13:39:26 UTC - 62.149.132.147:80 - 192.148.204.150:50080 - ET TROJAN Zeus Spam Campaign pdf.exe In ZIP - 26th Feb 2014 (sid:2018182)
- 2014-09-23 01:42:02 UTC - 192.168.204.150:49162 - 72.52.202.8:80 - ET TROJAN Common Upatre Header Structure 2 (sid:2018635)
- 2014-09-23 01:42:02 UTC - 192.168.204.150:49162 - 72.52.202.8:80 - ET TROJAN Common Upatre Header Structure (sid:2018394)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:
- 2014-09-23 01:42:04 UTC - 72.52.202.8 - 192.168.204.150 - [139:1:1] (spp_sdf) SDF Combination Alert
SCREENSHOTS OF THE TRAFFIC
Phishing malware (Upatre) calling for more malware:
Some of the STUN traffic from the infected VM (http://en.wikipedia.org/wiki/STUN):
FINAL NOTES
Once again, here are the associated files:
- ZIP file - CSV spreadsheet tracking the emails seen on 2014-09-22: 2014-09-22-phishing-email-tracking.csv.zip
- ZIP file - PCAP of downloading malware from link in the email: 2014-09-22-phishing-malware-download.pcap.zip
- ZIP file - PCAP of VM infection from malware sample: 2014-09-22-phishing-malware-run-in-a-VM.pcap.zip
- ZIP file - associated malware: 2014-09-22-phishing-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.