2014-10-03 - PHISHING CAMPAIGN - INCOMING FAX REPORTS - FAKE HMRC TAX NOTIFICATION

ASSOCIATED FILES:

• ZIP of CSV for the email tracking:  2014-10-03-phishing-campaign-email-tracking.csv.zip
• ZIP of PCAP from the malware analysis from malwr.com:  2014-10-03-phishing-malware-analysis-from-malwr.com.pcap.zip
• ZIP of the associated malware:  2014-10-03-phishing-malware.zip

 

NOTES:

• The group behind these phishing emails uses attachments or links to the malware in their messages.
• Today's malware attachments are the same file hash for both the fake fax reports and the fake HMRC tax notification.
• This particular style of phish has been going on for years...  For example, do a Google search on  Subject: INCOMING FAX REPORT : Remote ID:

 

WAVES OF PHISHING EMAILS I'VE DOCUMENTED BY (WHAT I THINK IS) THE SAME ACTOR:

• 2014-09-18 - Phishing campaign - NatWest and fake fax messages
• 2014-09-22 - Phishing email - Subject: NatWest Statement
• 2014-10-03 - Phishing campaign - Incoming fax reports - fake HMRC tax notices

 

 

EXAMPLE OF THE EMAILS

SCREENSHOT - EXAMPLE 1:

 

SCREENSHOT - EXAMPLE 2:

 

MESSAGE TEXT - EXAMPLE 1:

From: Incoming Fax <no-reply@docs-xd.com>
Date: Friday, October 3, 2014 at 16:56 UTC
To:
Subject: INCOMING FAX REPORT : Remote ID: 3560-28116-15053


*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Fri, 03 Oct 2014 18:56:41 +0200
Speed: 43560
Connection time: 12.56
Pages: 3
Resolution: Normal
Remote ID: 3560-28116-15053
Line number: 3
DTMF/DID:
Description: Internal Docs

Fax message attached in PDF format (Adobe Reader).

*********************************************************

Attachment: doc_03102014-.zip (12.2 KB)

 

MESSAGE TEXT - EXAMPLE 2:

From: "hmrc.gov.uk" <noreply@docs-xll.com>
Date: Friday, October 3, 2014 at 09:56 UTC
To: <undisclosed-recipients:;>
Subject: You have received new messages from HMRC

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.

Please do not reply to this e-mail.

Attachment: doc_0315634-2871_pdf.zip (12.2 KB)

 

PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  doc_03102014-.zip
File size:  9.0 KB ( 9255 bytes )
MD5 hash:  f777ff3fdbda090df534cdb5c4bd7b89
Detection ratio:  13 / 54
First submission:  2014-10-03 10:23:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4c4dc72b5e51bab8ebe153af6817b2b6d390ab332b7ffc3d079cf0080f3b9b56/analysis/

 

EXTRACTED MALWARE:

File name:  doc_03102014-2871_pdf.exe
File size:  23.0 KB ( 23552 bytes )
MD5 hash:  ef880cf944302b0880215509ad340ab0
Detection ratio:  13 / 54
First submission:  2014-10-03 10:23:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8f98fce6c20dbbe8a156e5a5b671066ccd0db240140e81d69d1a7205457605cb/analysis/
Malwr link:  https://malwr.com/analysis/NTcyZTJlYzUwMTMxNGI5NWE2ZTZlNzFjMzNmN2MwZjA/

 

DROPPED MALWARE:

File name:  jyrhg.exe
File size:  351.5 KB ( 359936 bytes )
MD5 hash:  2a1a5084908d808963413ae58c19b914
Detection ratio:  13 / 54
First submission:  2014-10-03 20:28:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ed07040f5bc08fecdf28db4a2c365840b7867ab705f73d08d4d64bc035caced9/analysis/
Malwr link:  https://malwr.com/analysis/NGY4YWIyOTlhZmEwNDQzOWIzODg1MzRhNjNlZWMxMWE/
Malwr.com pcap from the above analysis:  2014-10-03-malwr-analysis-jyrhg.exe.pcap.zip.

 

INFECTION TRAFFIC

FROM MALWR.COM ANALYSIS OF THE MALWARE:

• 2014-10-03 19:06:11 UTC - 192.168.56.101:1039 - 94.75.233.13:39700 - 94.75.233.13:39700 - GET /0310uk4/HOME/0/51-SP3/0/
• 2014-10-03 19:06:11 UTC - 192.168.56.101:1040 - 94.75.233.13:39700 - 94.75.233.13:39700 - GET /0310uk4/HOME/1/0/0/
• 2014-10-03 19:06:12 UTC - 192.168.56.101:1041 - 203.83.247.170:80 - nkusedcars.com - GET /gallery/0310uk4.pdf
• 2014-10-03 19:06:14 UTC - 192.168.56.101:1042 - 94.75.233.13:39700 - 94.75.233.13:39700 - GET /0310uk4/HOME/41/5/4/
• 2014-10-03 19:06:19 UTC - 192.168.56.101:6115 - 74.125.196.127:19302 - STUN (Simple Traversal of UDP through NAT) traffic to stun1.l.google.com
• 2014-10-03 19:06:19 UTC - 192.168.56.101:1049 - 37.59.46.50:4443 - encrypted traffic
• 2014-10-03 19:06:20 UTC - 192.168.56.101:1050 - 173.223.52.201:80 - www.download.windowsupdate.com - GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt
• 2014-10-03 19:06:20 UTC - 192.168.56.101:1050 - 173.223.52.201:80 - www.download.windowsupdate.com - GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab
• 2014-10-03 19:06:22 UTC - 192.168.56.101:1051 - 37.59.46.50:4443 - encrypted traffic
• 2014-10-03 19:06:24 UTC - 192.168.56.101:1052 - 37.59.46.50:4443 - encrypted traffic
• 2014-10-03 19:06:24 UTC - 192.168.56.101:1053 - 37.59.46.50:4443 - encrypted traffic
• 2014-10-03 19:06:26 UTC - 192.168.56.101:1054 - 37.59.46.50:4443 - encrypted traffic
• 2014-10-03 19:06:26 UTC - 192.168.56.101:1055 - 37.59.46.50:4443 - encrypted traffic
• 2014-10-03 19:06:29 UTC - 192.168.56.101:1056 - 37.59.46.50:4443 - encrypted traffic
• 2014-10-03 19:06:29 UTC - 192.168.56.101:1057 - 37.59.46.50:4443 - encrypted traffic
• 2014-10-03 19:06:34 UTC - 192.168.56.101:1058 - 37.59.46.50:4443 - encrypted traffic

 

SNORT EVENTS FROM SANDBOX ANALYSIS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

• 2014-10-03 19:06:12 UTC - 192.168.56.101:1041 - 203.83.247.170:80 - ET TROJAN Common Upatre Header Structure 2 (sid:2018635)
• 2014-10-03 19:06:12 UTC - 192.168.56.101:1041 - 203.83.247.170:80 - ET TROJAN Common Upatre Header Structure (sid:2018394)
• 2014-10-03 19:06:12 UTC - 192.168.56.101:1041 - 203.83.247.170:80 - ET MALWARE Suspicious User-Agent (update) (sid:2003583)
• 2014-10-03 19:06:19 UTC - 37.59.46.50:4443 - 92.168.56.101:1049 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 30 2014 (sid:2019320)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

• 2014-10-03 19:06:12 UTC - 203.83.247.170 - 192.168.56.101 - [139:1:1] (spp_sdf) SDF Combination Alert (x2)
• 2014-10-03 19:06:19 UTC - 37.59.46.50:4443 - 192.168.56.101 - [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE (x9)
• 2014-10-03 19:06:19 UTC - 192.168.56.101 - 37.59.46.50:4443 - [119:14:1] (http_inspect) NON-RFC DEFINED CHAR (x2)
• 2014-10-03 19:06:22 UTC - 192.168.56.101 - 37.59.46.50:4443 - [119:31:1] (http_inspect) UNKNOWN METHOD (x7)

 

SCREENSHOTS FROM THE TRAFFIC

Post-infection checkin:

 

Upatre call for more malware:

 

Encrypted TCP traffic on port 4443:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of CSV for the email tracking:  2014-10-03-phishing-campaign-email-tracking.csv.zip
• ZIP of PCAP from the malware analysis from malwr.com:  2014-10-03-phishing-malware-analysis-from-malwr.com.pcap.zip
• ZIP of the associated malware:  2014-10-03-phishing-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.