2014-10-07 - PHISHING CAMPAIGN - SUBJECT: YOU HAVE VOICE MESSAGE
ASSOCIATED FILES:
- ZIP of CSV list for emails with Subject: You have a voice message: 2014-10-07-email-tracking-since-2014-10-01.csv.zip
- ZIP of PCAP from downloading the malware & running it on a VM: 2014-10-07-running-the-malware-in-a-VM.pcap.zip
- ZIP of the malware: 2014-10-07-phishing-malware.zip
NOTES:
- This one has characteristics of an Asprox botnet email:
  - The URL for downloading the zip file has the same pattern I've noticed in other Asprox botnet emails (see below).
  - The same URL gave different file names when I downloaded it by proxying through different IP addresses:
  - Those different file names have different file hashes for what's really the same malware:
  - Post-infection traffic from the infected VM is similar to some of the traffic I've seen before with Asprox.
- A good description of recent Asprox activity can be found at: http://stopmalvertising.com/malware-reports/asprox-update-version-2050.html
- I've included a spreadsheet listing the dates, times, and senders on 494 emails with the same subject line. This particular phishing wave started on Thursday, 2014-10-02.
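The tracking spreadsheet is the quickest way to see when a subject-line wave started and which spoofed senders it used. The script below is an added example (not part of this write-up or its CSV) that assumes a three-column layout of date, time and sender; the rows are constructed, not taken from the real 2014-10-07-email-tracking-since-2014-10-01.csv.

```python
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample in the layout this example assumes (date, time, sender);
# the real 2014-10-07-email-tracking-since-2014-10-01.csv is not reproduced.
SAMPLE_CSV = """date,time,sender
2014-10-02,08:14:03,stamps@kingsign.com
2014-10-02,09:47:51,Info@example-mail.net
2014-10-03,11:02:17,stamps@kingsign.com
2014-10-06,16:23:00,stamps@kingsign.com
2014-10-06,16:25:41,alerts@example-shop.org
2014-10-07,07:58:30,news@example-mail.net
"""


def parse_tracking(text):
    """Read the tracking CSV into a list of dicts with a real date object."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "date": date.fromisoformat(row["date"].strip()),
            "time": row["time"].strip(),
            # Normalise case so the same spoofed sender is counted once.
            "sender": row["sender"].strip().lower(),
        })
    return rows


def summarize(rows):
    """Per-day volume and sender-domain breakdown for one subject-line wave."""
    if not rows:
        raise ValueError("no rows to summarize")
    days = sorted(r["date"] for r in rows)
    per_day = Counter(d.isoformat() for d in days)
    per_domain = Counter(r["sender"].rsplit("@", 1)[-1] for r in rows)
    return {
        "total": len(rows),
        "first_seen": days[0].isoformat(),
        "first_weekday": days[0].strftime("%A"),
        "last_seen": days[-1].isoformat(),
        "per_day": dict(per_day),
        "per_domain": dict(per_domain),
        "unique_senders": len({r["sender"] for r in rows}),
    }


def print_report(text):
    s = summarize(parse_tracking(text))
    print(f"{s['total']} emails, {s['unique_senders']} distinct senders, "
          f"{s['first_seen']} ({s['first_weekday']}) to {s['last_seen']}")
    for day, n in sorted(s["per_day"].items()):
        print(f"  {day}: {n}")
    for dom, n in Counter(s["per_domain"]).most_common():
        print(f"  {dom}: {n}")


if __name__ == "__main__":
    print_report(SAMPLE_CSV)
```

Run it against the real CSV by reading the extracted file into `print_report`. The per-day counts are what establish the start of the wave (the first row's weekday is printed so a Thursday start like this one is obvious), and the per-domain counts show how many different spoofed sender domains the botnet rotated through.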
EXAMPLE OF THE EMAILS
SCREENSHOT:
MESSAGE TEXT:
From: LINE <stamps@kingsign.com>
Sent: Monday, October 06, 2014 4:23 PM
To:
Subject: You have a voice message
LINE LINE: Free Calls & Messages
You have a voice message, listen it now
LINE NOTIFICATION Time: 21:12:45 01 Oct 2014, Duration: 45sec
Coypright (c) 2014 All rights reserved
PRELIMINARY MALWARE ANALYSIS
EMAIL ATTACHMENT:
File name: LINE_Call.zip
File size: 80.4 KB ( 82323 bytes )
MD5 hash: 92d86a4847988aad3eaef5d609308c97
Detection ratio: 5 / 55
First submission: 2014-10-07 23:18:12 UTC
VirusTotal link: https://www.virustotal.com/en/file/7929c2c9b585ef354bcd5e89a8ddc0fda68254b6bcfb6b6e5f08d4233e023a63/analysis/
EXTRACTED MALWARE:
File name: LINE_Call.exe
File size: 128.0 KB ( 131072 bytes )
MD5 hash: 68edcf990db2e27af7d0f42abf8740ba
Detection ratio: 5 / 54
First submission: 2014-10-07 23:18:45 UTC
VirusTotal link: https://www.virustotal.com/en/file/e4ac9107b13fed461776035c4e7abf99b95f6d6eec4ce813804118168e96dc70/analysis/
Malwr link: https://malwr.com/analysis/ZGU2NGM4YzMwMDA3NGI2NjhjNzJhZjZmMWI0YmM4ODU/
INFECTION TRAFFIC
DOWNLOADING AND EXECUTING THE MALWARE ON A VM:
- 2014-10-07 22:21:47 UTC - 172.16.165.151:49160 - 5.101.153.13:80 - ufahostel.net - GET /cache.php?line=N0y0+6A5BRlOjajVITibzg
- 2014-10-07 22:31:27 UTC - 172.16.165.151:49162 - 96.30.22.96:8080 - 96.30.22.96:8080 - POST /index.php
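Both requests above carry the traits worth hunting for in proxy or HTTP logs: a GET to a PHP script with a single opaque base64-looking parameter (the Asprox download-URL pattern mentioned in the notes), followed by a POST to /index.php where the Host value is a bare IP address on a non-standard port, which is the behaviour the ET "POST to Dotted Quad" signature keys on. The script below is an added example, not part of this write-up; it parses request lines in the same "timestamp - src:port - dst:port - host - METHOD uri" layout used here. The first and third sample lines are the two requests recorded above, the other two are constructed benign traffic, and the thresholds (token length, alphabet) are my own assumptions.

```python
import re
from ipaddress import ip_address

# Request lines in the "timestamp - src:port - dst:port - host - METHOD uri"
# layout used in this write-up. Lines 1 and 3 are the two requests from the
# infected VM; lines 2 and 4 are constructed benign traffic for contrast.
SAMPLE_LOG = """\
2014-10-07 22:21:47 UTC - 172.16.165.151:49160 - 5.101.153.13:80 - ufahostel.net - GET /cache.php?line=N0y0+6A5BRlOjajVITibzg
2014-10-07 22:22:10 UTC - 172.16.165.151:49161 - 203.0.113.10:80 - www.example.com - GET /news.php?id=42&page=2
2014-10-07 22:31:27 UTC - 172.16.165.151:49162 - 96.30.22.96:8080 - 96.30.22.96:8080 - POST /index.php
2014-10-07 22:33:02 UTC - 172.16.165.151:49163 - 203.0.113.20:80 - forum.example.net - POST /index.php
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC) - "
    r"(?P<src>[\d.]+):(?P<sport>\d+) - (?P<dst>[\d.]+):(?P<dport>\d+) - "
    r"(?P<host>\S+) - (?P<method>[A-Z]+) (?P<uri>\S+)$"
)
# Single opaque token as seen in the Asprox download URLs: base64-like
# alphabet, no separators, at least 16 characters (assumed threshold).
TOKEN_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")


def parse_line(line):
    """Split one request line into its fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    req = m.groupdict()
    req["dport"] = int(req["dport"])
    return req


def is_dotted_quad(host):
    """True when the Host value is a bare IPv4 address, with or without :port."""
    try:
        ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def classify(req):
    """Return a label for requests that match the two Asprox traits, else None."""
    path, _, query = req["uri"].partition("?")
    params = query.split("&") if query else []
    if (req["method"] == "GET" and path.endswith(".php") and len(params) == 1
            and "=" in params[0]
            and TOKEN_RE.match(params[0].split("=", 1)[1])
            and not is_dotted_quad(req["host"])):
        return "asprox-style download url"
    # The callback: POST /index.php straight to an IP, no hostname involved.
    if (req["method"] == "POST" and path == "/index.php"
            and is_dotted_quad(req["host"])):
        return "kuluoz/asprox-style callback"
    return None


def scan(text):
    """Run classify() over every parseable line and collect the hits."""
    hits = []
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        label = classify(req)
        if label:
            hits.append((req["ts"], req["host"], req["dport"], label))
    return hits


if __name__ == "__main__":
    for ts, host, port, label in scan(SAMPLE_LOG):
        print(f"{ts}  {host} (port {port})  {label}")
```

Treat the output as hunt leads rather than verdicts: a single-parameter PHP GET is common on legitimate sites, and some internal applications are reached by IP, so confirm a hit with the Snort alert or by pulling the response (a zipped EXE, as the ET POLICY event below shows) from the pcap.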
SNORT EVENTS FROM VM INFECTION
Emerging Threats events from Sguil on Security Onion:
- 2014-10-07 22:21:54 UTC - 5.101.153.13:80 - 172.16.165.151:49160 - ET POLICY ZIPPED EXE in transit (sid:2001404)
- 2014-10-07 22:31:27 UTC - 172.16.165.151:49162 - 96.30.22.96:8080 - ET TROJAN Kuluoz/Asprox Activity (sid:2017895)
- 2014-10-07 22:31:27 UTC - 172.16.165.151:49162 - 96.30.22.96:8080 - ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 (sid:2018359)
SCREENSHOTS FROM THE TRAFFIC
When you try the link, and it doesn't like your source IP address, you get the following message:
I got this one by proxying through a Canadian IP address:
Kuluoz/Asprox-style callback traffic from the infected VM:
FINAL NOTES
Once again, here are the associated files:
- ZIP of CSV list for emails with Subject: You have a voice message: 2014-10-07-email-tracking-since-2014-10-01.csv.zip
- ZIP of PCAP from downloading the malware & running it on a VM: 2014-10-07-running-the-malware-in-a-VM.pcap.zip
- ZIP of the malware: 2014-10-07-phishing-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.