2014-10-31 - PHISHING EMAIL - SUBJECT: YOUR FEDEX REWARDS HAS BEEN SHIPPED
ASSOCIATED FILES:
- ZIP PCAP of VM infection from malware sample: 2014-10-31-phishing-malware-run-in-VM.pcap.zip
- ZIP file - associated malware: 2014-10-31-phishing-malware.zip
EXAMPLE OF THE EMAILS
SCREENSHOT:
MESSAGE TEXT:
Subject: Your Fedex Rewards Has Been Shipped
Date: Fri, 31 Oct 2014 09:54:29 UTC
From: Fedex.com <rewards@fedex.com>
Reply-To: rewards@fedex.com
Organization: Fedex.com
To: [redacted]
Dear [redacted]
This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped separately.
You can review complete details of your order in the find attached.
Thanks for choosing FedEx.
Order Confirmation Number: 231862343
Order Date: 10/29/2014
Redemption Item Quantity Tracking Number
Paper, Document 16 Z39401093847788
You may receive separate e-mails with tracking information for reward ordered.
My FedEx Rewards may be modified or terminated at any time without notice. Rewards points available for qualifying purchases and certain exclusions apply. For details and a complete listing of eligible products and services please read My FedEx Rewards Terms and Conditions.
2012 FedEx. The content of this message is protected by copyright and trademark laws under U.S. and international law. Review our privacy policy. All rights reserved.
Attachment: Fedex_Rewards_231862343.doc (87.0 KB)
PRELIMINARY MALWARE ANALYSIS
WORD DOCUMENT:
File name: Fedex_Rewards_231862343.doc
File size: 87.0 KB ( 89088 bytes )
MD5 hash: 3f942d96b1791b827ec22f1068f1bcd4
Detection ratio: 1 / 53
First submission: 2014-10-31 14:42:12 UTC
VirusTotal link: https://www.virustotal.com/en/file/195684dfa6ea61fd113aa69d904c7ff613ff27c0763c8d8e593aa44f5a3055e0/analysis/
MALWARE DOWNLOADED BY THE WORD DOCUMENT:
File name: notepad.exe
File size: 130.5 KB ( 133649 bytes )
MD5 hash: dba0905cf58073c6cf4693ba5493eebc
Detection ratio: 4 / 52
First submission: 2014-10-30 21:16:53 UTC
VirusTotal link: https://www.virustotal.com/en/file/8b850bbbc32192eefbf569110010447c11d9beb0e440af9687d11b72d85fb8fd/analysis/
Malwr.com link: https://malwr.com/analysis/ZjRmNzZhNjRhNGM2NDA5Zjg3ZmQzNmZjMTFlMjU5NjU/
INFECTION TRAFFIC
Opening Fedex_Rewards_231862343.doc in a VM:
- 2014-10-31 14:23:30 UTC - 192.168.204.129:49158 - 12.167.187.228:80 - gftnet.gftforex.com - GET /cs/notepad.exe
- 2014-10-31 14:23:47 UTC - 192.168.204.129:49159 - 178.159.4.20:80 - encrypted TCP traffic, possible Netwire RAT
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):
- 2014-10-31 14:23:47 UTC - 192.168.204.129:49159 - 178.159.4.20:80 - ET TROJAN Netwire RAT Check-in (sid:2018427)
- 2014-10-31 14:24:02 UTC - 178.159.4.20:80 - 192.168.204.129:49159 - ET TROJAN Possible Netwire RAT Client HeartBeat C2 (sid:2018283)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:
- 2014-10-31 14:23:30 UTC - 12.167.187.228:80 - 192.168.204.129:49158 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 2014-10-31 14:23:30 UTC - 12.167.187.228:80 - 192.168.204.129:49158 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 2014-10-31 14:23:31 UTC - 12.167.187.228 - 192.168.204.129 - [139:1:1] (spp_sdf) SDF Combination Alert
- 2014-10-31 14:23:47 UTC - 178.159.4.20:80 - 192.168.204.129:49159 - [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
- 2014-10-31 14:23:47 UTC - 192.168.204.129:49159 - 178.159.4.20:80 - [119:31:1] (http_inspect) UNKNOWN METHOD
SCREENSHOTS
Opening the Word document:
After enabling the macros, the Word document downloads malware:
Possible Netwire RAT traffic, after the VM is infected:
FINAL NOTES
Once again, here are the associated files:
- ZIP PCAP of VM infection from malware sample: 2014-10-31-phishing-malware-run-in-VM.pcap.zip
- ZIP file - associated malware: 2014-10-31-phishing-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.