2014-12-05 - UPATRE/DYRE PHISHING CAMPAIGN - SUBJECT: VIDEO SHOWS NORWEGIAN FIGHTER PILOT'S

ASSOCIATED FILES:

• ZIP - CSV spreadsheet with partial tracking information for these emails:  2014-12-05-phishing-email-partial-message-tracking.csv.zip
• ZIP - PCAP of VM infection from downloading and running the malware:  2014-12-05-phishing-email-traffic.pcap.zip
• ZIP - associated malware:  2014-12-05-phishing-malware.zip
• ZIP - example of the phishing email with headers (sanitized):  2014-12-05-phishing-email-with-headers.txt.zip

 

NOTES:

• On 2014-12-05 from 12:49 to 13:12 UTC, I saw 273 messages using news@cnn.com as a spoofed sender, with the subject line:  Video shows Norwegian fighter pilot's
• These emails contained a fake CNN notification, and the messages all linked to an Upatre downloader.
• The Upatre downloader installed Dyre malware on my test VM.
• These emails came through different IP addresses from across the world.  This was a botnet-based campaign.

• Today's Dyre infection is similar to a previous Upatre/Dyre campaign I documented on 2014-11-13.
• The US-CERT has a good summary here.  (Shout out to the person who brought it to my attention... You know who you are!)

 

EXAMPLE OF THE EMAILS

SCREENSHOT:

 

MESSAGE TEXT:

Date:  Friday, 2014-12-05 at 12:47:49 UTC
Subject:  Video shows Norwegian fighter pilot's
From:  news@cnn.com
To:

CNN.com

Video shows Norwegian fighter pilot's close call with Russian MiG

(CNN) -- It was a routine call for the Norwegian fighter pilot participating in NATO's Quick Reaction Alert mission, high in the sky off Norway's coast.

He was tasked with investigating and identifying an aircraft that had entered the mission's patrol area in international airspace northwest of Norway.

Fluffy clouds dotted the piercing blue atmosphere, and it looked like it would be a non-eventful mission, until something gray darted in front of the Norwegian pilot's F-16 -- a Russian MiG fighter, according to the Norwegian Defence Ministry.
FULL STORY

• comment on CNN stories and blogs
• submit and comment on iReport assignments
• receive breaking news e-mail alerts
• receive e-mail newsletters

Thank you,
CNN

© 2007 Cable News Network LP, LLLP | One CNN Center - Atlanta, GA 30303 | To view our privacy policy, click here.

 

PRELIMINARY MALWARE ANALYSIS

DOWNLOADED ZIP FILE:

File name:  BreakingNews_pdf73.zip
File size:  10.6 KB ( 10814 bytes )
MD5 hash:  7aad4a6a94fe2577f1a8c1ddc8a16aa7
Detection ratio:  4 / 55
First submission:  2014-12-05 12:55:01 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d312db90c3e7d419849cd5cfc877d69a9f1f7ce105153f52611a65786c95775c/analysis/

 

EXTRACTED MALWARE (UPATRE):

File name:  BreakingNews_pdf.exe
File size:  23.0 KB ( 23552 bytes )
MD5 hash:  860ac28e0373dad2d20b4f93586f5996
Detection ratio:  5 / 55
First submission:  2014-12-05 12:55:34 UTC
VirusTotal link:  https://www.virustotal.com/en/file/815ea1fe70c2427f4d862cf47f8c03af0a1db8768f79edec22aaad15be7d0d12/analysis/
Malwr link:  https://malwr.com/analysis/Y2E4YTMyNTNlZDE2NDI3OTk5NDY3ZGRjNWQyNGVmZGQ/

 

DROPPED MALWARE ON THE INFECTED VM (DYRE):

File name:  kJLbteAIPpIpFHl.exe
File size:  496.0 KB ( 507904 bytes )
MD5 hash:  356d8267d90e1b9fcfc57775f4558d6b
Detection ratio:  9 / 55
First submission:  2014-12-05 13:03:05 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6b3c5d2b2704b9b20fb6458c87f8e1c8ff1f52f969e2bacd9c96edc436398751/analysis/
Malwr link:  https://malwr.com/analysis/ZWZmZmYwYzkwNDdjNDIwNmI2NzgyZGM3MmU3M2ExMzY/

 

INFECTION TRAFFIC

DOWNLOADING THE ZIP FILE:

• 2014-12-05 14:44:58 UTC - 192.168.204.134:49258 - 123.30.128.103:80 - muihoc.com - GET /CNN_online/get_news.php
• 2014-12-05 14:44:58 UTC - 192.168.204.134:49260 - 123.30.128.103:80 - muihoc.com - POST /CNN_online/get_news.php
• 2014-12-05 14:45:00 UTC - 192.168.204.134:49261 - 94.23.50.48:80 - counter1.allfreecounter.com - GET /private/counter.js?c=0aaa5681314464c873d8f4193405fb6b
• 2014-12-05 14:45:09 UTC - 192.168.204.134:49262 - 123.30.128.103:80 - muihoc.com - GET /CNN_online/get_news.php?h=900&w=1593&ua=Mozilla%2F4.0
  %20(compatible%3B%20MSIE%208.0%3B%20Windows%20NT%206.1%3B%20Trident%2F4.0%3B%20SLCC2%3B%20.NET%20CLR%202.0.50727%3B%20.NET
  %20CLR%203.5.30729%3B%20.NET%20CLR%203.0.30729)&e=1
• 2014-12-05 14:45:09 UTC - 192.168.204.134:49263 - 37.59.130.1:80 - static.dcoengine.com - GET /blank.gif

 

EXECUTING THE EXTRACTED EXE (UPATRE) IN A VM:

• 2014-12-05 14:52:29 UTC - 192.168.204.134:49268 - 177.124.228.4:46521 - 177.124.228.4:46521 - GET /0512uk13/38NTRGDFQKR-PC/0/61-SP1/0/
• 2014-12-05 14:52:30 UTC - 192.168.204.134:49269 - 177.124.228.4:46521 - 177.124.228.4:46521 - GET /0512uk13/38NTRGDFQKR-PC/1/0/0/
• 2014-12-05 14:52:32 UTC - 192.168.204.134:49270 - 205.134.224.148:80 - mrcarabiner.com - GET /images_2/inf13.jpa

 

DYRE TRAFFIC FROM THE INFECTED VM:

• 2014-12-05 14:52:51 UTC - 192.168.204.134:60692 - 66.228.45.110:3478 - UDP STUN traffic to: numb.viagenie.ca
• 2014-12-05 15:06:17 UTC - 192.168.204.134:18856 - 208.91.197.54:3478 - UDP STUN traffic to: s2.taraba.net
• 2014-12-05 15:06:34 UTC - 192.168.204.134:18856 - 77.72.174.163:3478 - UDP STUN traffic to: stun.voipbuster.com
• 2014-12-05 15:06:52 UTC - 192.168.204.134:18856 - 77.72.174.162:3478 - UDP STUN traffic to: stun.voipbuster.com

• 2014-12-05 14:53:06 UTC - 192.168.204.134:49273 - 212.56.214.129:443 - Dyre SSL traffic
• 2014-12-05 14:53:24 UTC - 192.168.204.134:49274 - 212.56.214.129:443 - Dyre SSL traffic
• 2014-12-05 14:53:27 UTC - 192.168.204.134:49275 - 212.56.214.129:443 - Dyre SSL traffic
• 2014-12-05 14:53:27 UTC - 192.168.204.134:49276 - 212.56.214.129:443 - Dyre SSL traffic
• 2014-12-05 14:53:30 UTC - 192.168.204.134:49277 - 212.56.214.129:443 - Dyre SSL traffic
• 2014-12-05 14:53:32 UTC - 192.168.204.134:49278 - 212.56.214.129:443 - Dyre SSL traffic
• 2014-12-05 14:53:35 UTC - 192.168.204.134:49280 - 212.56.214.129:443 - Dyre SSL traffic
• 2014-12-05 14:53:35 UTC - 192.168.204.134:49281 - 212.56.214.129:443 - Dyre SSL traffic
• 2014-12-05 14:53:35 UTC - 192.168.204.134:49282 - 85.10.194.10:443 - Dyre SSL traffic
• 2014-12-05 14:53:38 UTC - 192.168.204.134:49283 - 212.56.214.129:443 - Dyre SSL traffic
• 2014-12-05 14:53:38 UTC - 192.168.204.134:49284 - 85.10.194.10:443 - Dyre SSL traffic
• 2014-12-05 14:53:38 UTC - 192.168.204.134:49285 - 212.56.214.129:443 - Dyre SSL traffic
• 2014-12-05 14:53:41 UTC - 192.168.204.134:49286 - 85.10.194.10:443 - Dyre SSL traffic
• 2014-12-05 14:53:43 UTC - 192.168.204.134:49287 - 212.56.214.129:443 - Dyre SSL traffic
• 2014-12-05 14:53:43 UTC - 192.168.204.134:49288 - 212.56.214.129:443 - Dyre SSL traffic
• 2014-12-05 14:53:47 UTC - 192.168.204.134:49289 - 212.56.214.129:443 - Dyre SSL traffic
• 2014-12-05 14:57:02 UTC - 192.168.204.134:49294 - 212.56.214.129:443 - Dyre SSL traffic
• 2014-12-05 15:00:20 UTC - 192.168.204.134:49295 - 212.56.214.129:443 - Dyre SSL traffic
• 2014-12-05 15:03:38 UTC - 192.168.204.134:49296 - 212.56.214.129:443 - Dyre SSL traffic

• 2014-12-05 14:53:50 UTC - 192.168.204.134:63339 - 192.168.204.2:53 - DNS query for: cowpuncher.drollette.com (resolved to: 162.159.246.97)
• 2014-12-05 14:53:50 UTC - 192.168.204.134:51798 - 192.168.204.2:53 - DNS query for: cowpuncher.drollette.com (resolved to: 162.159.245.97)

• 2014-12-05 14:53:50 UTC - 192.168.204.134:49290 - 162.159.246.97:80 - [SYN]
• 2014-12-05 14:53:51 UTC - 162.159.246.97:80 - 192.168.204.134:49290 - [SYN, ACK]
• 2014-12-05 14:54:06 UTC - 162.159.246.97:80 - 192.168.204.134:49290 - [FIN, PSH, ACK]

• 2014-12-05 14:53:51 UTC - 192.168.204.134:49291 - 162.159.245.97:80 - [SYN]
• 2014-12-05 14:53:51 UTC - 162.159.245.97:80 - 192.168.204.134:49291 - [SYN, ACK]
• 2014-12-05 14:54:06 UTC - 162.159.245.97:80 - 192.168.204.134:49291 - [FIN, PSH, ACK]

• 2014-12-05 15:07:13 UTC - 192.168.204.134:64221 - 192.168.204.2:53 - DNS query for: cowpuncher.drollette.com (resolved to: 162.159.246.97)
• 2014-12-05 15:07:13 UTC - 192.168.204.134:65126 - 192.168.204.2:53 - DNS query for: cowpuncher.drollette.com (resolved to: 162.159.246.97)

• 2014-12-05 15:07:14 UTC - 192.168.204.134:49159 - 162.159.246.97:80 - [SYN]
• 2014-12-05 15:07:14 UTC - 162.159.246.97:80 - 192.168.204.134:49159 - [SYN, ACK]
• 2014-12-05 15:07:29 UTC - 162.159.246.97:80 - 192.168.204.134:49159 - [FIN, PSH, ACK]

• 2014-12-05 15:07:14 UTC - 192.168.204.134:49160 - 162.159.246.97:80 - [SYN]
• 2014-12-05 15:07:14 UTC - 162.159.246.97:80 - 192.168.204.134:49160 - [SYN, ACK]
• 2014-12-05 15:07:29 UTC - 162.159.246.97:80 - 192.168.204.134:49160 - [FIN, PSH, ACK]

• 2014-12-05 14:53:51 UTC - 192.168.204.134:54188 - 192.168.204.2:53 - DNS query for: reseed.i2p-projekt.de (resolved to: 81.7.7.4)
• 2014-12-05 14:53:51 UTC - 192.168.204.134:57600 - 192.168.204.2:53 - DNS query for: reseed.i2p-projekt.de (resolved to: 81.7.7.4)

• 2014-12-05 14:53:51 UTC - 192.168.204.134:49292 - 81.7.7.4:80 - [SYN]
• 2014-12-05 14:53:51 UTC - 192.168.204.134:49293 - 81.7.7.4:80 - [SYN]
• 2014-12-05 14:54:12 UTC - 81.7.7.4:80 - 192.168.204.134:49292 - [RST, ACK]
• 2014-12-05 14:54:12 UTC - 81.7.7.4:80 - 192.168.204.134:49293 - [RST, ACK]

• 2014-12-05 15:07:14 UTC - 192.168.204.134:52448 - 192.168.204.2:53 - DNS query for: reseed.i2p-projekt.de (resolved to: 81.7.7.4)
• 2014-12-05 15:07:14 UTC - 192.168.204.134:64079 - 192.168.204.2:53 - DNS query for: reseed.i2p-projekt.de (resolved to: 81.7.7.4)

• 2014-12-05 15:07:15 UTC - 192.168.204.134:49161 - 81.7.7.4:80 - [SYN]
• 2014-12-05 15:07:15 UTC - 192.168.204.134:49162 - 81.7.7.4:80 - [SYN]
• 2014-12-05 15:07:17 UTC - 81.7.7.4:80 - 192.168.204.134:49161 - [RST, ACK]
• 2014-12-05 15:07:17 UTC - 81.7.7.4:80 - 192.168.204.134:49162 - [RST, ACK]

• NOTE: pcap also has the same type of DNS traffic followed by incomplete TCP connections for www.google.com

• 2014-12-05 15:09:13 UTC - DNS request for: 4nhgyzrn2p2gejk57wveao5kxa7b3nhtc4saoonjpsy65mapycaua.b32.i2p (no such name)

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets monitoring the VM infection with Suricata 2.0.4 on Security Onion:

• 2014-12-05 14:44:58 UTC - 192.168.204.134:49260 - 123.30.128.103:80 - ET CURRENT_EVENTS Upatre redirector 29 Sept 2014 - POST (sid:2019321)
• 2014-12-05 14:44:58 UTC - 123.30.128.103:80 - 192.168.204.134:49260 - ET CURRENT_EVENTS suspicious embedded zip file in web page (sid:2019324)
• 2014-12-05 14:45:08 UTC - 192.168.204.134:49262 - 123.30.128.103:80 - ET CURRENT_EVENTS Upatre redirector GET Sept 29 2014 (sid:2019311)
• 2014-12-05 14:52:30 UTC - 192.168.204.134:49269 - 177.124.228.4:46521 - ET TROJAN Upatre Common URI Struct Dec 01 2014 (sid:2019847)
• 2014-12-05 14:52:32 UTC - 192.168.204.134:49270 - 205.134.224.148:80 - ET TROJAN Common Upatre Header Structure (sid:2018394)
• 2014-12-05 14:52:32 UTC - 192.168.204.134:49270 - 205.134.224.148:80 - ET TROJAN Common Upatre Header Structure 2 (sid:2018635)
• 2014-12-05 14:53:27 UTC - 212.56.214.129:443 - 192.168.204.134:49273 - ET TROJAN Possible Dyre SSL Cert (fake state) (sid:2019833)
• 2014-12-05 14:53:36 UTC - 85.10.194.10:443 - 192.168.204.134:49282 - ET TROJAN Possible Dyre SSL Cert (fake state) (sid:2019833)

 

Sourcefire VRT ruleset using tcpreplay and Snort 2.9.7.0 on Security Onion:

• 192.168.204.2:53 - 192.168.204.134:58400 - PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority (sid:254)
• 192.168.204.134:49260 - 123.30.128.103:80 - MALWARE-CNC Win.Trojan.Downloader variant download attempt (sid:32129)
• 123.30.128.103:80 - 192.168.204.134:49262 - INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file (sid:32646)
• 192.168.204.134:49568 - 192.168.204.2:53 - MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt (sid:30881)
• 192.168.204.2:53 - 192.168.204.134:49568 - PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected (sid:31738)

 

SCREENSHOTS FROM THE TRAFFIC

 

FINAL NOTES

Once again, here are the associated files:

• ZIP - CSV spreadsheet with partial tracking information for these emails:  2014-12-05-phishing-email-partial-message-tracking.csv.zip
• ZIP - PCAP of VM infection from downloading and running the malware:  2014-12-05-phishing-email-traffic.pcap.zip
• ZIP - associated malware:  2014-12-05-phishing-malware.zip
• ZIP - example of the phishing email with headers (sanitized):  2014-12-05-phishing-email-with-headers.txt.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.