2015-01-13 - DYRE PHISHING RUN - SUBJECT: YOUR TAX RETURN WAS INCORRECTLY FILLED OUT
ASSOCIATED FILES:
- ZIP - PCAP from an infected VM: 2015-01-13-Dyre-phishing-run-traffic.pcap.zip
- ZIP - associated malware: 2015-01-13-malware-from-Dyre-phishing-run.zip
- ZIP - PCAP from malwr.com analysis of the Upatre downloader: 2015-01-13-malwr.com-analysis-of-the-upatre-downloader.pcap.zip
RELATED REPORTING:
- http://blog.dynamoo.com/2015/01/malware-spam-johnsmithmail-irsgov-your.html
- http://community.spiceworks.com/topic/735717-your-tax-return-was-incorrectly-filled-out
NOTES:
- The JavaScript in the traffic is obfuscated with jjencode (link for details) before the malware zip file is downloaded.
- The zip file downloaded from the link contains Upatre, and the Upatre downloader infects the host with Dyre.
- Previous Dyre campaigns I've documented:
  - 2014-09-26 - Phishing campaign - Subject: Transaction not complete
  - 2014-10-03 - Phishing campaign - incoming fax reports - fake HMRC tax notification
  - 2014-10-04 - Rig EK and Upatre from phishing emails
  - 2014-11-13 - Phishing campaign - Subject: You have received a new secure message from BankLine
  - 2014-12-05 - Upatre/Dyre phishing campaign - Subject: Video shows Norwegian fighter pilot's
EXAMPLE OF THE EMAILS
SCREENSHOT:
MESSAGE TEXT:
From: John Smith <john.smith@mail-irs.gov>
Sent: 13 January 2015 [various times]
To:
Subject: Your tax return was incorrectly filled out
Attention: Owner/ Manager
We would like to inform you that you have made mistakes while completing the last tax form application (ID: [12 digit number]).
Please follow the advice of our tax specialists HERE
Please amend the mistakes and send the corrected tax return to your tax agent as soon as possible.
Yours sincerely
SOME LINKS FROM THE VARIOUS EMAILS:
jamjase.com - GET /taxadmin/get_doc.html
lnails.com - GET /taxadmin/get_doc.html
lsrj.in - GET /taxadmin/get_doc.html
monarchslo.com - GET /taxadmin/get_doc.html
omrdatacapture.com - GET /taxadmin/get_doc.html
prefeituraportoestrela.com - GET /taxadmin/get_doc.html
rfurniture.com - GET /taxadmin/get_doc.html
savoretti-ds.it - GET /taxadmin/get_doc.html
semiyun.com - GET /taxadmin/get_doc.html
serressabrevois.ca - GET /taxadmin/get_doc.html
solarbearrecords.com - GET /taxadmin/get_doc.html
INFECTION TRAFFIC
WHAT YOU'LL SEE IF THE EMAIL LINK IS SUCCESSFUL:
TRAFFIC FROM THE INFECTED VM:
- 2015-01-13 15:23:40 UTC - 81.169.145.158 port 80 - lnails.com - GET /taxadmin/get_doc.html
- 2015-01-13 15:23:41 UTC - 74.118.68.160 port 80 - room.rd-webhosting.com - GET /js/jquery-1.14.94.js
- 2015-01-13 15:23:41 UTC - 217.78.1.156 port 80 - kerrydrivinglessons.com - GET /js/jquery-1.14.94.js
- 2015-01-13 15:23:42 UTC - 74.118.68.160 port 80 - room.rd-webhosting.com - GET /js/jquery-1.14.94.js?vnvKwhZI2QkRoQA=[user agent of web browser]
- 2015-01-13 15:23:43 UTC - 74.118.68.160 port 80 - room.rd-webhosting.com - GET /js/jquery-1.14.94.js?get_message=889671283
- 2015-01-13 15:26:57 UTC - 202.153.35.133 port 19621 - 202.153.35.133:19621 - GET /1301us23/WIN-C2KE6N4W3N1/0/61-SP1/0/
- 2015-01-13 15:26:58 UTC - 202.153.35.133 port 19621 - 202.153.35.133:19621 - GET /1301us23/WIN-C2KE6N4W3N1/1/0/0/
- 2015-01-13 15:27:00 UTC - 141.8.195.84 port 80 - dstkom.com - GET /mandoc/lit23.pdf
- 2015-01-13 15:27:19 UTC - 202.153.35.133 port 19623 - 202.153.35.133:19623 - GET /1301us23/WIN-C2KE6N4W3N1/41/7/4/
- 2015-01-13 15:28:31 UTC - 95.211.156.95 port 443 - SSL/HTTPS traffic [several TCP sessions]
- 2015-01-13 15:28:46 UTC - 195.154.241.47 port 443 - SSL/HTTPS traffic [several TCP sessions]
- 2015-01-13 15:27:48 UTC - 77.72.174.163 port 3478 - UDP STUN traffic to: stun.voipbuster.com
- Malwr.com's analysis of the Upatre downloader shows an additional HTTP request for: 216.251.43.17 - heritageonlineauctions.com - GET /mandoc/lit23.pdf
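The traffic listing above carries several indicators a defender can pull out of proxy or Bro/Zeek-style HTTP logs without needing the Snort rules: the Upatre check-in URI shape (campaign tag, victim hostname, numeric fields), a Host header that is a bare IP:port, HTTP on a non-standard port, and a jQuery filename whose version number never existed (the 1.x branch ended at 1.12.4). The script below is an added example written for this page, not the author's code or any vendor signature; its log format mirrors the listing, the sample lines are copied from it plus one constructed benign request, and the Upatre URI regex is an assumption generalised from the three check-in URIs shown here.

```python
import re
from dataclasses import dataclass

# Constructed sample input: four lines taken from the page's traffic listing
# (kept in the page's "timestamp - ip port - host - request" layout, with the
# separator before the method left inconsistent as it is on the page) plus
# one made-up benign jQuery request on a TEST-NET address for contrast.
SAMPLE_LOG = """\
2015-01-13 15:23:40 UTC - 81.169.145.158 port 80 - lnails.com - GET /taxadmin/get_doc.html
2015-01-13 15:23:41 UTC - 74.118.68.160 port 80 - room.rd-webhosting.com - GET /js/jquery-1.14.94.js
2015-01-13 15:26:57 UTC - 202.153.35.133 port 19621 - 202.153.35.133:19621 GET /1301us23/WIN-C2KE6N4W3N1/0/61-SP1/0/
2015-01-13 15:27:19 UTC - 202.153.35.133 port 19623 - 202.153.35.133:19623 GET /1301us23/WIN-C2KE6N4W3N1/41/7/4/
2015-01-13 15:30:00 UTC - 203.0.113.10 port 80 - cdn.example.net - GET /js/jquery-1.11.2.min.js
"""

# One listing line; the " -" before the method is optional because the page omits it on some lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC) - "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) - "
    r"(?P<host>\S+)(?: -)? (?P<method>[A-Z]+) (?P<uri>\S+)$"
)

# Upatre check-in shape as seen on this page:
#   /<4 digits><2 letters><2 digits>/<victim hostname>/<n>/<n or OS tag>/<n>/
# Assumption: generalised from the three URIs in the listing, not an official signature.
UPATRE_URI_RE = re.compile(r"^/\d{4}[a-z]{2}\d{2}/[A-Za-z0-9-]+/\d+/[A-Za-z0-9-]+/\d+/$")

# Host header that is a bare IPv4 address, optionally with a port.
BARE_IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

# jQuery filename with a three-part version; the last release of each retired
# branch is 1.12.4 and 2.2.4, so a "newer" version on those branches is fake.
JQUERY_RE = re.compile(r"jquery-(\d+)\.(\d+)\.(\d+)(?:\.min)?\.js$")
JQUERY_BRANCH_MAX = {1: (12, 4), 2: (2, 4)}


@dataclass
class Finding:
    line_no: int
    indicator: str
    detail: str


def check_line(line_no, m):
    """Return the indicator findings for one parsed log line."""
    findings = []
    host, uri, port = m["host"], m["uri"], int(m["port"])
    if UPATRE_URI_RE.match(uri):
        findings.append(Finding(line_no, "upatre-checkin-uri", uri))
    if BARE_IP_HOST_RE.match(host):
        findings.append(Finding(line_no, "bare-ip-host-header", host))
    if port not in (80, 8080):
        findings.append(Finding(line_no, "http-on-nonstandard-port", str(port)))
    jq = JQUERY_RE.search(uri)
    if jq:
        major, minor, patch = (int(x) for x in jq.groups())
        branch_max = JQUERY_BRANCH_MAX.get(major)
        if branch_max and (minor, patch) > branch_max:
            findings.append(Finding(line_no, "nonexistent-jquery-version", f"{major}.{minor}.{patch}"))
    return findings


def analyze(log_text):
    """Parse every line of the listing; return (findings, line numbers that did not parse)."""
    findings, unparsed = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(n)
            continue
        findings.extend(check_line(n, m))
    return findings, unparsed


if __name__ == "__main__":
    found, bad = analyze(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.indicator} ({f.detail})")
    if bad:
        print("unparsed lines:", bad)
```

Each check is deliberately weak on its own (a bare-IP Host header or an odd port is common in benign traffic), so the value is in seeing several of them land on the same line and the same destination, as they do for 202.153.35.133 here; in a real pipeline the per-line findings would be grouped by source host and destination before alerting.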
SNORT EVENTS FROM INFECTED VM
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):
- 74.118.68.160 port 80 - ET CURRENT_EVENTS Upatre IE Redirector Receiving Payload Jan 9 2015 (sid:2020160)
- 202.153.35.133 port 19621 - ET TROJAN Upatre Common URI Struct Dec 01 2014 (sid:2019847)
- 202.153.35.133 port 19621 - ETPRO TROJAN Common Downloader Header Pattern UHCa (sid:2803270)
- 141.8.195.84 port 80 - ET TROJAN Common Upatre Header Structure 2 (sid:2018635)
- 95.211.156.95 port 443 - ET TROJAN Possible Dyre SSL Cert (fake state) (sid:2019833)
- 195.154.241.47 port 443 - ET TROJAN Possible Dyre SSL Cert (fake state) (sid:2019833)
Talos (VRT) ruleset from Snort 2.9.7.0 on Debian 7 (not including preprocessor events):
- 74.118.68.160 port 80 - [1:27875:3] EXPLOIT-KIT Javascript obfuscation technique - has been observed in Rmayana/DotkaChef/DotCache exploit kit
- 217.78.1.156 port 80 - [1:27875:3] EXPLOIT-KIT Javascript obfuscation technique - has been observed in Rmayana/DotkaChef/DotCache exploit kit
- 74.118.68.160 port 80 - [1:32646:1] INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file
PRELIMINARY MALWARE ANALYSIS
DOWNLOADED ZIP FILE:
File name: message.zip
EXTRACTED MALWARE (UPATRE):
File name: tax_guide_pdf.exe
File size: 140.8 KB ( 144200 bytes )
MD5 hash: d5b1370d307b788bc0bd23e744269eca
Detection ratio: 4 / 57
First submission: 2015-01-13 21:27:40 UTC
VirusTotal link: https://www.virustotal.com/en/file/7e8cec257294080d9562fa671dffdbbcdb2ec6492421ece90ca7bb21cb9719f7/analysis/
Malwr link: https://malwr.com/analysis/OWM0YjY3NTRlYmU5NDczNWI4OWVhYjUzN2JmZTE4YzI/
DROPPED MALWARE FOUND ON THE INFECTED VM (DYRE):
File name: C:\Windows\tjAOlTTnXUTOMbL.exe
File size: 390.5 KB ( 399872 bytes )
MD5 hash: 7e7d8325dec4cc8c3244dd1c2d3c653a
Detection ratio: 10 / 57
First submission: 2015-01-13 15:00:32 UTC
VirusTotal link: https://www.virustotal.com/en/file/9cb95959bec83625a6cd9e2dd7d2261bc5715efb28124e600d9db357ea3912dc/analysis/
Malwr link: https://malwr.com/analysis/ZDcxNmRjZDEyNjcyNDdkNDk0YTQyOTkwYWYyMGE0MjU/
FINAL NOTES
Once again, here are the associated files:
- ZIP - PCAP from an infected VM: 2015-01-13-Dyre-phishing-run-traffic.pcap.zip
- ZIP - associated malware: 2015-01-13-malware-from-Dyre-phishing-run.zip
- ZIP - PCAP from malwr.com analysis of the Upatre downloader: 2015-01-13-malwr.com-analysis-of-the-upatre-downloader.pcap.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.