2015-02-02 - MALSPAM RUN PUSHES CHANITOR - SUBJECT: LOGMEIN PROMO CODE - GET 50% OFF YOUR NEXT PURCHASE
ASSOCIATED FILES:
- ZIP of the pcap: 2015-02-02-malspam-email-infected-VM-traffic.pcap.zip
- ZIP of the associated malware: 2015-02-02-malspam-email-malware.zip
NOTES:
- Based on the Emerging Threats signature hits, the malicious Word document from this email downloaded a version of Chanitor.
- UPDATE: Someone notified me this version of Chanitor is pulling in Vawtrak (although I couldn't get the Chanitor sample to work properly on my infected VM).
EXAMPLE OF THE EMAILS
SCREENSHOT:
MESSAGE TEXT:
From: "LogMeIn.com" <no-reply@logmein.com>
Date: Monday, February 2, 2015 at 8:20 AM CST
To:
Subject: LogMeIn Promo Code - Get 50% off your next purchase
Dear client,
In early January 2015, we have launched new versions of LogMeIn Central designed to deliver improved security to our customers.
For security reasons, every account must be updated to one of the new LogMeIn Central interfaces ( Central Basic , Central Plus , Central Premier ).
Coupon codes have been awarded to our clients, in order to encourage early subscription to the new interface.
Your account has been selected for a 50% discount on your next LogMein purchase.
The coupon code ( valid for 3 days ) and instructions on how to use it have been included in the attached document.
For more information regarding the new LogMeIn Central , visit our blog :
http://blog.logmein.com/it-management/year-central
Thank you for choosing LogMeIn
Attachment: logmein_coupon_code.doc (49.7 KB)
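The lure above is a plain malspam pattern: a spoofed brand sender, a time-limited offer, and the "details" in an attached Word document. The following Python is an added triage example, not code from this site or from any tool used in the writeup. It builds a constructed lookalike of the message (the attachment is just an OLE2 header plus filler, so its hashes will not match the real sample), then does what a first pass on such a message should do: compare the From domain with the Return-Path, pull each attachment, type it by magic bytes rather than by extension, hash it, and check the MD5 against the known-bad hashes listed later on this page. The Return-Path value and the victim address are assumptions.

```python
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Known-bad MD5s from this page's preliminary malware analysis section.
KNOWN_BAD_MD5 = {
    "972751827473ecfdb959c2233a67bdb8",  # logmein_coupon_code.doc
    "4f27da033ca92c28576be5270b923128",  # winlogin.exe (Chanitor)
}

# Magic-byte signatures; a legacy OLE2 .doc is the container that carries VBA macros.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),
    (b"PK\x03\x04", "zip"),   # OOXML (.docx/.xlsx) or a plain zip
    (b"MZ", "pe"),
    (b"%PDF", "pdf"),
]
EXT_EXPECT = {"doc": "ole2", "xls": "ole2", "docx": "zip",
              "xlsx": "zip", "exe": "pe", "pdf": "pdf"}


def file_type(data):
    """Type a blob by its leading bytes, ignoring the claimed extension."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def triage_attachment(part):
    data = part.get_payload(decode=True)
    name = part.get_filename() or ""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = file_type(data)
    md5 = hashlib.md5(data).hexdigest()
    return {
        "filename": name,
        "size": len(data),
        "declared_type": part.get_content_type(),
        "magic_type": kind,
        "md5": md5,
        "sha256": hashlib.sha256(data).hexdigest(),
        # Extension claims one format, bytes say another: classic disguise.
        "ext_mismatch": ext in EXT_EXPECT and EXT_EXPECT[ext] != kind,
        "macro_capable": kind == "ole2",
        "known_bad": md5 in KNOWN_BAD_MD5,
    }


def _domain(addr):
    return addr.rsplit("@", 1)[-1].rstrip(">").strip().lower() if "@" in addr else ""


def triage(raw_eml):
    """Parse a raw RFC 5322 message and return sender and attachment findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    from_domain = _domain(str(msg.get("From", "")))
    rp_domain = _domain(str(msg.get("Return-Path", "")))
    return {
        "subject": str(msg.get("Subject", "")),
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        # Brand in From but bounces go elsewhere: a cheap spoofing indicator.
        "sender_mismatch": bool(rp_domain) and rp_domain != from_domain,
        "attachments": [triage_attachment(p) for p in msg.iter_attachments()],
    }


def build_sample_eml():
    """Constructed lookalike of the lure (not the real malspam message)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = '"LogMeIn.com" <no-reply@logmein.com>'
    msg["Return-Path"] = "<bounce@mailer.example>"      # assumed value
    msg["To"] = "victim@example.net"                    # assumed value
    msg["Subject"] = "LogMeIn Promo Code - Get 50% off your next purchase"
    msg.set_content("Dear client, the coupon code is in the attached document.")
    fake_doc = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504  # OLE2 header + filler
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="logmein_coupon_code.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    report = triage(build_sample_eml())
    print(report["subject"], "| sender_mismatch:", report["sender_mismatch"])
    for att in report["attachments"]:
        print(att)
```

On a real .eml, `triage(open(path, "rb").read())` gives the same report; an attachment that is `ole2` and `macro_capable` is the one to detonate or hand to an OLE/VBA parser next, and a `known_bad` hit means the sample is already on this page.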
TRAFFIC FROM INFECTED VM
ASSOCIATED DOMAINS:
- 146.185.213.35 port 80 - 146.185.213.35 - HTTP GET request by the malicious document for malware
- 194.150.168.70 port 443 - ho7rcj6wucosa5bu.tor2web.org - HTTPS (encrypted) post-infection traffic from the Chanitor sample to a Tor2Web proxy for a .onion address
TRAFFIC SEEN:
- 2015-02-02 16:17:13 UTC - 146.185.213.35 - GET /upd/install.exe
- 2015-02-02 16:18:03 UTC - HTTPS traffic to: api.ipify.org (checks the IP address of the infected host)
- 2015-02-02 16:18:04 UTC - www.download.windowsupdate.com - GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab
- 2015-02-02 16:18:04 UTC - HTTPS traffic to: ho7rcj6wucosa5bu.tor2web.org (Tor2Web .onion proxy; this kind of traffic is also common to ransomware samples, but the signature hits attribute it to Chanitor here).
SNORT EVENTS FROM INFECTED VM
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):
- DNS query for: ho7rcj6wucosa5bu.tor2web.org - ETPRO TROJAN Win32/Chanitor.A .onion Proxy domain lookup (sid:2809214)
- 194.150.168.70 port 443 - ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1) (sid:2016806)
Talos (Sourcefire VRT) ruleset from Snort 2.9.7.0 on Debian 7:
- 146.185.213.35 port 80 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 146.185.213.35 port 80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- DNS query for: ho7rcj6wucosa5bu.tor2web.org - [1:33216:1] INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org
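The traffic and the Snort hits above describe one chain: an .exe fetched from a bare IP, a PE magic in the response, and then a DNS lookup and TLS session for a 16-character .onion name fronted by a Tor2Web proxy. The following Python is an added example, not part of this page or of any ruleset quoted here. It runs that logic over a few constructed log lines (not lines from the pcap) in a simple pipe-delimited form, raises the same per-event alerts the rules would, and then correlates them per source host so a download followed by a Tor2Web lookup inside a time window is reported as a chain rather than as unrelated events. The log format, the internal IP addresses and the 300-second window are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines (assumed format): timestamp|src_ip|dst_ip|dst_port|kind|detail
# They mirror the sequence seen on this page plus one unrelated host as a control.
SAMPLE_LOG = """\
2015-02-02 16:17:13|10.2.2.20|146.185.213.35|80|http|GET /upd/install.exe Host=146.185.213.35
2015-02-02 16:17:14|10.2.2.20|146.185.213.35|80|body|4d5a90000300000004000000ffff0000
2015-02-02 16:18:03|10.2.2.20|10.2.2.1|53|dns|api.ipify.org
2015-02-02 16:18:04|10.2.2.20|10.2.2.1|53|dns|www.download.windowsupdate.com
2015-02-02 16:18:04|10.2.2.20|10.2.2.1|53|dns|ho7rcj6wucosa5bu.tor2web.org
2015-02-02 16:18:05|10.2.2.20|194.150.168.70|443|tls|sni=ho7rcj6wucosa5bu.tor2web.org
2015-02-02 16:20:00|10.2.2.21|10.2.2.1|53|dns|www.example.org
"""

# A v2 .onion name is 16 base32 characters; Tor2Web exposes it as <onion>.tor2web.<tld>,
# which is the shape the ETPRO Chanitor rule and the Talos tor2web.org rule key on.
ONION_PROXY_RE = re.compile(r"^[a-z2-7]{16}\.tor2web\.[a-z]+$", re.I)
HTTP_RE = re.compile(r"^GET (?P<uri>\S+) Host=(?P<host>\S+)$")
PE_MAGIC = b"MZ"   # what sid 15306 looks for at the start of the body


def parse_line(line):
    ts, src, dst, dport, kind, detail = line.split("|", 5)
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src": src,
            "dst": dst, "dport": int(dport), "kind": kind, "detail": detail}


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(ev):
    """Return an alert tag for one event, or None if it is benign by these checks."""
    if ev["kind"] == "http":
        m = HTTP_RE.match(ev["detail"])
        if m and is_bare_ip(m.group("host")) and m.group("uri").lower().endswith(".exe"):
            return "EXE_FROM_BARE_IP"          # sid 11192 equivalent, plus the IP-host heuristic
    elif ev["kind"] == "body":
        if bytes.fromhex(ev["detail"]).startswith(PE_MAGIC):
            return "PE_MAGIC"                  # sid 15306 equivalent
    elif ev["kind"] == "dns":
        if ONION_PROXY_RE.match(ev["detail"]):
            return "TOR2WEB_ONION_LOOKUP"      # sid 2809214 / 33216 equivalent
    elif ev["kind"] == "tls":
        if ev["detail"].startswith("sni=") and ONION_PROXY_RE.match(ev["detail"][4:]):
            return "TOR2WEB_TLS"               # sid 2016806 equivalent (SNI instead of cert)
    return None


def detect(log_text, window_seconds=300):
    """Return (per-event alerts, {src: True if download-then-Tor2Web chain seen})."""
    alerts = []
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        tag = classify(ev)
        if tag:
            alerts.append((ev["src"], tag, ev["detail"]))
            by_src[ev["src"]].append((ev["ts"], tag))
    chains = {}
    for src, tagged in by_src.items():
        downloads = [t for t, tag in tagged if tag == "EXE_FROM_BARE_IP"]
        proxy_hits = [t for t, tag in tagged if tag.startswith("TOR2WEB")]
        # Chain: executable download followed, within the window, by Tor2Web activity.
        chains[src] = any(0 <= (c - d).total_seconds() <= window_seconds
                          for d in downloads for c in proxy_hits)
    return alerts, chains


if __name__ == "__main__":
    found, verdicts = detect(SAMPLE_LOG)
    for src, tag, detail in found:
        print(f"{src}  {tag:22s} {detail}")
    print("chain verdicts:", dict(verdicts))
```

The per-event tags are roughly what the rules above give you individually; the chain verdict is the part the rules do not give, and it is what turns a noisy "download of executable content" hit into a host worth pulling for the rest of the pcap.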
PRELIMINARY MALWARE ANALYSIS
EMAIL ATTACHMENT:
File name: logmein_coupon_code.doc
File size: 36.8 KB ( 37689 bytes )
MD5 hash: 972751827473ecfdb959c2233a67bdb8
Detection ratio: 2 / 57
First submission: 2015-02-02 15:19:13 UTC
VirusTotal link: https://www.virustotal.com/en/file/df7f7f8662300996ab1956fafdf04ab6b18e9f8a7d84d6e36c23b58bbcf84f0c/analysis/
DROPPED MALWARE (CHANITOR):
File name: winlogin.exe
File size: 123.5 KB ( 126464 bytes )
MD5 hash: 4f27da033ca92c28576be5270b923128
Detection ratio: 1 / 57
First submission: 2015-02-02 16:03:59 UTC
VirusTotal link: https://www.virustotal.com/en/file/4e10f46a37f0168c16a5b09d8e7f3934bcddc4411b34916d8497ec1a7e52a9fc/analysis/
Malwr link: https://malwr.com/analysis/ZDk5MTkwNDZiNzExNDQzOTk1MmZmYTk1YzU2NzFmZWM/
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2015-02-02-malspam-email-infected-VM-traffic.pcap.zip
- ZIP of the associated malware: 2015-02-02-malspam-email-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.