2017-04-04 - CERBER/KOVTER MALSPAM - SUBJECT: OUR UPS COURIER CAN NOT CONTACT YOU

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-04-04-Cerber-Kovter-malspam-traffic.pcap.zip   1.6 MB (1,583,688 bytes)

• 2017-04-04-Cerber-Kovter-malspam-traffic.pcap   (3,138,096 bytes)

• ZIP archive of the malware:  2017-04-04-Cerber-Kovter-malspam-and-artifacts.zip   552 kB (552,098 bytes)

• 2017-04-03-Cerber-Kovter-malspam-2143-UTC.eml   (2,996 bytes)
• 2017-04-04-Cerber-from-UPS-malspam.exe   (272,041 bytes)
• 2017-04-04-Kovter-from-UPS-malspam.exe   (369,850 bytes)
• UPS-Parcel-ID-9755405.doc.js-recovered.txt   (786 bytes)
• UPS-Parcel-ID-9755405.zip-corrupt   (1,010 bytes)

NOTES:

• The zip attachment was corrupt, so I could only partially recover its contents.  However, that was enough to get the domains and URLs used by the .js file.

 

EMAIL

Shown above:  Screen shot of the email.

 

EMAIL HEADERS:

• Date/Time:  Monday 2017-04-03 at 21:43 UTC
• From:  master@zaomaster.ru
• Subject:  Our UPS courier can not contact you (parcel #9755405)
• Attachment name:  UPS-Parcel-ID-9755405.zip
• Extracted file name:  UPS-Parcel-ID-9755405.doc.js (partially recovered because zip archive is corrupt)

 

Shown above:  Attachment taken from the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

URLS GENERATED BY EXTRACTED .JS FILE:

• 173.201.198.128 port 80 - ccmiti.com - GET /counter/?0000001JvFK[long string of characters]
• 182.50.148.1 port 80 - crescentcorporation.com.pk - GET /counter/?0000001JvFK[long string of characters]
• 50.63.42.1 port 80 - jasonanthonymusic.com - GET /counter/?0000001JvFK[long string of characters]
• 5.101.152.97 port 80 - irbgroup.ru - GET /counter/?0000001JvFK[long string of characters]
• 212.59.186.61 port 80 - w3sa.ch - GET /counter/?0000001JvFK[long string of characters]

CERBER POST-INFECTION HTTP TRAFFIC:

• 193.169.135.166 port 80 - p27dokhpz2n7nvgr.1czh7o.top

CERBER POST-INFECTION UDP TRAFFIC:

• 149.202.64.0 to 149.202.64.31 (149.202.64.0/27) UDP port 6892
• 149.202.122.0 to 149.202.122.31 (149.202.122.0/27) UDP port 6892
• 149.202.248.0 to 149.202.251.255 (149.202.248.0/22) UDP port 6892

KOVTER POST-INFECTION HTTP TRAFFIC:

• 52.39.151.29 port 80 - 52.39.151.29 - POST /
• 104.20.41.180 port 80 - 104.20.41.180 - POST /
• 115.159.103.77 port 80 - 115.159.103.77 - POST /
• 186.182.161.79 port 80 - 186.182.161.79 - POST /
• 207.154.223.2 port 80 - 207.154.223.2 - POST /
• 220.181.167.5 port 80 - game.funshion.com - Chinese site, probably legit, possibly used for network connectivity check?

KOVTER POST-INFECTION HTTPS/SSL/TLS TRAFFIC:

• 52.39.151.29 port 443 - simulator.iteros.net - HTTPS/SSL/TLS traffic
• 90.80.81.217 port 443 - HTTPS/SSL/TLS traffic
• various IP addresses over TCP ports 443 and 8080 - Attempted connections and Kovter post-infection traffic (see images section below for more details)

 

FILE HASHES

CORRUPT ZIP ATTACHMENT FROM THE EMAIL:

• SHA256 hash:  9bc58dd3bd7bae7148a80f0e047cd9d290a3d1e4bfca5203baeaa7a3db628e86
  File name:  UPS-Parcel-ID-9755405.zip

CERBER AND KOVTER BINARIES:

• SHA256 hash:  de5b8612bc01bf22d724c72462785746a595aae168c6a87378bdacd4d8b53a4c
  File description:  Cerber executable downloaded by .js file from malspam

• SHA256 hash:  6b2282ab8d5c0de940a9ea029a844a33a28c0fa870469aa8cebcc810f5508d25
  File description:  Kovter executable downloaded by .js file from the malspam

 

IMAGES

Shown above:  Some alerts on the traffic from the Emerging Threats Pro (ETPRO) ruleset using Sguil on Security Onion.

 

Shown above:  Getting a better idea of the Kovter post-infection traffic through filtering in Wireshark.

 

Shown above:  Getting a better idea of the Kovter post-infection traffic through escalating the events in Security Onion.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-04-04-Cerber-Kovter-malspam-traffic.pcap.zip   1.6 MB (1,583,688 bytes)
• ZIP archive of the malware:  2017-04-04-Cerber-Kovter-malspam-and-artifacts.zip   552 kB (552,098 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.