2017-04-05 - MALSPAM - SUBJECT: PROBLEM WITH YOUR ORDER
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-04-05-malspam-traffic.pcap.zip 3.1 MB (3,117,035 bytes)
- 2017-04-05-malspam-traffic.pcap (3,325,479 bytes)
- ZIP archive of the malware: 2017-04-05-malspam-and-artifacts.zip 3.2 MB (3,221,581 bytes)
- 2017-04-04-malspam-0617-UTC.eml (9,00 bytes)
- issue2014.js (23,316 bytes)
- 31195.exe (3,229,020 bytes)
INTRODUCTION
As a volunteer Handler for the Internet Storm Center (ISC), I receive emails sent to the ISC Handlers email distro. On Tuesday 2017-04-04, we received the following notification:
From: [redacted]
Sent: Tuesday, 2017-04-04 15:04 UTC
Subject: phish link to obfuscated Java script
Hi
The attached email links to [hxxp://]4safedrivers.link/orders/issue2014.php which drops an obfuscated java script. The URL 4safedrivers.link has anonymous whois out of Australia, but 4safedrivers.com appears to be a legit company. I haven't had time to deobfuscate it.
Thanks
John
[signature block, redacted]
The malware is TeamViewer packaged as spyware and a remote access tool (RAT). Associated files had already been submitted to VirusTotal before I looked at it, so John wasn't the only one who received an email like this.
This blog post is dedicated to John and others who notify the ISC about malicious spam (malspam) and other suspicious network activity. If you run across anything interesting, let us know through our contact form. We may not always have time to investigate every notification, but they're always appreciated.
Shown above: Screen shot of the malspam John provided us.
EMAIL HEADERS:
- Date/Time: Tuesday 2017-04-04 at 06:17 UTC
- From: (possibly spoofed) "Edward Anderson" <post@glen.com>
- Subject: problem with your order
Shown above: .js file returned from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- 85.93.31.158 port 80 - 4safedrivers.link - GET /orders/issue2014.php
- 85.93.31.158 port 80 - www.fightshop4u-gift.nl - GET /SFX2.exe
- 193.111.63.116 port 80 - 193.111.63.116 - GET /stats/update.php?id=[9-digit number]&stat=[string of alphanumeric characters]
- 37.252.230.28 port 5938 - ping3.teamviewer.com [TeamViewer traffic - not inherently malicious]
- 178.77.129.102 port 5938 - master13.teamveiwer.com [TeamViewer traffic - not inherently malicious]
- 169.55.36.104 port 5938 - server18106.teamviewer.com [TeamViewer traffic - not inherently malicious]
FILE HASHES
.JS FILE FROM LINK IN THE MALSPAM:
- SHA256 hash: 346294859086cb4d0e1fce0ae50cb5cfa64647cca5a4a882b38b9d9444c5ab92
File name: issue2014.js
File size: 23,316 bytes
MALWARE FROM THE INFECTED HOST:
- SHA256 hash: 28d47f653cda2699e54ed54809af2587dd1de04df5cec184c0c5f9dc15bf26d7
File location: C:\Users\[username]\AppData\Local\Temp\[5 random digits].exe
File size: 3,229,020 bytes
File description: TeamViewer packaged as spyware/remote access tool (RAT)
Shown above: The TeamViewer-based spyware/RAT downloaded by the .js file.
IMAGES
Shown above: TeamViewer files in a hidden directory on my infected lab host.
FINAL WORDS
This TeamViewer-based malware package is nothing new. For example, Kaspersky published a report in 2013 on how TeamViewer was abused for Cyber Espionage (link). These TeamView-based malware packages previously earned the nickname "TeamSpy."
I don't think this particular malspam is associated with actual cyber espionage (though I could be wrong about that). The non-TeamViewer callback IP address 193.111.63.116 belongs to a Ukrainian hosting provider. To me, this example feels more like commodity malware used in crimware campaigns.
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-04-05-malspam-traffic.pcap.zip 3.1 MB (3,117,035 bytes)
- ZIP archive of the malware: 2017-04-05-malspam-and-artifacts.zip 3.2 MB (3,221,581 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.