2017-04-21 - USPS-THEMED MALSPAM CHANGES TO PARKING SERVICE MALSPAM

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-04-21-parking-service-malspam-pcaps.zip   1.7 MB (1,672,977 bytes)
• ZIP archive of the spreadsheet tracker:  2017-04-21-parking-service-malspam-tracker.csv.zip   0.9 kB (899 bytes)
• ZIP archive of the emails and artifacts/malware:  2017-04-21-parking-service-malspam-and-artifacts.zip   1.3 MB (1,272,122 bytes)

BACKGROUND ON THIS CAMPAIGN:

• 2017-04-11 - Internet Storm Center (ISC) InfoSec Forums: Malspam on 2017-04-11 pushes yet another ransomware variant
• 2017-04-12 - BleepingComputer: Mole Ransomware Distributed Through Fake online Word Docs
• 2017-04-12 - My Online Security - More USPS delivery messages delivering mole ransomware
• 2017-04-13 - My Online Security - Changes to fake USPS delivery messages delivering malware
• 2017-04-14 - Various tweets about this campaign on Twitter as it continued through Friday.
• 2017-04-15 through 2017-04-17 - Didn't notice any emails from this campaign on Saturday, Sunday, or Monday.
• 2017-04-18 - Malware-traffic-analysis.net - USPS-themed malspam resumes after weekend break
• 2017-04-19 - Malware-traffic-analysis.net - USPS-themed malspam continues pushing Panda Banker, Kovter, and Miuref

NOTES FOR TODAY:

• On 2017-04-21, the USPS-themed malspam campaign I've been reporting about changed to Parking Service-themed malspam
• Today, it was pushing Zeus Panda Banker (KINS), Kovter, and Smoke Loader

 

IMAGES

 

EMAILS

DATE/TIME:  Friday 2017-04-21 as early as 14:49 UTC through at least 17:55 UTC

SUBJECT:  Report-ID: [recipient's email address] 21/04/2017

SENDING EMAIL EXAMPLES (ALL SPOOFED):

• "Parking Service" <iwudumsf850@olgroupltd.com>
• "Parking Service" <luboqyje50@rhoentaxi.de>
• "Parking Service" <mykijep06577@rotarysamui.org>
• "Parking Service" <rucuaze278437@ijirts.org>
• "Parking Service" <rwuyhe03505@sakshichemsciences.com>
• "Parking Service" <suhyxud40532787@nexusbrandconsulting.co.za>
• "Parking Service" <sype02065717@counterdepthrefrigerators.us>
• "Parking Service" <w133444@chimneyhill.com>
• "Parking Service" <xdyn573536@theelitemarketingalliance.com>
• "Parking Service" <yzuuyif7050056@emckliniek.nl>

 

TRAFFIC

EXAMPLES OF LINKS FROM THE EMAILS:

• contentcrew.co.uk - GET /wp-content/uploads/2017/04/cxtmpr/sitemap.html
• gfkam.ru - GET /media/editors/tinymce/plugins/template/sitemap.html
• gigpig.co.uk - GET /wsssepc/sitemap.html
• katydrake.co.uk - GET /tmknm/sitemap.html
• komfortservices.co.uk - GET /rhvlqxfmd/sitemap.html
• midlandaerospace.com - GET /jsfm/sitemap.html

REDIRECT FROM THE EMAIL LINKS:

• senddeliverys.com - GET /tds

FAKE PARKING SERVICES SITE:

• parking-services.us (HTTPS)

PARTIAL URLS FROM THE EXTRACTED .JS FILES FOR FOLLOWUP MALWARE:

• antenimientos.mx - GET /js/skins/silver/images/counter
• cangas.ro - GET /old/libraries/cms/version/counter
• js-electronics.be - GET /administrator/components/com_installer/models/counter
• mantenimientos.mx - GET /js/skins/silver/images/counter
• petitions.ie - GET /FULL_ROOT_FILES_30Nov16/media/com_petitions_sign/js/counter
• spiritlifestyle.org - GET /.well-known/acme-challenge/counter/counter/counter

 

FILE HASHES

FAKE INVOICES:

SHA256 hash:  20e6c812f7d8688c9ccb24cc4e9c0fa2b71f1770f38b5571a60043043d4b4ac5
File name:  Invoice.js (1st run)
Analysis at:  https://www.reverse.it/sample/20e6c812f7d8688c9ccb24cc4e9c0fa2b71f1770f38b5571a60043043d4b4ac5?environmentId=100

SHA256 hash:  6ad0e26e0423838df19f00e178e47a1b65395b2b68055ecb07a99613208cc684
File name:  Invoice.js (2nd run)
Analysis at:  https://www.reverse.it/sample/6ad0e26e0423838df19f00e178e47a1b65395b2b68055ecb07a99613208cc684?environmentId=100

FOLLOW-UP MALWARE:

SHA256 hash:  545e3817ddeafd7b8406c1de57d6ea794629bf615f22c0ed18bf88c16e2d292d
File name:  exe1.exe (1st run)
File description:  Zeus Panda Banker (KINS)

SHA256 hash:  03974017388c6085175f111ee26c3833448b0551acf11063a13a916a75844321
File name:  exe2.exe (1st run)
File description:  Kovter

SHA256 hash:  1a7fbc76c3881cd9dcf292db25790a9aba6bf677308f9ea1b8f252657bc9c16c
File name:  exe3.exe (1st run)
File description:  Smoke Loader

SHA256 hash:  a4916151059e5f4065f1fb230f06205d1c9cddc5c779984b108e77a22e7c32e9
File name:  exe1.exe (2nd run)
File description:  Zeus Panda Banker (KINS)

SHA256 hash:  b1da6f66bf8049e58f17862ea5ca30bf27054ebb132e6360a68083bab640b70f
File name:  exe2.exe (2nd run)
File description:  Kovter

SHA256 hash:  08c462be614f6ac81cf78a59f254737beabb5c2abddc5b4bf6436e7d105c204a
File name:  exe3.exe (2nd run)
File description:  Smoke Loader

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-04-21-parking-service-malspam-pcaps.zip   1.7 MB (1,672,977 bytes)
• ZIP archive of the spreadsheet tracker:  2017-04-21-parking-service-malspam-tracker.csv.zip   0.9 kB (899 bytes)
• ZIP archive of the emails and artifacts/malware:  2017-04-21-parking-service-malspam-and-artifacts.zip   1.3 MB (1,272,122 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.