2017-04-21 - USPS-THEMED MALSPAM CHANGES TO PARKING SERVICE MALSPAM
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2017-04-21-parking-service-malspam-pcaps.zip 1.7 MB (1,672,977 bytes)
- ZIP archive of the spreadsheet tracker: 2017-04-21-parking-service-malspam-tracker.csv.zip 0.9 kB (899 bytes)
- ZIP archive of the emails and artifacts/malware: 2017-04-21-parking-service-malspam-and-artifacts.zip 1.3 MB (1,272,122 bytes)
BACKGROUND ON THIS CAMPAIGN:
- 2017-04-11 - Internet Storm Center (ISC) InfoSec Forums: Malspam on 2017-04-11 pushes yet another ransomware variant
- 2017-04-12 - BleepingComputer: Mole Ransomware Distributed Through Fake online Word Docs
- 2017-04-12 - My Online Security - More USPS delivery messages delivering mole ransomware
- 2017-04-13 - My Online Security - Changes to fake USPS delivery messages delivering malware
- 2017-04-14 - Various tweets about this campaign on Twitter as it continued through Friday.
- 2017-04-15 through 2017-04-17 - Didn't notice any emails from this campaign on Saturday, Sunday, or Monday.
- 2017-04-18 - Malware-traffic-analysis.net - USPS-themed malspam resumes after weekend break
- 2017-04-19 - Malware-traffic-analysis.net - USPS-themed malspam continues pushing Panda Banker, Kovter, and Miuref
NOTES FOR TODAY:
- On 2017-04-21, the USPS-themed malspam campaign I've been reporting about changed to Parking Service-themed malspam
- Today, it was pushing Zeus Panda Banker (KINS), Kovter, and Smoke Loader
IMAGES
EMAILS
DATE/TIME: Friday 2017-04-21 as early as 14:49 UTC through at least 17:55 UTC
SUBJECT: Report-ID: [recipient's email address] 21/04/2017
SENDING EMAIL EXAMPLES (ALL SPOOFED):
- "Parking Service" <iwudumsf850@olgroupltd.com>
- "Parking Service" <luboqyje50@rhoentaxi.de>
- "Parking Service" <mykijep06577@rotarysamui.org>
- "Parking Service" <rucuaze278437@ijirts.org>
- "Parking Service" <rwuyhe03505@sakshichemsciences.com>
- "Parking Service" <suhyxud40532787@nexusbrandconsulting.co.za>
- "Parking Service" <sype02065717@counterdepthrefrigerators.us>
- "Parking Service" <w133444@chimneyhill.com>
- "Parking Service" <xdyn573536@theelitemarketingalliance.com>
- "Parking Service" <yzuuyif7050056@emckliniek.nl>
TRAFFIC
EXAMPLES OF LINKS FROM THE EMAILS:
- contentcrew.co.uk - GET /wp-content/uploads/2017/04/cxtmpr/sitemap.html
- gfkam.ru - GET /media/editors/tinymce/plugins/template/sitemap.html
- gigpig.co.uk - GET /wsssepc/sitemap.html
- katydrake.co.uk - GET /tmknm/sitemap.html
- komfortservices.co.uk - GET /rhvlqxfmd/sitemap.html
- midlandaerospace.com - GET /jsfm/sitemap.html
REDIRECT FROM THE EMAIL LINKS:
- senddeliverys.com - GET /tds
FAKE PARKING SERVICES SITE:
- parking-services.us (HTTPS)
PARTIAL URLS FROM THE EXTRACTED .JS FILES FOR FOLLOW-UP MALWARE:
- antenimientos.mx - GET /js/skins/silver/images/counter
- cangas.ro - GET /old/libraries/cms/version/counter
- js-electronics.be - GET /administrator/components/com_installer/models/counter
- mantenimientos.mx - GET /js/skins/silver/images/counter
- petitions.ie - GET /FULL_ROOT_FILES_30Nov16/media/com_petitions_sign/js/counter
- spiritlifestyle.org - GET /.well-known/acme-challenge/counter/counter/counter
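The traffic above forms a chain: link in the email -> sitemap.html on a compromised site -> senddeliverys.com/tds -> the fake parking-services.us site -> Invoice.js -> a /counter URL for the follow-up executables. The script below is an added example (not part of the original post or its pcaps) that runs that chain as detection logic over proxy-log lines. The log format and the sample lines are constructed for the example, the stage labels are my own, and only the hosts and URL shapes come from the page. The sitemap.html and /counter patterns alone are low-fidelity, so the script only calls a client infected when it also hit the redirect or the fake site.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Request:
    ts: str
    client: str
    method: str
    host: str
    path: str

# Hosts and URL shapes taken from the traffic listed on this page.
REDIRECT_HOST = "senddeliverys.com"        # GET /tds
FAKE_SITE_HOST = "parking-services.us"     # HTTPS, so a proxy only sees CONNECT
SITEMAP_RE = re.compile(r"^/.+/sitemap\.html$")         # sitemap.html below a subdirectory
COUNTER_RE = re.compile(r"^/.+/counter(?:/counter)*$")  # .../counter or .../counter/counter/counter

def parse_line(line: str) -> Optional[Request]:
    """Parse one constructed log line: '<ts> <client> <method> <host> <path>'.
    CONNECT lines carry host:port and no path. Returns None for malformed lines."""
    parts = line.split()
    if len(parts) == 4 and parts[2].upper() == "CONNECT":
        host = parts[3].rsplit(":", 1)[0].lower()
        return Request(parts[0], parts[1], "CONNECT", host, "")
    if len(parts) == 5:
        return Request(parts[0], parts[1], parts[2].upper(), parts[3].lower(), parts[4])
    return None

def classify(req: Request) -> Optional[str]:
    """Map a request onto a stage of the infection chain, or None if it matches nothing."""
    if req.host == REDIRECT_HOST and req.path.startswith("/tds"):
        return "redirect"
    if req.host == FAKE_SITE_HOST:
        return "fake_site"
    if req.method == "GET" and COUNTER_RE.match(req.path):
        return "followup_download"
    if req.method == "GET" and SITEMAP_RE.match(req.path):
        return "email_link"
    return None

def triage(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (client, stage, host, path) for every request that hits a stage."""
    hits = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        stage = classify(req)
        if stage:
            hits.append((req.client, stage, req.host, req.path))
    return hits

def infected_clients(hits: List[Tuple[str, str, str, str]]) -> List[str]:
    """Clients that reached the redirect or fake site AND pulled a follow-up payload.
    A lone sitemap.html or /counter hit is not enough to call an infection."""
    stages = {}
    for client, stage, _, _ in hits:
        stages.setdefault(client, set()).add(stage)
    return sorted(c for c, s in stages.items()
                  if ({"redirect", "fake_site"} & s) and "followup_download" in s)

# Constructed sample log: one full chain from 10.0.0.15, benign-looking noise from 10.0.0.22.
SAMPLE_LOG = """\
2017-04-21T14:52:10Z 10.0.0.15 GET gigpig.co.uk /wsssepc/sitemap.html
2017-04-21T14:52:11Z 10.0.0.15 GET senddeliverys.com /tds
2017-04-21T14:52:12Z 10.0.0.15 CONNECT parking-services.us:443
2017-04-21T14:53:40Z 10.0.0.15 GET mantenimientos.mx /js/skins/silver/images/counter
2017-04-21T14:53:41Z 10.0.0.15 GET spiritlifestyle.org /.well-known/acme-challenge/counter/counter/counter
2017-04-21T15:01:02Z 10.0.0.22 GET example.org /sitemap.html
2017-04-21T15:01:05Z 10.0.0.22 GET example.org /blog/sitemap.html
2017-04-21T15:02:00Z 10.0.0.22 POST example.org /login
malformed line
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(hit)
    print("infected:", infected_clients(hits))
```

Against the sample log the script flags six requests but names only 10.0.0.15 as infected; 10.0.0.22's /blog/sitemap.html hit is reported as a low-confidence email_link so an analyst can pull that email, but without the redirect or a /counter download it is not escalated.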
FILE HASHES
FAKE INVOICES:
SHA256 hash: 20e6c812f7d8688c9ccb24cc4e9c0fa2b71f1770f38b5571a60043043d4b4ac5
File name: Invoice.js (1st run)
Analysis at: https://www.reverse.it/sample/20e6c812f7d8688c9ccb24cc4e9c0fa2b71f1770f38b5571a60043043d4b4ac5?environmentId=100
SHA256 hash: 6ad0e26e0423838df19f00e178e47a1b65395b2b68055ecb07a99613208cc684
File name: Invoice.js (2nd run)
Analysis at: https://www.reverse.it/sample/6ad0e26e0423838df19f00e178e47a1b65395b2b68055ecb07a99613208cc684?environmentId=100
FOLLOW-UP MALWARE:
SHA256 hash: 545e3817ddeafd7b8406c1de57d6ea794629bf615f22c0ed18bf88c16e2d292d
File name: exe1.exe (1st run)
File description: Zeus Panda Banker (KINS)
SHA256 hash: 03974017388c6085175f111ee26c3833448b0551acf11063a13a916a75844321
File name: exe2.exe (1st run)
File description: Kovter
SHA256 hash: 1a7fbc76c3881cd9dcf292db25790a9aba6bf677308f9ea1b8f252657bc9c16c
File name: exe3.exe (1st run)
File description: Smoke Loader
SHA256 hash: a4916151059e5f4065f1fb230f06205d1c9cddc5c779984b108e77a22e7c32e9
File name: exe1.exe (2nd run)
File description: Zeus Panda Banker (KINS)
SHA256 hash: b1da6f66bf8049e58f17862ea5ca30bf27054ebb132e6360a68083bab640b70f
File name: exe2.exe (2nd run)
File description: Kovter
SHA256 hash: 08c462be614f6ac81cf78a59f254737beabb5c2abddc5b4bf6436e7d105c204a
File name: exe3.exe (2nd run)
File description: Smoke Loader
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2017-04-21-parking-service-malspam-pcaps.zip 1.7 MB (1,672,977 bytes)
- ZIP archive of the spreadsheet tracker: 2017-04-21-parking-service-malspam-tracker.csv.zip 0.9 kB (899 bytes)
- ZIP archive of the emails and artifacts/malware: 2017-04-21-parking-service-malspam-and-artifacts.zip 1.3 MB (1,272,122 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.