2017-04-26 - USPS-THEMED MALSPAM PUSHES MOLE RANSOMWARE AND KOVTER
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2017-04-26-USPS-malspam-pcaps.zip 923 kB (921,841 bytes)
- ZIP archive of the spreadsheet tracker: 2017-04-26-USPS-malspam-tracker.csv.zip 3.3 kB (3,330 bytes)
- ZIP archive of the emails and artifacts/malware: 2017-04-26-USPS-malspam-emails-and-artifacts.zip 1.2 MB (1,198,524 bytes)
BACKGROUND ON THIS CAMPAIGN:
- My in-depth write-up on this campaign is at: Mole Ransomware: How One Malicious Spam Campaign Quickly Increased Complexity and Changed Tactics
- 2017-04-11 - Internet Storm Center (ISC) InfoSec Forums: Malspam on 2017-04-11 pushes yet another ransomware variant
- 2017-04-12 - BleepingComputer: Mole Ransomware Distributed Through Fake online Word Docs
- 2017-04-12 - My Online Security - More USPS delivery messages delivering mole ransomware
- 2017-04-13 - My Online Security - Changes to fake USPS delivery messages delivering malware
- 2017-04-18 - Malware-traffic-analysis.net - USPS-themed malspam resumes after weekend break
- 2017-04-19 - My Online Security - More USPS delivering Zbot Zeus Panda via fake Word online sites
- 2017-04-19 - Malware-traffic-analysis.net - USPS-themed malspam continues pushing Panda Banker, Kovter, and Miuref
- 2017-04-21 - Malware-traffic-analysis.net - USPS-themed malspam changes to Parking Service malspam
NOTES FOR TODAY:
- The last time I looked into this, it was "Parking Service" malspam.
- Today, we're back to USPS-themed malspam linking to fake Word Online sites for zipped .js files disguised as Office plugins.
- Each downloaded zip archive has a different file name and a different file hash (the same goes for the extracted .js files).
- I only saw Mole ransomware (exe1.exe) and Kovter (exe2.exe) as the follow-up malware today.
Shown above: Flowchart for this infection traffic.
EMAILS
Shown above: Example from one of the emails seen today.
DATES/TIMES:
- Wednesday 2017-04-26 as early as 12:28 UTC through at least 21:54 UTC
EXAMPLES OF SENDING ADDRESSES (ALL SPOOFED):
EXAMPLES OF SUBJECT LINES:
- ATTENTION REQUIRED: PROBLEMS WITH YOUR ITEM
- AUTOMATED letter: moneyback info
- AUTOMATED notice regarding your order's location
- AUTOMATED notification concerning your shipment's location
- AUTOMATED USPS EMAIL CONCERNING YOUR SHIPMENT
- AUTOMATED USPS OFFICIAL LETTER REGARDING YOUR PARCEL
- AUTOMATIC notification: moneyback info
- AUTOMATIC USPS EMAIL IN REGARDS TO YOUR ORDER
- AUTOMATIC USPS OFFICIAL LETTER IN REGARDS TO YOUR PARCEL
- IMMEDIATE ACTION REQUIRED: your parcel's been postponed
- IMMEDIATE ATTENTION NEEDED: your shipment's been delayed
- IMPORTANT USPS MONEYBACK INFO
- IMPORTANT USPS MONEYBACK INFO CONCERNING YOUR ITEM
- IMPORTANT USPS system letter
- IMPORTANT: notice of delay of your package
- IMPORTANT: notice of delay of your parcel
- Major problems reported to the USPS support team
- Official letter from USPS support team
- Official notice from USPS support team
- Official notification concerning your item
- Official notification in regards to your package
- OFFICIAL USPS customer support letter
- OFFICIAL USPS MONEYBACK INFORMATION
- Official USPS notification in regards to your order
- OFFICIAL USPS REFUND INFORMATION
- PROMPT ACTION REQUIRED: your order's been postponed
- PROMPT ATTENTION NEEDED: your item's been delayed
- PROMPT ATTENTION NEEDED: your shipment's been postponed
- There has been an issue with your order
- There has been an issue with your shipment
- There's been an issue with your package
- URGENT: notification of delay of your order
- URGENT: notification of delay of your package
- USPS customer support letter: your package has been delayed
- USPS customer support team notification: your parcel has been postponed
- USPS official notice: big trouble with your order
- USPS official notification: serious problems with your shipment
- USPS OFFICIAL STATEMENT regarding your item
- USPS support notice: your shipment has been delayed
- USPS support statement: your shipment has been delayed
- USPS USER IMPORANT NEW INFORMATION IN REGARDS TO YOUR SHIPMENT
- WARNING: INFO ON A IMPENDING REFUND
- WARNING: you are legally obliged to review the status of your item
- WARNING: you are required to check the status of your shipment
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
LINKS FROM THE EMAILS:
REDIRECT:
- 185.189.14.112 port 80 - servisedelivery.com - GET /tds
- 185.189.14.112 port 80 - servisedelivery.com - GET /tds/
FAKE WORD ONLINE SITE:
- 185.189.14.112 port 80 - statusdelivery.com - GET /bot14/lgen.php
- 185.189.14.112 port 80 - statusdelivery.com - GET /bot14/jgen.php
PARTIAL URLS FROM THE .JS FILES FOR ADDITIONAL MALWARE:
- atrium-nieruchomosci.pl - GET /js/js/jscalendar-1.0/lang/counter
- js-electronics.be - GET /tmp/yoo_venture_j25/warp/libraries/counter
- lecamorariu.ro - GET /counter
- protectie-electromagnetica.ro - GET /wp-content/themes/twentythirteen/languages/counter
- smulpapentocht.be - GET /administrator/templates/hathor/less/counter
MOLE RANSOMWARE POST-INFECTION TRAFFIC:
- 94.198.98.20 port 80 - 94.198.98.20 - GET /images/gif/info-static.php
EMAIL ADDRESSES FROM THE MOLE RANSOMWARE DECRYPTION INSTRUCTIONS:
- A u g u s t S t e e n @ w r i t e m e . c o m
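Because every zip and .js file in this campaign has a different name and hash, a hash blocklist is of little use; the URL pattern of the chain is the stable signal. As an added example (not part of the original post or its pcaps), the Python below walks constructed proxy-log lines and reconstructs the chain per client from the stages listed above: the 10-hex-character lure page, the /tds redirect, the /bot14/lgen.php or jgen.php fake Word Online page, the /counter fetch by the .js file, and the Mole check-in to /images/gif/info-static.php. The log format and the client IPs are assumptions.

```python
import re
from collections import defaultdict

# Stage patterns taken from the traffic listed on this page. A lone lure-page
# hit is a weak signal (any 10-hex-char .html name matches); the chain only
# becomes convincing once the /tds redirect and later stages follow it.
STAGES = [
    ("lure_page", re.compile(r"/[0-9a-f]{10}\.html$")),
    ("tds_redirect", re.compile(r"^/tds/?$")),
    ("fake_word_online", re.compile(r"^/bot14/[lj]gen\.php$")),
    ("js_fetches_payload", re.compile(r"/counter$")),
    ("mole_checkin", re.compile(r"^/images/gif/info-static\.php$")),
]

def classify(path):
    """Return the stage name matching an HTTP request path, or None."""
    for name, pat in STAGES:
        if pat.search(path):
            return name
    return None

def correlate(log_lines):
    """Group stage hits per client IP, keeping first-seen order."""
    chains = defaultdict(list)
    for line in log_lines:
        _ts, client, _method, _host, path = line.split()[:5]
        stage = classify(path)
        if stage and stage not in chains[client]:
            chains[client].append(stage)
    return dict(chains)

def infected_clients(log_lines):
    """Clients that fetched the payload or checked in to Mole C2."""
    return sorted(c for c, s in correlate(log_lines).items()
                  if "js_fetches_payload" in s or "mole_checkin" in s)

# Constructed sample log lines (assumed format "time client method host path");
# hosts and paths come from this page, the clients and timestamps are made up.
SAMPLE_LOG = """\
12:31:05 10.0.0.7 GET www.cisportstherapy.com /wp-content/53904208ab.html
12:31:06 10.0.0.7 GET servisedelivery.com /tds
12:31:06 10.0.0.7 GET servisedelivery.com /tds/
12:31:07 10.0.0.7 GET statusdelivery.com /bot14/lgen.php
12:31:40 10.0.0.7 GET lecamorariu.ro /counter
12:32:10 10.0.0.7 GET 94.198.98.20 /images/gif/info-static.php
12:35:00 10.0.0.9 GET www.sotex.de /0659cc424a.html
12:35:01 10.0.0.9 GET servisedelivery.com /tds
12:40:00 10.0.0.12 GET www.example.net /index.html
""".splitlines()

if __name__ == "__main__":
    for client, stages in correlate(SAMPLE_LOG).items():
        print(client, "->", " > ".join(stages))
    print("infected:", infected_clients(SAMPLE_LOG))
```

A client that stops at the lure page and /tds (like 10.0.0.9 above) most likely never ran the .js file and is worth a follow-up rather than a reimage.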