Malware-Traffic-Analysis.net - 2017-04-26 - USPS-themed malspam pushes Mole Ransomware and Kovter

2017-04-26 - USPS-THEMED MALSPAM PUSHES MOLE RANSOMWARE AND KOVTER

ASSOCIATED FILES:

ZIP archive of the pcaps: 2017-04-26-USPS-malspam-pcaps.zip 923 kB (921,841 bytes)
ZIP archive of the spreadsheet tracker: 2017-04-26-USPS-malspam-tracker.csv.zip 3.3 kB (3,330 bytes)
ZIP archive of the emails and artifacts/malware: 2017-04-26-USPS-malspam-emails-and-artifacts.zip 1.2 MB (1,198,524 bytes)

BACKGROUND ON THIS CAMPAIGN:

My in-depth write-up on this campaign is at: Mole Ransomware: How One Malicious Spam Campaign Quickly Increased Complexity and Changed Tactics

2017-04-11 - Internet Storm Center (ISC) InfoSec Forums: Malspam on 2017-04-11 pushes yet another ransomware variant
2017-04-12 - BleepingComputer: Mole Ransomware Distributed Through Fake online Word Docs
2017-04-12 - My Online Security - More USPS delivery messages delivering mole ransomware
2017-04-13 - My Online Security - Changes to fake USPS delivery messages delivering malware
2017-04-18 - Malware-traffic-analysis.net - USPS-themed malspam resumes after weekend break
2017-04-19 - My Online Security - More USPS delivering Zbot Zeus Panda via fake Word online sites
2017-04-19 - Malware-traffic-analysis.net - USPS-themed malspam continues pushing Panda Banker, Kovter, and Miuref
2017-04-21 - Malware-traffic-analysis.net - USPS-themed malspam changes to Parking Service malspam

NOTES FOR TODAY:

The last time I looked into this, it was "Parking Service" malspam.
Today, we're back to USPS-themed malspam linking to fake Word Online sites for zipped .js files disguised as Office plugins.
Each downloaded zip archive is a different file name and a different file hash (same with the extracted .js files).
I only saw Mole ransomware (exe1.exe) and Kovter (exe2.exe) as the follow-up malware today.

Shown above: Flowchart for this infection traffic.

EMAILS

Shown above: Example from one of the emails seen today.

DATES/TIMES:

Wednesday 2017-04-26 as early as 12:28 UTC through at least 21:54 UTC

EXAMPLES OF SENDING ADDRESSESS (ALL SPOOFED):

"USPS Express Delivery" <henohe32@caverntours.com>
"USPS Express Delivery" <kafweh515171@audioactivesound.com>
"USPS Express Delivery" <lai82@impresos-gdl.com>
"USPS Express Delivery" <sesaifud45660083@tangentindia.com>
"USPS Express Delivery" <viyhye183@kcn.jp>
"USPS Express Delivery" <vyjaqpu3707847@winebox.com>
"USPS Express Delivery" <xokfiuf15355858@bariartesanias.com.ar>
"USPS Ground Support" <ginutro7@pan-americana.com>
"USPS Ground Support" <heuyj77035@annebonthuis.nl>
"USPS Ground Support" <ppus053130@asante.org>
"USPS Ground Support" <yreiwvgo05@lancasterchambersc.com>
"USPS Ground" <bftany5074720@nationalpeening.com>
"USPS Ground" <pyuijuwx03637@vividdragon.com>
"USPS Ground" <rae86462653@roviba.com>
"USPS Ground" <uhonatom64@hkduroparts.com>
"USPS Ground" <wpyvehel0435183@martyfriedel.com>
"USPS Ground" <wysk7615566@ccwest.com>
"USPS Home Delivery" <ztqwyhov8670001@themcsgroup.com>
"USPS International" <einw2840584@coreheatingandplumbing.co.uk>
"USPS International" <obziuda01010226@emailsend.com.au>
"USPS International" <unyyy47534@wmusic.com.cn>
"USPS Parcels Delivery" <gragro6666344@taxatienieuws.nl>
"USPS Parcels Delivery" <qis32113374@austindevelopments.com.au>
"USPS Parcels Delivery" <xnzckreg26778165@nebo.edu>
"USPS Priority Delivery" <aj0@arvakinsurancegroup.com>
"USPS Priority Delivery" <ebipc68814@sodahub.in>
"USPS Priority Parcels" <ihpuod25880856@fengshui-gateway.com>
"USPS Priority Parcels" <oofaoirx24660673@oakleafproperties.com>
"USPS Priority Parcels" <zgqyzip46533540@auth0rity.com>
"USPS Priority" <gmtimgok26405527@cei.org>
"USPS Priority" <gukoldv52771@marlinchemical.net>
"USPS Priority" <maknoat50@villageacupunctureandmassage.com>
"USPS Priority" <tea01227@dutchmanwoodworks.com>
"USPS SameDay" <igaraki785@cpd.ci.concord.ca.us>
"USPS SameDay" <oejjouut6583@russquackenbush.com>
"USPS Station Management" <iujhahzd87632020@seafaring.ru>
"USPS Station Management" <pujoqeys4@leydinfreyer.com.au>
"USPS Support Management" <rnfynmrk1068052@blumentur.com.br>
"USPS Support Management" <yhu024517@ssheladia.com>
"USPS Support" <bigafith33784567@yeweyih.com.tw>
"USPS Support" <lyxrinyt06306284@energy-store.it>
"USPS Support" <p1470@exidasp.ca>
"USPS Support" <ybuozwga0047@acme-atlanta.com>
"USPS TechConnect" <eeupuaj58468604@stjoanhershey.org>
"USPS TechConnect" <iwwj34280@byington.net>
"USPS TechConnect" <ovwooud87864426@grandrapidssolargard.com>

EXAMPLES OF SUBJECT LINES:

ATTENTION REQUIRED: PROBLEMS WITH YOUR ITEM
AUTOMATED letter: moneyback info
AUTOMATED notice regarding your order's location
AUTOMATED notification concerning your shipment's location
AUTOMATED USPS EMAIL CONCERNING YOUR SHIPMENT
AUTOMATED USPS OFFICIAL LETTER REGARDING YOUR PARCEL
AUTOMATIC notification: moneyback info
AUTOMATIC USPS EMAIL IN REGARDS TO YOUR ORDER
AUTOMATIC USPS OFFICIAL LETTER IN REGARDS TO YOUR PARCEL
IMMEDIATE ACTION REQUIRED: your parcel's been postponed
IMMEDIATE ATTENTION NEEDED: your shipment's been delayed
IMPORTANT USPS MONEYBACK INFO
IMPORTANT USPS MONEYBACK INFO CONCERNING YOUR ITEM
IMPORTANT USPS system letter
IMPORTANT: notice of delay of your package
IMPORTANT: notice of delay of your parcel
Major problems reported to the USPS support team
Official letter from USPS support team
Official notice from USPS support team
Official notification concerning your item
Official notification in regards to your package
OFFICIAL USPS customer support letter
OFFICIAL USPS MONEYBACK INFORMATION
Official USPS notification in regards to your order
OFFICIAL USPS REFUND INFORMATION
PROMPT ACTION REQUIRED: your order's been postponed
PROMPT ATTENTION NEEDED: your item's been delayed
PROMPT ATTENTION NEEDED: your shipment's been postponed
There has been an issue with your order
There has been an issue with your shipment
There's been an issue with your package
URGENT: notification of delay of your order
URGENT: notification of delay of your package
USPS customer support letter: your package has been delayed
USPS customer support team notification: your parcel has been postponed
USPS official notice: big trouble with your order
USPS official notification: serious problems with your shipment
USPS OFFICIAL STATEMENT regarding your item
USPS support notice: your shipment has been delayed
USPS support statement: your shipment has been delayed
USPS USER IMPORANT NEW INFORMATION IN REGARDS TO YOUR SHIPMENT
WARNING: INFO ON A IMPENDING REFUND
WARNING: you are legally obliged to review the status of your item
WARNING: you are required to check the status of your shipment

TRAFFIC

Shown above: Traffic from an infection filtered in Wireshark.

LINKS FROM THE EMAILS:

www.apui95.org - GET /download/lsf/53904208ab.html
www.arcoglass.net - GET /3f60caba08.html
www.ashnoortex.quantapress.com - GET /55351bbf17.html
www.autumnmoon.ca - GET /wp-content/423fd4e375.html
www.avukatiarama.com - GET /wp-content/uploads/2017/04/2f8d830cb0.html
www.bgbaligatraveldiary.com - GET /wp-content/uploads/1f91a1c9ee.html
www.bondhucomputers.com - GET /wp-content/uploads/9b759cb904.html
www.cisportstherapy.com - GET /wp-content/53904208ab.html
www.crmgestao.com.br - GET /wp-content/themes/converio/02186564fe.html
www.develop.com.vc - GET /wp-content/themes/develop/fa7651d6c6.html
www.fancytiehtx.com - GET /wp-content/plugins/wraper/91039cc1b6.html
www.felixsolis.mobi - GET /2a48c06f46.html
www.focalpointbdg.com - GET /wp-content/plugins/278498c41a.html
www.forkliftlastik.org - GET /wp-content/themes/minimize/9b759cb904.html
www.gonzalez-santiago.com - GET /photog/05bd94a5e0.html
www.imtsus.com - GET /wp-content/plugins/wp-blog/2a48c06f46.html
www.informatica-ag.it - GET /wp-content/uploads/58de0d46db.html
www.kardeslermobilyaizmir.com - GET /2a48c06f46.html
www.laboratorioweb.net - GET /wp-content/9b759cb904.html
www.latifekuskay.com - GET /wp-content/plugins/b670991e46.html
www.nti-rechten.nl - GET /wp-content/uploads/2017/04/c75ab8fb60.html
www.pankajevents.com - GET /wp-content/plugins/wraper/3f60caba08.html
www.pichat.info - GET /098925327d.html
www.sailingmonea.com - GET /wp-content/uploads/62fd619f6e.html
www.shenzhen-mro.com - GET /modules/mod_ariimageslidersa/c5f6be8373.html
www.sotex.de - GET /0659cc424a.html
www.spaziosportsrl.com - GET /wp-content/themes/sketch/2f8d830cb0.html
www.teapotcollector.org - GET /wp-content/plugins/wraper/a4b3cada4b.html
www.trikolkysmile.cz - GET /css/67ed877d86.html
www.uiccoin.org - GET /9c1dfb513b.html

REDIRECT:

185.189.14.112 port 80 - servisedelivery.com - GET /tds
185.189.14.112 port 80 - servisedelivery.com - GET /tds/

FAKE WORD ONLINE SITE:

185.189.14.112 port 80 - statusdelivery.com - GET /bot14/lgen.php
185.189.14.112 port 80 - statusdelivery.com - GET /bot14/jgen.php

PARTIALS URLS FROM THE .JS FILES FOR ADDITIONAL MALWARE:

atrium-nieruchomosci.pl - GET /js/js/jscalendar-1.0/lang/counter
js-electronics.be - GET /tmp/yoo_venture_j25/warp/libraries/counter
lecamorariu.ro - GET /counter
protectie-electromagnetica.ro - GET /wp-content/themes/twentythirteen/languages/counter
smulpapentocht.be - GET /administrator/templates/hathor/less/counter

MOLE RANSOMWARE POST-INFECTION TRAFFIC:

94.198.98.20 port 80 - 94.198.98.20 - GET /images/gif/info-static.php

EMAIL ADDRESSES FROM THE MOLE RANSOMWARE DECRYPTION INSTRUCTIONS:

AugustSteen@writeme.com
auguststeen@india.com

SOME OF THE KOVTER POST-INFECTION TRAFFIC:

119.81.249.228 port 80 - 119.81.249.228 - POST /
46.211.17.153 port 80 - 46.211.17.153 - POST /
various IP addresses over port 443 and 8080 - Attempted TCP connections

MALWARE

Shown above: Zip archive disguised as an Office plugin downloaded from today's fake Word Online page.

Shown above: Each downloaded zip archive contains a .js file.

SAMPLES OF ZIP ARCHIVES DOWNLOADED FROM THE FAKE WORD ONLINE SITE:

31e56d6c14ce7c080b892d121268f30f5c37501773c82ec21fd25963b98d8238 - plugin_KB_47092.zip
5278a3a1ce4f2ffb6edf5cc6a1cb6b56477f8e87d7e151998b45b1d6ff685a19 - plugin_KB_57676.zip
e0818a03a897f47113970e21b575f9725eac608b1dc4eda4f3470ea3d25f8199 - plugin_KB_66614.zip
d405a7811ce8341c258fabf05da6d88a9b204b9b9c47bedbefe40a318d0f5d8e - plugin_KB_72013.zip
f69b69ac673ffee8473950360e8296d855cb75f6d6ab00cde5d0c4c58c6b7c8c - plugin_KB_81638.zip
49b9050e71aa65568e99125bc40abd5984382db5d39dcd55a2409664ca948999 - plugin_KB_89567.zip
1e5aac17ab222e7351b08fd95503839414e75f80ea318212950f81a8c826cba8 - plugin_KB_92384.zip

.JS FILES EXTRACTED FROM THE ABOVE ZIP ARCHIVES:

0f6ec40363f669ff8c2a040cea7519f3d2ec44d30549ae8824e84781173dca25 - plugin_KB_47092.js
5d94ed7fc42411bc5f807ec869800533ad718bafb93c5942cbf7766dacf8a29e - plugin_KB_57676.js
7ee8913af927d70ef84e1ffb8a132cf554e04a388900ba733f651eb685bf8a17 - plugin_KB_66614.js
8dce263108614871fd3f6a799279c1da7e7d26ef1544183976dd692b86da5c6c - plugin_KB_72013.js
8e61d88a02736abb8e1ba76d80f12ba68bb4e4e914be8c5049b0358e3a31e2e9 - plugin_KB_81638.js
14ea062ca146ed50b89faf437bb801367788e95857f73c92c5fbada47525fda4 - plugin_KB_89567.js
94aaf6ff9192056b6177531b391ea00a701ee8fbb35ba26946ca8710d1eb9c13 - plugin_KB_92384.js

SAMPLES OF MALWARE DOWNLOADED BY THE .JS FILES:

0a3c26a388e6ede8e08a33ddc3c9aece079d5d6c752854e16d216e134ed3d357 - exe1.exe - Mole ransomware
f9babd5f229b59221245ac36506c4524ff7ee362a8d5c126004ace4035f53918 - exe1.exe - Mole ransomware
1ba0eeecd16eb7e3a7753f5fb93e95e13de6fc42de684bb7eaf0b6dfe4d94278 - exe2.exe - Kovter
acef8f1ccc857e4bb97ae80fcec4b1f50c76c6888a030ece66c9d53ebebbcde7 - exe2.exe - Kovter
dc46009d1a33ba4ad8272f3e13b226825cdcb70ba4b3d20ae7e054e0a8adbf1d - exe2.exe - Kovter

IMAGES

Shown above: Screenshot of an infected Windows desktop.

FINAL NOTES

Once again, here are the associated files:

ZIP archive of the pcaps: 2017-04-26-USPS-malspam-pcaps.zip 923 kB (921,841 bytes)
ZIP archive of the spreadsheet tracker: 2017-04-26-USPS-malspam-tracker.csv.zip 3.3 kB (3,330 bytes)
ZIP archive of the emails and artifacts/malware: 2017-04-26-USPS-malspam-emails-and-artifacts.zip 1.2 MB (1,198,524 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.