2017-06-01 - ZEUS PANDA BANKER INFECTION

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-01-Zeus-Panda-Banker-infection-traffic.pcap.zip   3.4 MB (3,400,817 bytes)

• 2017-06-01-Zeus-Panda-Banker-infection-traffic.pcap   (3,978,012 bytes)

• 2017-06-01-malware-from-Zeus-Panda-Banker-infection.zip   388.4 kB (388,402 bytes)

• TPD64730435.zip   (26,605 bytes)
• Traffic_Police_Department - Parking_Ticket_Information.doc   (68,096 bytes)
• suchka.exe   (188,417 bytes)
• upd59213af8.exe   (299,008 bytes)

NOTES:

• This Zeus Panda Banker infection originated from a wave of parking ticket-themed malspam using links to Google Docs URLs that host zip archives containing Word documents.
• The Word documents have macros that, if enabled, attempt to download and install Zeus Panda Banker.
• My sincere hanks to the person who emailed me information about this wave of malspam.  You know who you are!
• The emails are signed "Sincerely, Traffic Police." 

Shown above:  This is how I like traffic police...  Brash and sassy.

 

EMAIL

Shown above:  Screen shot from one of the emails.

 

Shown above:  Example of email headers (1 of 2).

 

Shown above:  Example of email headers (2 of 2).

 

EMAIL HEADERS:

• Date:  As early as Wendesday 2017-05-31 at 22:57 UTC through at least Thursday 2017-06-01 at 14:15 UTC

• Subject:  Parking fine number info
• Subject:  Parking fine number information
• Subject:  Parking fine #64731962
• Subject:  Parking fine #64732133
• Subject:  Parking fine #64732399
• Subject:  Parking fine #64733708
• Subject:  Parking fine #64733752
• Subject:  Parking fine #64733924
• Subject:  Parking fine #64733997
• Subject:  Parking fine #64734291
• Subject:  Parking fine #64734709
• Subject:  Parking fine #64735028
• Subject:  Parking fine #64735308
• Subject:  Parking fine #64735557
• Subject:  Parking fine #64736451
• Subject:  Parking fine #64737103
• Subject:  Parking fine #64737716
• Subject:  Parking fine #64739852
• Subject:  Parking ticket

• From:  150730@linwebng13.hostingspace[.]pro
• From:  559274@pemlinng025.blacknight[.]com
• From:  absalarm.dk@linux9.unoeuro[.]com
• From:  apache@mc1.molalla[.]net
• From:  bobeh@www.icpontalpi[.]org
• From:  crownsol@chewbacca.zuver[.]net[.]au
• From:  dmktmx@as1r2051.servwingu[.]mx
• From:  dwfcz@tutor360[.]it
• From:  from-okinawa@sv155.xserver[.]jp
• From:  fvuzv@www.eknz[.]cz
• From:  garsia94__garsia94tbgettru__rq@rauf3.beget[.]ru
• From:  lilkana@sv007.rocketnet[.]jp
• From:  lubpz@armazem398[.]com[.]br
• From:  nsvps_brainwave@ps406045.dreamhostps[.]com
• From:  rbagroltd@hestia-la.thewebhostserver[.]com
• From:  techadvi@cp10-jhb.za-dns[.]com
• From:  thomas.a.weber@t-online[.]de

 

MALWARE

Shown above:  Downloading the zip archive from a link in one of the emails to Google Docs.

 

Shown above:  The zip archive contained a Word document with malicious macros.

 

ZIP ARCHIVE DOWNLOADED FROM GOOGLE DOCS LINK IN ONE OF THE EMAILS:

• SHA256 hash:  75c9cea38806c0a04aa498b9732a04e1da77091353a68e6b4edfc868d7edeb0c
  File size:  26,605 bytes
  File name:  TPD64730435.zip

WORD DOCUMENT EXTRACTED FROM ZIP ARCHIVE:

• SHA256 hash:  68feb6fb94c52220c2238674ba8232e7b7b1233728fc34707ccde3cb8318f993
  File size:  68,096 bytes
  File name:  Traffic_Police_Department - Parking_Ticket_Information.doc

FILE DOWNLOADED BY THE WORD MACROS:

• SHA256 hash:  520e78f7c5f55de70c15031db0c2aad2a3708fcceb5198c24628d497093c4ae0
  File size:  188,417 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\suchka.exe

FOLLOW-UP MALWARE NOTED AFTER THE INITIAL INFECTION:

• SHA256 hash:  00fa65c8fced0abfab3f544801014a349f7d960819d8d79c47abe090bd75ccfc
  File size:  299,008 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\upd59213af8.exe
  File location:  C:\Users\[username]\AppData\Roaming\Adobe\Flash Player\Desktop (create shortcut).exe

Shown above:  Follow-up malware made persistent on the infected host.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion.

 

ASSOCIATED DOMAINS:

• docs.google[.]com - GET /uc?authuser=0&id=0B3ERzBB9Gk_Na203em9CcjNMSXc&export=download     [HTTPS request for the initial zip archive]
• 141.8.195[.]82 port 80 - pidars[.]info - GET /index.php     [HTTP request for the malware binary]
• 5.8.88[.]39 port 443 - chibasuka[.]top - HTTPS/SSL/TLS traffic     [several connections]
• google[.]com - GET /     [Connectivity check by the infected host]

 

Click here to return to the main page.