2017-06-16 - INFOSTEALER INFECTION FROM BRAZIL MALSPAM

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-16-infection-from-Brazil-infostealer-2-pcaps.zip   3.4 MB (3,393,254 bytes)

• 2017-06-16-traffic-from-link-in-PDF-attachment.pcap   (19,376 bytes)
• 2017-06-16-Brazil-infostealer-full-infection.pcap   (3,974,698 bytes)

• 2017-06-16-Brazil-infostealer-email-and-malware.zip   4.9 MB (4,895,806 bytes)

• 16062017329800998812303133716062017.pdf   (46,862 bytes)
• 1606201732980099881230313371606201722085.vbs   (2,724 bytes)
• 2017-06-16-0830-UTC-Boleto-malspam.eml   (65,354 bytes)
• 2017-06-16-Boleto-malspam-artifacts-information.csv   (1,820 bytes)
• Ionic.Zip.Reduced.dll   (253,440 bytes)
• JAGGER-PC.aes   (16 bytes)
• JAGGER-PC.zip   (3,281,415 bytes)
• JAGGER-PCx.ocx   (384 bytes)
• SYSJAGGERPC53.xml   (3,366 bytes)
• c.cer   (905 bytes)
• crov.exe   (1,690,096 bytes)
• dll.dll.exe   (396,480 bytes)
• dzfftfff.0li.vbs   (114 bytes)
• eddfxv0i.ptn.vbs   (130 bytes)
• ps.exe   (452,608 bytes)

NOTES:

• It's been a while since I last documented this campaign back in January 2017 (link) and September 2016 before that (link).
• Unlike the emails I saw last year, there's now a PDF attachment included.
• The PDF attachment has a different link than the email, but they both redirect to the same bit.ly URL to send the same malware.
• Most of the artifacts found on the infected host are not inherently malicious.  It's just the way they're being used.

 

EMAIL

Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

• Sending mail server:  gruporecovery[.]ltda
• From:  Boleto MICK <sender@gruporecovery[.]ltda>
• Subject:  Envio de Boleto - URGENTE - RECOVERY
• Message-ID:  <20170616090038.A45276667E@gruporecovery[.]ltda>
• Date: Fri, 16 Jun 2017 08:30:50 UTC
• Attachment name:  16062017329800998812303133716062017.pdf
• Link from the message:  5W9u7NP1.i7o8e15brw3eed5jabzl9hu3zuxx1o8l[.]top/3LSVdZ.php?3LSVdZ=5W9u7NP1MICK

 

ATTACHMENT

Shown above:  PDF attachment has a different link than the email.

 

Shown above:  However, it redirects to the same bit[.]ly and gfonseca.sslblindado[.]com URLs as the link from the email.

 

Shown above:  The downloaded VBS file.

 

TRAFFIC

Shown above:  Traffic from link in the PDF file, filtered in Wireshark (stopped after grabbing the .vbs file).

 

Shown above:  Traffic from link in the email message text, filtered in Wireshark (full infection).

 

ASSOCIATED DOMAINS:

• 65.181.127[.]152 port 80 - 5w9u7np1.i7o8e15brw3eed5jabzl9hu3zuxx1o8l[.]top - GET /3LSVdZ.php?3LSVdZ=5W9u7NP1MICK - link from email
• 65.181.127[.]152 port 80 - view.4tqgbgond2m7tbeo73jlvcd0vfkao7qm[.]pw - GET /16062017329800998812303133716062017.pdf - link from PDF attchment

• bit[.]ly - GET /2rxQGdd   [HTTPS] - redirects to gfonseca.sslblindado.com URL
• gfonseca.sslblindado[.]com - GET /mx/controls/sender/   [HTTPS] - returns VBS file

• 65.181.122[.]158 port 80 - 65.181.122[.]158 - GET /goodidea53/x
• 65.181.122[.]158 port 80 - 65.181.122[.]158 - GET /goodidea53/aw7.tiff
• 65.181.112[.]252 port 80 - www.petr4[.]in - GET /avs/index.php?[string of characters]
• 65.181.122[.]158 port 80 - 65.181.122[.]158 - GET /goodidea53/W7.zip
• 65.181.122[.]158 port 80 - 65.181.122[.]158 - GET /goodidea53/dll.dll
• 65.181.122[.]158 port 80 - 65.181.122[.]158 - GET /goodidea53/dll.dll.exe
• 65.181.112[.]252 port 80 - www.petr4[.]in - GET /avs/logs/index.php?[string of characters]
• 65.181.112[.]252 port 80 - www.petr4[.]in - GET /boaideia/index.php?[string of characters]
• 54.232.207[.]222 port 443 - ssl.suzukiburgman[.]top - unencrypted IRC traffic
• 158.69.99[.]214 port 80 - log.suzukiburgman[.]top - POST /mestre/admin/x.php
• 158.69.99[.]214 port 80 - log.suzukiburgman[.]top - POST /mestre/campaign/index.php?ACAO=PUSH

• imestre.suzukiburgman[.]top - Response 65.181.112[.]252 - no follow-up TCP traffic using this domain name
• 169.57.146[.]90 port 7094 - Attempted TCP connections but no response from the server

 

MALWARE

PDF ATTACHMENT:

• SHA256 hash:  4339c20a1a68871f7927fdc4628675da08018a8c6d9f57a02c56410aeb593d91
  File size:  46n862 bytes
  File name:  16062017329800998812303133716062017.pdf

DOWNLOADED VBS FILE:

• SHA256 hash:  2c96b9df6c0a4974f021ac5d8a4ffc9a5224220eaf9aa8d98cdb1d8eb60ad777
  File size:  2,724 bytes
  File name:  1606201732980099881230313371606201722085.vbs

 

IMAGES

Shown above:  Unecrypted IRC traffic noted on ssl.suzukiburgman[.]top (54.232.207[.]222 port 443).

 

Shown above:  Attempted TCP connections on 169.57.146[.]90 port 7094, but no response from the server.

 

Click here to return to the main page.