2017-06-29 - KOVTER MALSPAM - UPS DELIVERY THEME
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-06-29-Kovter-malspam-traffic.pcap.zip 7.6 MB (7,633,996 bytes)
  - 2017-06-28-UPS-themed-Kovter-malspam-traffic.pcap (8,271,730 bytes)
  - 2017-06-29-UPS-themed-Kovter-malspam-traffic.pcap (4,082,112 bytes)
- Zip archive of the emails and malware: 2017-06-29-Kovter-malspam-and-artifacts.zip 705 kB (705,282 bytes)
  - 2017-06-28-UPS-malspam-0038-UTC.eml (3,852 bytes)
  - 2017-06-28-UPS-malspam-2221-UTC.eml (3,497 bytes)
  - 2017-06-28-Kovter-sample.exe (503,434 bytes)
  - 2017-06-29-Kovter-sample.exe (476,867 bytes)
  - UPS-Delivery-5874287.doc.js (1,681 bytes)
  - UPS-Delivery-5874287.zip (1,448 bytes)
  - UPS-Parcel-ID-8772984.doc.js (1,671 bytes)
  - UPS-Parcel-ID-8772984.zip (1,450 bytes)
RELATED BLOG POSTS:
- My Online Security - blog post early today on 2017-06-29: return of fake UPS cannot deliver malspam with an updated nemucod ransomware and Kovter payload (link)
EMAILS
Shown above: Screenshot from one of the emails (1 of 2).
Shown above: Screenshot from one of the emails (2 of 2).
EMAIL HEADERS:
- Date: Wednesday 2017-06-28 at 00:38 UTC
- From: bappidgreat@server003.webhosting24x7.net
- Subject: Delivery Notification, ID 5874287
- Attachment: UPS-Delivery-5874287.zip
- Date: Wednesday 2017-06-28 at 22:21 UTC
- From: maligin@bitrix272.timeweb.ru
- Subject: Problems with item delivery, n.8772984
- Attachment: UPS-Parcel-ID-8772984.zip
Shown above: Example of an extracted .js file from the attached zip archives.
TRAFFIC
Shown above: Traffic from the infection on 2017-06-28 filtered in Wireshark.
Shown above: Traffic from the infection on 2017-06-29 filtered in Wireshark.
PARTIAL URLS RECOVERED FROM THE .JS FILES:
- amis-spb.ru - GET /counter [followed by long string of characters]
- artdecorfashion.com - GET /counter [followed by long string of characters]
- desinano.com.ar - GET /counter [followed by long string of characters]
- elita5.md - GET /counter [followed by long string of characters]
- goldwingclub.ru - GET /counter [followed by long string of characters]
- modx.mbalet.ru - GET /counter [followed by long string of characters]
- natiwa.com - GET /counter [followed by long string of characters]
- perdasbasalti.it - GET /counter [followed by long string of characters]
- resedaplumbing.com - GET /counter [followed by long string of characters]
POST-INFECTION TRAFFIC:
- Various IP addresses over TCP ports 80, 443, and 8080.
Shown above: Post-infection traffic is similar to what we've seen before with Kovter.
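The partial URLs above share one shape: a GET to /counter followed by a long opaque string. The script below is an added example (not from this post or its pcaps) that runs that pattern over HTTP request lines; the one-line "METHOD host URI" format, the 20-character trailer threshold, and the sample requests are all assumptions made for the example.

```python
import re
from typing import Iterable

# Hosts the extracted .js downloaders contacted, taken from this post's list of partial URLs.
KOVTER_JS_HOSTS = frozenset({
    "amis-spb.ru", "artdecorfashion.com", "desinano.com.ar", "elita5.md",
    "goldwingclub.ru", "modx.mbalet.ru", "natiwa.com", "perdasbasalti.it",
    "resedaplumbing.com",
})

# Assumed input format for this example: one request per line, "<method> <host> <uri>",
# as you might export from a proxy log or Wireshark's HTTP dissector.
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<host>[^\s/]+)\s+(?P<uri>/\S*)$")

# The post only says "long string of characters"; 20 characters is an assumed threshold.
MIN_TRAILER = 20


def classify_request(line: str) -> str:
    """'ioc-match'     : GET /counter... to a host listed in this post
       'pattern-match' : GET /counter<long string> to any other host (same downloader style)
       'benign'        : everything else"""
    m = REQUEST_RE.match(line.strip())
    if not m:
        return "benign"
    method, host, uri = m.group("method"), m.group("host").lower(), m.group("uri")
    if method != "GET" or not uri.startswith("/counter"):
        return "benign"
    trailer = uri[len("/counter"):].lstrip("/?")  # opaque part after /counter
    if host in KOVTER_JS_HOSTS:
        return "ioc-match"
    if len(trailer) >= MIN_TRAILER:
        return "pattern-match"
    return "benign"


def find_kovter_downloads(lines: Iterable[str]) -> list:
    """Return (host, verdict) pairs for every request that is not benign."""
    hits = []
    for line in lines:
        verdict = classify_request(line)
        if verdict != "benign":
            hits.append((REQUEST_RE.match(line.strip()).group("host").lower(), verdict))
    return hits


# Constructed sample requests (not taken from the pcaps); the trailers are made-up strings.
SAMPLE_REQUESTS = [
    "GET elita5.md /counter/aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW",
    "GET www.example.com /counter?id=7",
    "GET example.net /counter/ZyXwVuTsRqPoNmLkJiHgFeDcBa098765",
    "POST natiwa.com /login",
    "GET desinano.com.ar /counter",
]

if __name__ == "__main__":
    for host, verdict in find_kovter_downloads(SAMPLE_REQUESTS):
        print(f"{verdict:13} {host}")
```

The second verdict class matters because the hosts above are compromised sites that rotate between campaigns; the /counter plus long-trailer shape outlives any one host list.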
FILE HASHES
SHA256 HASHES FOR THE ASSOCIATED MALWARE:
- f24ea3eaf788302a4af13a63cd44624edabb86d2c8b96482b0c7422fb982bb2d - UPS-Delivery-5874287.zip [email attachment]
- 708dbe2ac4d71502e59984aba525ae7cf2401308b9017c347d734a8e9fcc95ec - UPS-Delivery-5874287.doc.js [extracted .js file]
- 45489e63844a6ac3e72f2a4ba1799d99558908b3c9eea398c81a98c93af94f43 - 2017-06-28-Kovter-sample.exe [follow-up malware]
- 28f36adc74fd31724c24702223073efea14f9759f43b99a395df933cfe4fe9da - UPS-Parcel-ID-8772984.zip [email attachment]
- 76bbeb10f02697952612a83b991570070b7c1598abef3383b7f2182b9072e0da - UPS-Parcel-ID-8772984.doc.js [extracted .js file]
- 26b1f1df386879044711fd6aeba55d6de8590409cd47d09f2b06211199bf00f2 - 2017-06-29-Kovter-sample.exe [follow-up malware]
IMAGES
Shown above: An example of post-infection artifacts noted on the infected hosts.
Shown above: Other artifacts consistent with a Kovter infection.
Shown above: As with other Kovter infections, the associated Windows registry key cannot be viewed.
FINAL NOTES
Shown above: An error I got each time shortly after the infection.
Once again, here are the associated files:
- Zip archive of the pcap: 2017-06-29-Kovter-malspam-traffic.pcap.zip 7.6 MB (7,633,996 bytes)
- Zip archive of the emails and malware: 2017-06-29-Kovter-malspam-and-artifacts.zip 705 kB (705,282 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.