2017-08-28 - INFOSTEALER INFECTION FROM BRAZIL MALSPAM

ASSOCIATED FILES:

• 2017-08-28-infostealer-infection-traffic.pcap.zip   3.2 MB (3,186,114 bytes)

• 2017-08-28-infostealer-infection-traffic.pcap   (3,645,873 bytes)

• 2017-08-28-Brazil-email-and-malware-files.zip   94.0 kB (93,961 bytes)

• 1508201700016067882247230289631.pdf   (49,198 bytes)
• 2017-08-28-Boleto-malspam-0629-UTC.eml   (68,408 bytes)
• 2017-08-28-sched-task-for-persistence.txt   (3,376 bytes)
• 2308201700026174031337009631980.vbs   (4,912 bytes)

NOTES:

• As noted in previous posts about malspam from this actor (2017-06-16 and 2017-07-21), since mid-June 2017 there's been a PDF attachment included with these emails.
• Like last time, the PDF attachment has a different link than the email, but they both redirected to the same sendspace[.]com URL to send the same VBS malware.
• I forgot to get copies for all of the artifacts from the infected host before I wiped it.

 

EMAIL

Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

• Sending mail server:  grupofreitas[.]ltda
• From:  Boleto [recipient's name] <sender@grupofreitas[.]ltda>
• Subject:  Envio de Boleto - URGENTE - GRUPO FREITAS
• Date:  Monday, 2017-08-28 06:29 UTC
• Attachment name:  1508201700016067882247230289631.pdf
• Link from the message:  VQ7jtrz3.lch8gmmpxpn7dficzttxmpkmngmmgqdr[.]xyz/c4Wzab.php?c4Wzab=VQ7jtrz3[recipient's name]

 

Shown above:  Link seen in the PDF attachment.

 

TRAFFIC

Shown above:  Traffic from this infection filtered in Wireshark.

 

TRAFFIC SEEN USING LINK FROM THE EMAIL:

• 65.181.127[.]152 port 80 - vq7jtrz3.lch8gmmpxpn7dficzttxmpkmngmmgqdr[.]xyz - GET /c4Wzab.php?c4Wzab=VQ7jtrz3[recipient's name]
• www.sendspace[.]com - GET /pro/dl/6ma73i
• fs12n1.sendspace[.]com - domain that returned the VBS file

TRAFFIC SEEN USING LINK FROM THE ATTACHED PDF FILE:

• 65.181.127[.]152 port 80 - error.lyqadqnm9hy0cveoydhuhv9gq7cmisbm[.]xyz - GET /1508201700016067882247230289631.pdf
• www.sendspace[.]com - GET /pro/dl/6ma73i
• fs12n1.sendspace[.]com - domain that returned the VBS file

ASSOCIATED DOMAINS AND POST-INFECTION TRAFFIC:

• 65.181.113[.]151 port 80 - 65.181.113[.]151 - GET /sshd/x
• 65.181.113[.]151 port 80 - 65.181.113[.]151 - GET /sshd/aw7.tiff
• 65.181.113[.]151 port 80 - 65.181.113[.]151 - GET /sshd/W7.zip
• 65.181.113[.]151 port 80 - 65.181.113[.]151 - GET /sshd/dll.dll
• 65.181.113[.]151 port 80 - 65.181.113[.]151 - GET /sshd/dll.dll.exe
• 178.159.36[.]82 port 80 - www.petr4[.]in - GET /avs/index.php?[long string of characters]
• 178.159.36[.]82 port 80 - www.petr4[.]in - GET /avs/logs/index.php?[long string of characters]
• 178.159.36[.]82 port 80 - www.petr4[.]in - GET /lol/index.php?[long string of characters]
• 54.232.207[.]222 port 443 - ssl.suzukiburgman[.]top - IRC traffic using clear text (not encrypted)

 

FILE HASHES

PDF ATTACHMENT:

• SHA256 hash:  bd194a81bfed3d57744183dd700e9e4a68f7b05b0f4c94a4eacac5ef6f9c3e49
  File size:  49,198 bytes
  File name:  1508201700016067882247230289631.pdf

DOWNLOADED VBS FILE:

• SHA256 hash:  a6fe97fbe7582a88a53a6fd102e6b0bf9e5673ba22609b81c5bb0d3c80fda148
  File size:  4,912 bytes
  File name:  2308201700026174031337009631980.vbs

 

IMAGES

Shown above:  Some of the unencrypted IRC traffic noted over TCP port 443.

 

Click here to return to the main page.