2017-09-15 - AMATEUR HOUR: MORE FAKE MICROSOFT UPDATE MALSPAM WITH .EXE ATTACHMENTS

ASSOCIATED FILES:

• Zip archive of the pcaps:  2017-09-15-fake-Microsoft-update-traffic.pcap.zip   10.8 kB (10,757 bytes)

• 2017-09-15-fake-Microsoft-update-traffic.pcap   (36,370 bytes)

• Zip archive of the spreadsheet racker:  2017-09-15-fake-Microsoft-update-tracker.csv.zip   1.1 kB (1,107 bytes)

• 2017-09-15-fake-Microsoft-update-tracker.csv   (3,729 bytes)

• Zip archive of an email example and the associated malware:  2017-09-15-fake-Microsoft-update-email-example-and-malware.zip   44.9 kB (44,931 bytes)

• 2017-09-15-fake-Microsoft-update-malspam-example.eml   (38,278 bytes)
• 2017-09-15-poorly-written-file-downloader.exe   (27,648 bytes)
• 2017-09-15-poorly-written-follow-up-malware-bitcoin-wallet-stealer.exe   (36,864 bytes)

NOTES:

• Same issues as seen in my post about this malspam from yesterday (link).
• For example, I had to run today's EXE attachment as an administrator for it to work.
• Follow-up malware is the same bitcoin wallet stealer, slightly adjusted, but with the same problems as before (needs MSWINSCK.OCX, will crash if no Bitcoin wallet is present).
• For the vast majority of people, this malware won't work if someone somehow gets one of these emails and double-clicks the attachment.
• This whole campaign just feels so amateur and inexperienced.

Shown above:  How some people think, apparently.

 

EMAILS

Shown above:  Screenshot from the spreadsheet tracker.

 

Shown above:  Screenshot from an email on 2017-09-15.

 

EMAILS NOTED:

Read:  Date/time -- Sending IP address -- Sending email address (spoofed) -- Subject line -- attachment name

• 2017-09-14 12:18 UTC   --   190.141.70.7   --   clandon@pac.bluecross.ca   --   Install The Microsoft Update before its too late!   --   z5wz1.exe
• 2017-09-14 13:14 UTC   --   190.109.167.106   --   cking1989@gamail.com   --   Install The Microsoft Update before its too late!   --   8knqzj3.exe
• 2017-09-14 13:18 UTC   --   190.117.86.192   --   clebsondonald@hitmail.com   --   Install The Microsoft Update before its too late!   --   st5javq7.exe
• 2017-09-14 14:29 UTC   --   190.107.22.27   --   ckr02-co@ezweb.ne.jp   --   Install The Microsoft Update before its too late!   --   vl2rdb21.exe
• 2017-09-14 14:31 UTC   --   190.238.71.65   --   claudia.ortner@gpo.at   --   Install The Microsoft Update before its too late!   --   tdz2arv.exe
• 2017-09-14 15:30 UTC   --   190.130.0.131   --   clandon@pac.bluecross.ca   --   Install The Microsoft Update before its too late!   --   la20vp.exe
• 2017-09-14 15:50 UTC   --   190.67.121.130   --   claudio22@hoail.com   --   Install The Microsoft Update before its too late!   --   sc15611.exe
• 2017-09-14 16:41 UTC   --   190.216.224.66   --   cko9o45923844@ezweb.ne.jp   --   Install The Microsoft Update before its too late!   --   l55ffs.exe
• 2017-09-14 16:42 UTC   --   190.121.193.206   --   claudio.serventi@rolli.it   --   Install The Microsoft Update before its too late!   --   6invcj2t.exe
• 2017-09-14 16:44 UTC   --   190.130.0.143   --   clacloteco@throam.com   --   Install The Microsoft Update before its too late!   --   65o5442i.exe
• 2017-09-14 16:56 UTC   --   190.236.63.120   --   clacrukodr@throam.com   --   Install The Microsoft Update before its too late!   --   4lx37.exe
• 2017-09-15 12:30 UTC   --   190.184.205.78   --   clarence.turer@kp.org   --   Install The Microsoft Update before its too late!   --   lo7nt7s.exe
• 2017-09-15 12:38 UTC   --   190.184.205.78   --   claudia.mx.nl@outloox.com   --   Install The Microsoft Update before its too late!   --   05rln92.exe
• 2017-09-15 12:47 UTC   --   190.109.185.113   --   ckc1029@chukei.com.tw   --   Install The Microsoft Update before its too late!   --   ibas0.exe
• 2017-09-15 13:04 UTC   --   190.115.2.118   --   claire.smaller@nhs.net   --   Install The Microsoft Update before its too late!   --   qc9wy.exe
• 2017-09-15 15:46 UTC   --   190.232.206.7   --   clairtonrezende10@hotmal.com.br   --   Install The Microsoft Update before its too late!   --   5ch3cx3n.exe
• 2017-09-15 19:36 UTC   --   190.130.0.139   --   claudiosette@excite.it   --   Install The Microsoft Update before its too late!   --   knqdpc3h.exe
• 2017-09-15 19:43 UTC   --   190.130.0.131   --   clark.smith@awc-inc.com   --   Install The Microsoft Update before its too late!   --   03jzhz3.exe
• 2017-09-15 19:46 UTC   --   190.0.12.58   --   claro@ownit.nu   --   Install The Microsoft Update before its too late!   --   o3y1xf2j.exe

 

TRAFFIC

Shown above:  Attachment from the email has to be run as an administrator, then it will act as a file downloader.

 

Shown above:  Follow-up malware needs MSWINSCK.OCX and a bitcoin wallet at a specific location on the infected host.

 

ASSOCIATED URLS:

• 80.208.230.159 port 80 - 80.208.230.159 - GET /loader.exe
• 80.208.230.159 port 80 - 80.208.230.159 - POST /google/google.php?

 

ASSOCIATED MALWARE

ATTACHED EXE FILE:

• SHA256 hash:  824351601841da66af1164881b39c7b4d245743aa5b0c77d9e975d1967ee4c30
  File size:  27,648 bytes
  File description:  poorly-written file downloader

FOLLOW-UP MALWARE:

• SHA256 hash:  80a3f8b6d58846fdc4c0f08da7eef418e895c57f4f2b524d3bf806c2d4353779
  File size:  36,864 bytes
  File description:  poorly-written Bitcoin wallet stealer

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcaps:  2017-09-15-fake-Microsoft-update-traffic.pcap.zip   10.8 kB (10,757 bytes)
• Zip archive of the spreadsheet racker:  2017-09-15-fake-Microsoft-update-tracker.csv.zip   1.1 kB (1,107 bytes)
• Zip archive of an email example and the associated malware:  2017-09-15-fake-Microsoft-update-email-example-and-malware.zip   44.9 kB (44,931 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.