2017-12-26 - NECURS BOTNET MALSPAM PUSHES GLOBEIMPOSTER RANSOMWARE

ASSOCIATED FILES:

• 2017-12-26-Necurs-Botnet-malspam-tracker.csv.zip   0.9 kB (903 bytes)
• 2017-12-26-Necurs-Botnet-malspam-traffic.pcap.zip   169 kB (168,925 bytes)
• 2017-12-26-Necurs-Botnet-malspam-and-artifacts.zip   247 kB (246,597 bytes)

 

Shown above:  You could say this almost every day.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• hxxp://www.caynannews.com/mnbTREkfDS?
• hxxp://www.pspmagic.ru/mnbTREkfDS?
• hxxp://www.simpleaftercare.co.uk/mnbTREkfDS?
• hxxp://www.software24x7.us/mnbTREkfDS?
• hxxp://www.ta-pu.ir/mnbTREkfDS?
• hxxp://www.thedournalist.com/mnbTREkfDS?
• hxxp://www.trafik-site.ru/mnbTREkfDS?
• hxxp://www.zhaksylyk.kz/mnbTREkfDS?
• psoeiras.net
• topyzscsu5poprxy.onion.link

 

IMAGES

Shown above:  Screenshot from today's spreadsheet tracker.

 

Shown above:  Example from one of the emails.

 

Shown above:  One of the attached 7-zip archives and extracted JavaScript (JS) file.

 

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  Examples of encrypted files on an infected Windows host.

 

Shown above:  Decryption instructions from the HTML file dropped on the infected Windows host.

 

Shown above:  GlobeImposter decryptor domain was unavailable when I checked today.

 

Shown above:  Artifact found in the user's AppData\Local\Temp directory.

 

INDICATORS

EMAIL DATA FROM 6 EXAMPLES:

• Date/Time:  Tuesday 2017-12-26 as early as 15:51 UTC through at least 16:49 UTC

• Received: from 223.223.129.41 ([223.223.129.41])
• Received: from static.vnpt.vn ([113.176.130.230])
• Received: from 88.230.76.115.dynamic.ttnet.com.tr ([88.230.76.115])
• Received: from static.vnpt.vn ([14.237.154.250])
• Received: from 202.134.178.178.customer.7starnet.com ([202.134.178.178])
• Received: from 106.206.62.48 by ([106.206.62.48])

• From: Lorene <Lorene@consumeradvantageonline.com>
• From: Darius <Darius@2009.ketl.com>
• From: Angelo <Angelo@desfort.com>
• From: Charlene <Charlene@martinsafetysolutions.com>
• From: Michelle <Michelle@ladomiciliu.ro>
• From: Bertie <Bertie@ihorserealty.com>

• Subject: CCE26122017_007495
• Subject: CCE26122017_000092
• Subject: CCE26122017_007684
• Subject: CCE26122017_004418
• Subject: CCE26122017_006163
• Subject: CCE26122017_000341

 

SHA256 HASHES FOR THE ATTACHMENTS

• 1de792017e8b8a6c8d2cdd5bdd34f4f2075f0cee3db416802ca167ec2f617a79 - CCE26122017_000092.7z
• 3ab43239c3f3ad5717d5aed74d8f24f6a55bc59d83ba32f56460cc73d13c56d5 - CCE26122017_000341.7z
• 26859dd30e21f924a34839648bb4d40593ab9758d3ea87622f80381114a4d984 - CCE26122017_004418.7z
• 7a2217c6d37666a48a0621373682ef22c3bc22abc4651a188da26c4650e8d6ab - CCE26122017_006163.7z
• 44715845abf639e9c3300b7657b4389152c58fd2801d47b7a775caefad112cb5 - CCE26122017_007495.7z
• 7a9d6bb001b6384ee1c7dd1970fab9930ae474bccca0c49bba0857a206ee2558 - CCE26122017_007684.7z

 

SHA256 HASHES FOR THE EXTRACTED JS FILES:

• 64293d7e96b527acb1c7f55ba3c0895d2e787e46284dc0c55beade8e1549b981 - CCE26122017_20422.js
• e9378336cf81b38bf456a7f1f74580781d6cf423cbad43eb516a8b6707ff2e4c - CCE26122017_43632.js
• 423deee9a411a19b7ddf0a0841f44b5372fb1c6ba4040f15498520b56c499cab - CCE26122017_51796.js
• e6c943b588644e73defdeafb9f17dd827fff613eedd07d6447b99fff7d2bbf56 - CCE26122017_53504.js
• dca4944854fd896cbea5f136e84826029d102c6ae002ab67f2c220229c5eaedb - CCE26122017_64340.js
• 7b69c74eda1b32bc5443333651124dca538d377076f5301a04d26ce4445be240 - CCE26122017_64858.js

 

PARTIAL URLS FROM THE JAVASCRIPT FILES TO RETRIEVE GLOBEIMPOSTER RANSOMWARE:

• www.caynannews.com - GET /mnbTREkfDS?
• www.pspmagic.ru - GET /mnbTREkfDS?
• www.simpleaftercare.co.uk - GET /mnbTREkfDS?
• www.software24x7.us - GET /mnbTREkfDS?
• www.ta-pu.ir - GET /mnbTREkfDS?
• www.thedournalist.com - GET /mnbTREkfDS?
• www.trafik-site.ru - GET /mnbTREkfDS?
• www.zhaksylyk.kz - GET /mnbTREkfDS?

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

• 185.98.7.180 port 80 - www.zhaksylyk.kz - GET /mnbTREkfDS??huVyja=huVyja   [JS file grabbing GlobeImposter]
• 74.220.219.67 port 80 - psoeiras.net - GET /js/count.php?nu=105&fb=110
• 103.198.0.2 port 443 - topyzscsu5poprxy.onion.link - GET /shfgealjh.php   [HTTPS traffic for GlobeImposter decryptor]

 

GLOBEIMPOSTER RANSOMWARE EXAMPLE:

• SHA256 hash: 3a9d5976fbf41daf80f0eb9e6b7aadcece52a82fe9609984ef7f8ea166048547
• File size: 239,104 bytes

 

OTHER INFORMATION:

• Extensions for all encrypted files:  ..doc

 

FINAL NOTES

Once again, here are the associated files:

• 2017-12-26-Necurs-Botnet-malspam-tracker.csv.zip   0.9 kB (903 bytes)
• 2017-12-26-Necurs-Botnet-malspam-traffic.pcap.zip   169 kB (168,925 bytes)
• 2017-12-26-Necurs-Botnet-malspam-and-artifacts.zip   247 kB (246,597 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.