2017-12-26 - NECURS BOTNET MALSPAM PUSHES GLOBEIMPOSTER RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-12-26-Necurs-Botnet-malspam-tracker.csv.zip   0.9 kB (903 bytes)
• 017-12-26-Necurs-Botnet-malspam-pushes-GlobeImposter-ransomware-traffic.pcap.zip   169.0 kB (168,989 bytes)
• 2017-12-26-Necurs-Botnet-malspam-and-GlobeImposter-ransomware.zip   250.9 kB (250,941 bytes)

 

Shown above:  You could say this almost every day.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• hxxp[:]//www.caynannews[.]com/mnbTREkfDS?
• hxxp[:]//www.pspmagic[.]ru/mnbTREkfDS?
• hxxp[:]//www.simpleaftercare[.]co[.]uk/mnbTREkfDS?
• hxxp[:]//www.software24x7[.]us/mnbTREkfDS?
• hxxp[:]//www.ta-pu[.]ir/mnbTREkfDS?
• hxxp[:]//www.thedournalist[.]com/mnbTREkfDS?
• hxxp[:]//www.trafik-site[.]ru/mnbTREkfDS?
• hxxp[:]//www.zhaksylyk[.]kz/mnbTREkfDS?
• psoeiras[.]net
• topyzscsu5poprxy[.]onion[.]link

 

IMAGES

Shown above:  Screenshot from today's spreadsheet tracker.

 

Shown above:  Example from one of the emails.

 

Shown above:  One of the attached 7-zip archives and extracted JavaScript (JS) file.

 

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  Examples of encrypted files on an infected Windows host.

 

Shown above:  Decryption instructions from the HTML file dropped on the infected Windows host.

 

Shown above:  GlobeImposter decryptor domain was unavailable when I checked today.

 

Shown above:  Artifact found in the user's AppData\Local\Temp directory.

 

INDICATORS

EMAIL DATA FROM 6 EXAMPLES:

• Date/Time:  Tuesday 2017-12-26 as early as 15:51 UTC through at least 16:49 UTC

• Received: from 223.223.129[.]41 ([223.223.129[.]41])
• Received: from static.vnpt[.]vn ([113.176.130[.]230])
• Received: from 88.230.76[.]115.dynamic.ttnet[.]com[.]tr ([88.230.76[.]115])
• Received: from static.vnpt[.]vn ([14.237.154[.]250])
• Received: from 202.134.178[.]178.customer.7starnet[.]com ([202.134.178[.]178])
• Received: from 106.206.62[.]48 by ([106.206.62[.]48])

• From: Lorene <Lorene@consumeradvantageonline[.]com>
• From: Darius <Darius@2009.ketl[.]com>
• From: Angelo <Angelo@desfort[.]com>
• From: Charlene <Charlene@martinsafetysolutions[.]com>
• From: Michelle <Michelle@ladomiciliu[.]ro>
• From: Bertie <Bertie@ihorserealty[.]com>

• Subject: CCE26122017_007495
• Subject: CCE26122017_000092
• Subject: CCE26122017_007684
• Subject: CCE26122017_004418
• Subject: CCE26122017_006163
• Subject: CCE26122017_000341

 

SHA256 HASHES FOR THE ATTACHMENTS

• 1de792017e8b8a6c8d2cdd5bdd34f4f2075f0cee3db416802ca167ec2f617a79 - CCE26122017_000092.7z
• 3ab43239c3f3ad5717d5aed74d8f24f6a55bc59d83ba32f56460cc73d13c56d5 - CCE26122017_000341.7z
• 26859dd30e21f924a34839648bb4d40593ab9758d3ea87622f80381114a4d984 - CCE26122017_004418.7z
• 7a2217c6d37666a48a0621373682ef22c3bc22abc4651a188da26c4650e8d6ab - CCE26122017_006163.7z
• 44715845abf639e9c3300b7657b4389152c58fd2801d47b7a775caefad112cb5 - CCE26122017_007495.7z
• 7a9d6bb001b6384ee1c7dd1970fab9930ae474bccca0c49bba0857a206ee2558 - CCE26122017_007684.7z

 

SHA256 HASHES FOR THE EXTRACTED JS FILES:

• 64293d7e96b527acb1c7f55ba3c0895d2e787e46284dc0c55beade8e1549b981 - CCE26122017_20422.js
• e9378336cf81b38bf456a7f1f74580781d6cf423cbad43eb516a8b6707ff2e4c - CCE26122017_43632.js
• 423deee9a411a19b7ddf0a0841f44b5372fb1c6ba4040f15498520b56c499cab - CCE26122017_51796.js
• e6c943b588644e73defdeafb9f17dd827fff613eedd07d6447b99fff7d2bbf56 - CCE26122017_53504.js
• dca4944854fd896cbea5f136e84826029d102c6ae002ab67f2c220229c5eaedb - CCE26122017_64340.js
• 7b69c74eda1b32bc5443333651124dca538d377076f5301a04d26ce4445be240 - CCE26122017_64858.js

 

PARTIAL URLS FROM THE JAVASCRIPT FILES TO RETRIEVE GLOBEIMPOSTER RANSOMWARE:

• www.caynannews[.]com - GET /mnbTREkfDS?
• www.pspmagic[.]ru - GET /mnbTREkfDS?
• www.simpleaftercare[.]co[.]uk - GET /mnbTREkfDS?
• www.software24x7[.]us - GET /mnbTREkfDS?
• www.ta-pu[.]ir - GET /mnbTREkfDS?
• www.thedournalist[.]com - GET /mnbTREkfDS?
• www.trafik-site[.]ru - GET /mnbTREkfDS?
• www.zhaksylyk[.]kz - GET /mnbTREkfDS?

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

• 185.98.7[.]180 port 80 - www.zhaksylyk[.]kz - GET /mnbTREkfDS??huVyja=huVyja   [JS file grabbing GlobeImposter]
• 74.220.219[.]67 port 80 - psoeiras[.]net - GET /js/count.php?nu=105&fb=110
• 103.198.0[.]2 port 443 - topyzscsu5poprxy[.]onion[.]link - GET /shfgealjh.php   [HTTPS traffic for GlobeImposter decryptor]

 

GLOBEIMPOSTER RANSOMWARE EXAMPLE:

• SHA256 hash: 3a9d5976fbf41daf80f0eb9e6b7aadcece52a82fe9609984ef7f8ea166048547
• File size: 239,104 bytes

 

OTHER INFORMATION:

• Extensions for all encrypted files:  ..doc

 

Click here to return to the main page.