2017-12-26 - NECURS BOTNET MALSPAM PUSHES GLOBEIMPOSTER RANSOMWARE
ASSOCIATED FILES:
- 2017-12-26-Necurs-Botnet-malspam-tracker.csv.zip 0.9 kB (903 bytes)
- 2017-12-26-Necurs-Botnet-malspam-traffic.pcap.zip 169 kB (168,925 bytes)
- 2017-12-26-Necurs-Botnet-malspam-and-artifacts.zip 247 kB (246,597 bytes)
Shown above: You could say this almost every day.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- hxxp://www.caynannews.com/mnbTREkfDS?
- hxxp://www.pspmagic.ru/mnbTREkfDS?
- hxxp://www.simpleaftercare.co.uk/mnbTREkfDS?
- hxxp://www.software24x7.us/mnbTREkfDS?
- hxxp://www.ta-pu.ir/mnbTREkfDS?
- hxxp://www.thedournalist.com/mnbTREkfDS?
- hxxp://www.trafik-site.ru/mnbTREkfDS?
- hxxp://www.zhaksylyk.kz/mnbTREkfDS?
- psoeiras.net
- topyzscsu5poprxy.onion.link
IMAGES
Shown above: Screenshot from today's spreadsheet tracker.
Shown above: Example from one of the emails.
Shown above: One of the attached 7-zip archives and extracted JavaScript (JS) file.
Shown above: Traffic from an infection filtered in Wireshark.
Shown above: Examples of encrypted files on an infected Windows host.
Shown above: Decryption instructions from the HTML file dropped on the infected Windows host.
Shown above: GlobeImposter decryptor domain was unavailable when I checked today.
Shown above: Artifact found in the user's AppData\Local\Temp directory.
INDICATORS
EMAIL DATA FROM 6 EXAMPLES:
- Date/Time: Tuesday 2017-12-26 as early as 15:51 UTC through at least 16:49 UTC
- Received: from 223.223.129.41 ([223.223.129.41])
- Received: from static.vnpt.vn ([113.176.130.230])
- Received: from 88.230.76.115.dynamic.ttnet.com.tr ([88.230.76.115])
- Received: from static.vnpt.vn ([14.237.154.250])
- Received: from 202.134.178.178.customer.7starnet.com ([202.134.178.178])
- Received: from 106.206.62.48 by ([106.206.62.48])
- From: Lorene <Lorene@consumeradvantageonline.com>
- From: Darius <Darius@2009.ketl.com>
- From: Angelo <Angelo@desfort.com>
- From: Charlene <Charlene@martinsafetysolutions.com>
- From: Michelle <Michelle@ladomiciliu.ro>
- From: Bertie <Bertie@ihorserealty.com>
- Subject: CCE26122017_007495
- Subject: CCE26122017_000092
- Subject: CCE26122017_007684
- Subject: CCE26122017_004418
- Subject: CCE26122017_006163
- Subject: CCE26122017_000341
SHA256 HASHES FOR THE ATTACHMENTS
- 1de792017e8b8a6c8d2cdd5bdd34f4f2075f0cee3db416802ca167ec2f617a79 - CCE26122017_000092.7z
- 3ab43239c3f3ad5717d5aed74d8f24f6a55bc59d83ba32f56460cc73d13c56d5 - CCE26122017_000341.7z
- 26859dd30e21f924a34839648bb4d40593ab9758d3ea87622f80381114a4d984 - CCE26122017_004418.7z
- 7a2217c6d37666a48a0621373682ef22c3bc22abc4651a188da26c4650e8d6ab - CCE26122017_006163.7z
- 44715845abf639e9c3300b7657b4389152c58fd2801d47b7a775caefad112cb5 - CCE26122017_007495.7z
- 7a9d6bb001b6384ee1c7dd1970fab9930ae474bccca0c49bba0857a206ee2558 - CCE26122017_007684.7z
SHA256 HASHES FOR THE EXTRACTED JS FILES:
- 64293d7e96b527acb1c7f55ba3c0895d2e787e46284dc0c55beade8e1549b981 - CCE26122017_20422.js
- e9378336cf81b38bf456a7f1f74580781d6cf423cbad43eb516a8b6707ff2e4c - CCE26122017_43632.js
- 423deee9a411a19b7ddf0a0841f44b5372fb1c6ba4040f15498520b56c499cab - CCE26122017_51796.js
- e6c943b588644e73defdeafb9f17dd827fff613eedd07d6447b99fff7d2bbf56 - CCE26122017_53504.js
- dca4944854fd896cbea5f136e84826029d102c6ae002ab67f2c220229c5eaedb - CCE26122017_64340.js
- 7b69c74eda1b32bc5443333651124dca538d377076f5301a04d26ce4445be240 - CCE26122017_64858.js
PARTIAL URLS FROM THE JAVASCRIPT FILES TO RETRIEVE GLOBEIMPOSTER RANSOMWARE:
- www.caynannews.com - GET /mnbTREkfDS?
- www.pspmagic.ru - GET /mnbTREkfDS?
- www.simpleaftercare.co.uk - GET /mnbTREkfDS?
- www.software24x7.us - GET /mnbTREkfDS?
- www.ta-pu.ir - GET /mnbTREkfDS?
- www.thedournalist.com - GET /mnbTREkfDS?
- www.trafik-site.ru - GET /mnbTREkfDS?
- www.zhaksylyk.kz - GET /mnbTREkfDS?
TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 185.98.7.180 port 80 - www.zhaksylyk.kz - GET /mnbTREkfDS??huVyja=huVyja [JS file grabbing GlobeImposter]
- 74.220.219.67 port 80 - psoeiras.net - GET /js/count.php?nu=105&fb=110
- 103.198.0.2 port 443 - topyzscsu5poprxy.onion.link - GET /shfgealjh.php [HTTPS traffic for GlobeImposter decryptor]
GLOBEIMPOSTER RANSOMWARE EXAMPLE:
- SHA256 hash: 3a9d5976fbf41daf80f0eb9e6b7aadcece52a82fe9609984ef7f8ea166048547
- File size: 239,104 bytes
OTHER INFORMATION:
- Extensions for all encrypted files:  ..doc
FINAL NOTES
Once again, here are the associated files:
- 2017-12-26-Necurs-Botnet-malspam-tracker.csv.zip 0.9 kB (903 bytes)
- 2017-12-26-Necurs-Botnet-malspam-traffic.pcap.zip 169 kB (168,925 bytes)
- 2017-12-26-Necurs-Botnet-malspam-and-artifacts.zip 247 kB (246,597 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.