2018-01-02 - WHATSAPP-THEMED MALSPAM TAGETING BRAZIL (AGAIN)

ASSOCIATED FILES:

• Zip archive of the pcap:  2018-01-02-whatsapp-malspam-traffic.pcap.zip   14.4 MB (14,366,863 bytes)

• 2018-01-02-whatsapp-malspam-traffic.pcap   (15,560,361 bytes)

• Saz archive of the Fiddler capture:  2018-01-02-whatsapp-malspam-traffic.saz   12.8 MB (12,838,469 bytes)

• 2018-01-02-whatsapp-malspam-traffic.pcap   (15,560,361 bytes)

• Zip archive of the email:  2018-01-02-whatsapp-malspam-1443-UTC.eml.zip   1.5 kB (1,502 bytes)

• 2018-01-02-whatsapp-malspam-1443-UTC.eml   (3,581 bytes)

• Zip archive of the malware and artifacts:  2018-01-02-whatsapp-malware-and-artifacts.zip   24.7 MB (24,740,570 bytes)

• 124412.dat   (6,499,839 bytes)
• 125412.dat   (5,440,967 bytes)
• DISNEY0201.exe   (201,679,672 bytes)
• DISNEY020118.exe   (202,065,232 bytes)
• usernameHOSTNAME-PC0.txt   (3,364 bytes)
• usernameHOSTNAME-PC1.txt   (3,360 bytes)
• vIDEO.Nat.25.12.2017.exe   (3,490,816 bytes)

NOTES:

• I documented similar malspam last year on 2017-10-03 and 2017-10-11.
• The end results appears to be the same type of Banload-style information stealer/banking malware we've seen before from this type of malspam.
• The only alerts of note on the network traffic were alerts for a Lets Encrypt SSL certificate used by whatsapp.visualizar.cf, a server established to help distribute the malware.

Shown above:  Flowchart for today's infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• hxxps://storage.googleapis.com/webmessenger/Visualizar.html
• whatsapp.visualizar.cf
• hxxps://storage.googleapis.com/videoswhatsap/vIDEO.Nat.25.12.2017.exe
• hxxp://177.11.55.92/upload.php?id=PRO
• hxxp://177.11.55.92/upload.php?id=LXO
• hxxp://177.11.55.92/index1.php

 

EMAIL

Shown above:  Screenshot of the email.

 

HEADER INFORMATION:

• Date:  Tuesday, 2018-01-01 at 14:44 UTC
• Received:  from fh5 ([89.40.119.45])
• Message-ID:  <20180102144358.30DB91F88F@fh5>
• From:  [spoofed as recipient's email address]
• Subject:  FWD: - Video (WhatsApp) 02/01/2018 03:43:58
• Link in the email:  hxxps://storage.googleapis.com/webmessenger/Visualizar.html

 

MESSAGE TEXT:

Número do Controle: 950637668 Prezado Usuário: [recipient's email address]

WhatsApp com você. Para visualizá-lo, clique no link abaixo.

Video.Wav.25.12.2017.AM:03.30

*****   Enviado via IPhone X   *****

 

Shown above:  Downloading malware from link in the email.

 

Shown above:  Saw this pop-up message, but the malware still infected my lab host..

 

TRAFFIC

Shown above:  HTTP traffic from the infection filtered in Wireshark.

 

Shown above:  HTTPS URLs noted in Fiddler web debugger.

 

ASSOCIATED DOMAINS:

• port 443 (HTTPS) - storage.googleapis.com - GET /webmessenger/Visualizar.html
• 185.189.56.84 port 443 (HTTPS) - whatsapp.visualizar.cf - GET /Abrir/
• port 443 (HTTPS) - storage.googleapis.com - GET /videoswhatsap/vIDEO.Nat.25.12.2017.exe&[string of characters]
• 177.11.55.92 port 80 - 177.11.55.92 - GET /upload.php?id=PRO
• 177.11.55.92 port 80 - 177.11.55.92 - GET /upload.php?id=LXO
• 177.11.55.92 port 80 - 177.11.55.92 - POST /index1.php
• DNS queries for globo.com (a legitimate site), cxaffdxxxeo.gotdns.ch, and twocxaffdxxxeo.gotdns.ch - but no associated TCP traffic.

 

MALWARE

MALWARE DOWNLOADED FROM LINK IN EMAIL:

• SHA256 hash:  3e7fe55b467948c0e4f788581e2bd2008619f53cf1cb2a3c6dcd156042d553ec
  File size:  3,490,816 bytes
  File name:  vIDEO.Nat.25.12.2017.exe

FOLLOW-UP ZIP ARCHIVE (1 OF 2):

• SHA256 hash:  116872ae52c6f59aee0d5114445c3c3db2153db0ccb3c6869d8983ecc766a4cd
  File size:  6,499,839 bytes
  File name:  124412.dat
  File location:  hxxp://177.11.55.92/upload.php?id=PRO

EXTRACTED EXECUTABLE (1 OF 2):

• SHA256 hash:  a44c6a4233201818c8b86303e06d70141e526dfa47ef5cb0dcb42c98d7078948
  File size:  201,679,672 bytes
  File name:  kqabnrgr.dat
  File location:  C:\Users\[username]\AppData\Local\A9313E2A1BB5D422EA99\DISNEY0201.exe

FOLLOW-UP ZIP ARCHIVE (2 OF 2):

• SHA256 hash:  b69421193dc529eb50a76549c81ab34ecc12cbbdb0aa2376681cdd8cbc95bc4b
  File size:  5,440,967 bytes
  File name:  125412.dat
  File location:  hxxp://177.11.55.92/upload.php?id=LXO

EXTRACTED EXECUTABLE (2 OF 2):

• SHA256 hash:  7c7d58eb470fa4a6dd697bfeb802b0a48c0e0f670ea2c015e589263af3f52353
  File size:  202,065,232 bytes
  File name:  ptdwplcp.dat
  File location:  C:\Users\[username]\AppData\Local\B9313E2A1BB5D422EA98\DISNEY020118.exe

 

IMAGES

Shown above:  Follow-up download for a zip archive with malware for the infection.

 

Shown above:  Contents of the zip archive and where it was dropped for persistence.

 

Shown above:  Two zip archives were retrieved by the initial installer, and the extracted EXE files were made persistent through scheduled tasks.

 

Shown above:  Alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.

 

Shown above:  Some alerts on the infection traffic from the Snort subscriber ruleset when reading the pcap with Snort 2.9.11.

 

Shown above:  Post-infection callback from the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2018-01-02-whatsapp-malspam-traffic.pcap.zip   14.4 MB (14,366,863 bytes)
• Saz archive of the Fiddler capture:  2018-01-02-whatsapp-malspam-traffic.saz   12.8 MB (12,838,469 bytes)
• Zip archive of the email:  2018-01-02-whatsapp-malspam-1443-UTC.eml.zip   1.5 kB (1,502 bytes)
• Zip archive of the malware and artifacts:  2018-01-02-whatsapp-malware-and-artifacts.zip   24.7 MB (24,740,570 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.