2018-10-10 - MALSPAM LINK LEADS TO FAKE UPDATER MALWARE

NOTICE:

ASSOCIATED FILES:

  • 2018-10-10-fake-updater-infection-traffic.pcap   (2,813,365 bytes)
  • 2018-10-10-follow-up-fake-updater-update_v1201.exe   (48,192 bytes)
  • 2018-10-10-follow-up-malware-1st-decoded-binary.dll   (59,392 bytes)
  • 2018-10-10-follow-up-malware-2nd-decoded-binary.dll   (62,464 bytes)

NOTES:

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs or partial URLs:

 

EMAIL

Date/Time:  Wednesday 2018-10-10 at 16:08 UTC
From:  info@viveto[.]de
Subject:  Statement of claim ID 23779

Email description:  URLs in the email point to a fake report page with a link to a supposed document.  When a victim clicks the download button, a message appears that claims you need an update to view the document.  This new link returns malicious Windows executable.

 

INFECTION TRAFFIC

TRAFFIC FROM AN INFECTED WINDOWS HOST:

 

MALWARE

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:

 

IMAGES


Shown above:  Fake document page after clicking link from the email.

 


Shown above:  Fake updater notification when you click on page for the document.

 


Shown above:  Download notification for fake updater.

 


Shown above:  Browser notification that digital signature of downloaded EXE file is corrupt or invalid.

 


Shown above:  More information on the digital signature of this malware.

 


Shown above:  Traffic from the infection filtered in Wireshark.

 


Shown above:  Alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.

 


Shown above:  Post-infection traffic with ASCII string used to XOR the follow-up malware binaries.

 


Shown above:  One of the follow-up malware DLL files sent during post-infection traffic.

 


Shown above:  Example of a Python script to decode follow-up binaries to get the malware DLL files.

 


Shown above:  Examples of "before" and "after" shots when decoding a binary for the DLL.

 


Shown above:  Fake installer malware persistent on the infected Windows host.

 

Click here to return to the main page.