Tuesday, July 08, 2014

Disk57.com, Cutwail, and Tearing Down Offending Infrastructure

Sometimes I am so impressed by the things my employees at Malcovery discover as they work through the various email-based threats we process and report about for our customers. Brendan, Wayne, and J evaluate and document hundreds of malware threats each week from our Spam Data Mine and because of their daily interactions with so much malware notice patterns that others miss. I've been asking them to be especially mindful of what the Cutwail spammers are moving to next as the GameOver Zeus era moves to a close, and Brendan did a great job of covering that over on the Malcovery Blog in the article How Spammers Are Filling the Gameover Zeus Void.

June 16 - Disk57.com first sighted

On June 16, 2014, Brendan and the team noticed three malware campaigns distribution spam campaigns that were all pushing the same malware. The email subjects were:

Subject: USPS - Missed package delivery
Subject: You have received a new fax
Subject: Scanned Image from a Xerox WorkCentre

The files attached to those messages included:

USPS1758369.zip - (22,331 bytes) - MD5: 73c4758a84c4a0e24e4f34db69584d26
(VirusTotal results at report time: 3/54)

Scan.zip - (22,329 bytes) - MD5: cbfb3f1e40b30d01f4dda656d7f576e7
(VirusTotal results at report time: 3/54)

IncomingFax.zip - 22,329 bytes - MD5: 048dcc8c9639d2e8ccea362fdb5f7d3e
(VirusTotal results at report time: 3/54)

All three of those .zip files contained the same binary, with the varying names, USPS06162014.scr, Scan.scr, and IncomingFax.scr.

(40,960 bytes) - MD5: 36e264de2cb3321756a511f6c90510f5

(VirusTotal results at report time: 0/54)

By a week later, the detection rate was up to 38 of 46 AV products detecting this as malware, but at the time of the spam campaign, only Sophos and K7 had signature-based detection for the malware, though some vendors may have offered other types of protection.

Whichever of the three versions you downloaded, the SCR file was actually a PE-executable which would contact the site "disk57.com" in order to "check in" by hitting the file "gate.php" on that server. The Ukrainian server in question,, (AS197145, Kharkiv Infium LLC) had been seen previously communicating with malware on March 26 and March 27 using the domain name "malidini.com".

The registry was modified so that a copy of the .scr file (now named as an .exe) would be executed on the next start up due to a Policy statement located in "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\818107311"

This resulted in the downloaded of a 7200 byte ".mod" file

More Disk57.com sightings

Disk57.com was also used as part of the malware infrastructure for malware samples distributed by the following spam campaigns:

June 16 - Wells Fargo 
June 17 - USPS
June 18 - HSBC
June 18 - Xerox
June 18 - New Fax
June 30 - HSBC - Subject: Avis de Paiement
June 30 - New Fax - Subject: You have received a new fax message
June 30 - Scanned Document - Subject: Scan de 
July 1 - BanquePopulaire
July 1 - French government
July 3 - Xerox
July 3 - UPS
July 3 - Wells Fargo
On June 30th, we saw the same technique used as in the June 16th campaigns. Three different .zip files, each containing a .scr file that was named differently, but where all samples had the same MD5 hash (MD5: 66dcf2e32aa902e2ffd4c06f5cb23b43 - VirusTotal detection 11/54 at report time.)

As on June 16th, executing the .scr file resulted in an exchange with the "gate.php" file on disk57.com on, resulting in a 7200 byte ".mod" file being downloaded.

On June 30th, however, this exchange resulted in a copy of the Cutwail binary, b02.exe, being downloaded from jasongraber.com on the path /css/b02.exe. (IP b02.exe had a file size of 41,472 bytes - MD5: 84822121b11cce3c8a75f27c1493c6bb with a VirusTotal report of 2/54 at report time.

Upatre Updated

On July 3rd, spam campaigns imitating Xerox, UPS, and Wells Fargo used this same technique again with email subjects:

Subject: Scan from a Xerox WorkCentre - seen 1209 times by Malcovery
Subject: New Fax: # pages - seen 288 times by Malcovery
Subject: IMPORTANT - Confidential documents - seen 88 times by Malcovery
Subject: UPS - Credit Card Billing Adjustment. Ref#(random) - seen 178 times by Malcovery

1,941 messages were sent to our Spam Data Mine from 1,037 different sending IP addresses.

The .zip files still contained .scr files that were all the same
file size (23,040 bytes) MD5: 870c63c4420b6f187066a94ef6c56dc6 - VirusTotal report: 1/53 at report time.

However this time there were three very different URLs downloaded as a result of the initial click. The downloaded malware behaved almost exactly like the UPATRE samples that were used to distribute the encrypted version of GameOver Zeus that we wrote about back in February. (See: GameOver Zeus Now Uses Encryption to Bypass Perimeter Security.)


The UPATRE malware that was signature detected only by Sophos (as the useful name Mal/Generic-S) on July 3rd now has 43 detections at VirusTotal, although most are crap as usual, with regards to the usefulness of the names chosen by the vendors. Zbot.LDQ, Trojan/Win32.Zbot (but it clearly isn't Zeus, it's just a tiny downloader, which is what several vendors call it (Trojan.Win32.Tiny.bNKP). Several other vendors call it Ransomware or Crypto something or another (Trojan-Ransom.Win32.Cryptodef.oq, Win32/Ransom.ABOQAMB, TROJ_CRYPWALL.JER, Trojan.Win32.A.Cryptodef.23040). Only Microsoft called it Upatre (TrojanDownloader:Win32/Upatre.AA) although that is clearly the consensus of the AV analysts we have discussed the sample with. In this case the job of UPATRE is to download files that CLAIM to be PDF files, "convert/unpack/decrypt" them into .exe files, and then launch those .EXE files.

Three touches to the OVH (AS16276) IP address resulted in three files so-called PDF files being downloaded from repele.net on IP address, each with the name "css/agreement.pdf". UPATRE did its magic, converting each of these files into another binary executable:

agreement.pdf = 131,173 bytes - MD5: 354283b80cc9e63d872475175d20f14d

(became CryptoWall Encryption ransomware, (in our case, named 09acd07.exe and located in a directory 09acd07 - 183,296 bytes - MD5: 6238af3e78f3316ea5f0192cb8cf3167 - VirusTotal reports detection of 14/53 at report time

which made connection to three C&C servers:
- vivatsaultppc.com - in Russia (AS39134)
- bolizarsospos.com - in Russia (AS39134)
- covermontislol.com - in Russia (AS12695)

After encrypting files, the victim is shown the following text, with a timer counting down from 168 hours:

Your files are encrypted. To get the key to decrypt the files you have to pay 750 USD/EUR. If payment is not made before 10/07/14 - 15:37 the cost of decrypting files will increase 2 times and will be 1500 USD/EUR

(Other files found in that subdirectory included, DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.TXT, and DECRYPT_INSTRUCTION.URL.)

agreement-2.pdf = 51,266 bytes - MD5: 06a16a7701c748467a0b8bc79feb7f35

(became Cutwail spamming botnet malware, mshvsk.exe (random file name) - 39,936 bytes - MD5: c1cc8b5eaf7f25449cfda0c6cd98b553 - VirusTotal reports detection of 1/54 at report time.

which then began communications to seven separate C&C servers:
- in Russia (AS48031)
- in Russia (AS29182)
- in Netherlands (AS50245)
- in Germany (AS24940)
- in Russia (AS198681)
- in Ukraine (AS56485)
- in Russia (AS51724 - FLYNET)

agreement-3.pdf = 27,811 bytes - MD5: 19a1986f6fd0f243b02bba6cb77e9522

(became Andromeda botnet malware: gqxse.exe (random file name) - 23,150 bytes - MD5: 8e6c9e794739e67969c6f81a5786d9e7 VirusTotal reports detection of 0/54.

which then called out to disk57.com / gate.php)

What to do?

First and foremost, we need to get rid of Cutwail. This will be difficult as Russia continues to harbor their cyber criminals, allow them to bribe themselves out of prison and into government offices and contracts, and seems to treat their rampant theft of American and European wealth as a form of Economic Development.

In the meantime, we need to begin smashing their infrastructure at every chance we can get. Seize the hardware if we can, disable the routing of the traffic if we can't, and DEFINITELY block that infrastructure within our homes and companies!

Do yourself and your company a favor by sharing a link to this blog and recommending that your IT Security staff block the addresses shared above. If you live in a country where you can help, please do so!

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.