Friday, August 12, 2016

Kelihos botnet sending Panda Zeus to German and UK Banking Customers

On August 11th and 12th, the Kelihos botnet was observed sending malware again. Unlike the ransomware we've seen it send recently (see Kelihos spamming American Airlines Ransomware and Kelihos spamming Dutch Wildfire Ransomware), this time it is sending links to a Word document that drops a variant of Zeus.

One interesting observation about the spam is that it is "geo-targeting" recipients based on the ccTLD of the recipient's email address. Max Gannon, a UAB malware researcher in our lab, has modified his copy of Wireshark with a couple of handy extra columns: "" "imf.from" "imf.subject"

Now we can do a filter in Wireshark like this:

Filter: contains

which reveals only the subject lines that were sent to people in the UK!

The subjects in this run for people were:

Subject: Barclays Personal Banking
Subject: Detected suspicious transaction on your account
Subject: HSBC Personal Banking
Subject: Incomplete transaction
Subject: Locked transaction

(There was also one "The truth about male power" but that's just a counterfeit pharmaceutical website, which is the main thing Kelihos spams when it is not on a special mission!)
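The same grouping Max gets from his extra Wireshark columns can be done offline on a mailbox or a pcap-extracted set of messages. The script below is an added example, not code from the post or from the UAB lab: it parses raw RFC 5322 messages with Python's `email` package, buckets subject lines by the recipient's top-level domain, and reports which subjects are exclusive to one TLD (the geo-targeted ones). The messages embedded in `SAMPLE_MESSAGES` are constructed for illustration; only the subject lines mirror those quoted in the post.

```python
import email
from collections import defaultdict
from email import policy

# Constructed sample messages (not real Kelihos captures). Recipients are
# made-up addresses; the subject lines mirror the ones quoted in the post.
SAMPLE_MESSAGES = [
    "From: alerts@example.net\nTo: Jane <jane@example.co.uk>\nSubject: Barclays Personal Banking\n\nbody\n",
    "From: alerts@example.net\nTo: bob@example.org.uk\nSubject: HSBC Personal Banking\n\nbody\n",
    "From: pills@example.net\nTo: sam@example.co.uk\nSubject: The truth about male power\n\nbody\n",
    "From: pills@example.net\nTo: pat@example.com\nSubject: The truth about male power\n\nbody\n",
    "From: pills@example.net\nTo: lee@example.com\nSubject: Achieve pure fun\n\nbody\n",
    "From: info@example.net\nTo: kai@example.de\nSubject: Postbank AG\n\nbody\n",
    "From: lyudmila@example.net\nTo: gio@example.it\nSubject: Ciao, come stai?\n\nbody\n",
]


def parse_message(raw: str) -> tuple[str, str]:
    """Return (recipient TLD, subject) for one raw message.

    policy.default parses the To: header into Address objects, so we can
    take the domain of the first recipient without regex tricks.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    to_header = msg["To"]
    addresses = list(to_header.addresses) if to_header is not None else []
    if not addresses:
        return "", subject
    domain = addresses[0].domain.lower()
    # Last DNS label is the TLD (co.uk -> uk, example.de -> de).
    tld = domain.rsplit(".", 1)[-1]
    return tld, subject


def recipient_tld(raw: str) -> str:
    """Convenience wrapper: just the recipient TLD, like an imf-based column."""
    return parse_message(raw)[0]


def subjects_by_tld(raw_messages) -> dict[str, list[str]]:
    """Group distinct subject lines by recipient TLD."""
    groups = defaultdict(set)
    for raw in raw_messages:
        tld, subject = parse_message(raw)
        groups[tld].add(subject)
    return {tld: sorted(subjects) for tld, subjects in groups.items()}


def subjects_only_for(groups: dict[str, list[str]], tld: str) -> list[str]:
    """Subjects seen for `tld` and for no other TLD: the geo-targeted lures.

    Subjects shared across TLDs (the pill spam) drop out automatically.
    """
    seen_elsewhere = set()
    for other, subjects in groups.items():
        if other != tld:
            seen_elsewhere.update(subjects)
    return sorted(set(groups.get(tld, [])) - seen_elsewhere)


def geo_targeted_tlds(groups: dict[str, list[str]]) -> dict[str, list[str]]:
    """Every TLD that received at least one subject no other TLD received."""
    result = {}
    for tld in groups:
        exclusive = subjects_only_for(groups, tld)
        if exclusive:
            result[tld] = exclusive
    return result


if __name__ == "__main__":
    grouped = subjects_by_tld(SAMPLE_MESSAGES)
    for tld, lures in sorted(geo_targeted_tlds(grouped).items()):
        print(f".{tld}: {lures}")
```

Run on a real spam feed, the `.uk` bucket comes back with the bank lures and the `.com`/`.net` buckets with only the pharmacy subjects, which is exactly the pattern the post describes; the shared subjects are filtered out by `subjects_only_for`, so a TLD that gets nothing but the generic campaign does not show up as geo-targeted.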

Here's an example of the Barclays spam:

And an example of the HSBC spam:

The .de people also got a special German invitation to be infected:

Subject: Bitte beachten Sie in ihre Postbank konto (Please note in your Postbank account)
Subject: Geehrter Kunde (Dear Customer)
Subject: Info von ihre Bank (Info from your bank)
Subject: Inkasso von Anton Weber (Debt collection from Anton Weber)
Subject: Mahnung abhleichen (Reconcile reminder)
Subject: Postbank AG
Subject: Postbank info abteilung (Postbank info department)
Subject: Rechnung bei Postbank AG (Invoice at Postbank AG)
Subject: Rechtsanwalt T. Hoffman (Attorney T. Hoffman)
Subject: Von Ihre Bank (From your bank)
Subject: Von Postbank (From Postbank)
Subject: Weitere Mahnung erfolgt in Ihre bank (Further reminder follows at your bank)
Subject: Wir erwarten die Zahlung (We expect the payment)

(And they also had a few pill-spam subjects, "Win your female partner's addiction", etc.)

Here's one of the PostBank samples:

The malicious URL in each of these emails pointed to the document, which was hosted on several sites, including:

 www dot 1800cloud dot com / infos / report dot doc / bank / report dot doc

VirusTotal hint leads to . . . ZEUS!

A very curious thing we noticed when looking at the file on VirusTotal is that there is an "EXIF comments" section containing a goodly blob of characters that looked to me like ASCII-range values ... so ...

when decoded by an awesome tool that former UAB MS/CFSM student Vicki Carleton built for me 8-) ...

becomes a URL!

and THAT ... is Zeus! (with an 8 of 55 detection rate at VirusTotal as of this writing...)
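The post does not say which encoding Vicki's tool undid, only that the EXIF comment was a blob of ASCII-range characters that decoded to a URL. The script below is an added example, not the UAB tool and not code from the post: it assumes the blob is one of three common ways of hiding ASCII text (space-separated decimal character codes, hex, or base64), tries each decoder, and reports any decoding that yields a printable string containing a URL. `SAMPLE_URL`, `SAMPLE_DECIMAL_BLOB` and `SAMPLE_B64_BLOB` are constructed placeholders, not the real URL from the document.

```python
import base64
import binascii
import re
import string

# Constructed placeholder, not the URL recovered from the real document.
SAMPLE_URL = "http://malware.example/drop.exe"
# Constructed blobs: the same URL as decimal character codes and as base64.
SAMPLE_DECIMAL_BLOB = " ".join(str(ord(ch)) for ch in SAMPLE_URL)
SAMPLE_B64_BLOB = base64.b64encode(SAMPLE_URL.encode("ascii")).decode("ascii")

URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w.\-/%]*)?", re.IGNORECASE)
PRINTABLE = set(string.printable)


def decode_decimal_codes(blob: str):
    """'104 116 116 112' -> 'http': whitespace/comma separated decimal codes."""
    parts = [p for p in re.split(r"[\s,;]+", blob.strip()) if p]
    try:
        codes = [int(p) for p in parts]
    except ValueError:
        return None
    if not codes or any(not 0 <= c < 128 for c in codes):
        return None
    return "".join(chr(c) for c in codes)


def decode_hex(blob: str):
    """'68747470' (optionally with spaces, colons or 0x prefixes) -> 'http'."""
    cleaned = re.sub(r"\s+|:|0x", "", blob, flags=re.IGNORECASE)
    try:
        return binascii.unhexlify(cleaned).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def decode_base64(blob: str):
    """Standard base64 with strict validation, so random text is rejected."""
    cleaned = re.sub(r"\s+", "", blob)
    try:
        return base64.b64decode(cleaned, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


DECODERS = [
    ("decimal-codes", decode_decimal_codes),
    ("hex", decode_hex),
    ("base64", decode_base64),
]


def find_urls(blob: str):
    """Try every decoder; return (name, decoded_text, urls) for each one
    whose output is fully printable and contains at least one URL.

    The printable check discards decodings that happen to succeed on the
    wrong alphabet (e.g. unhexlify of a digit-only decimal blob).
    """
    hits = []
    for name, decoder in DECODERS:
        text = decoder(blob)
        if not text or not all(ch in PRINTABLE for ch in text):
            continue
        urls = URL_RE.findall(text)
        if urls:
            hits.append((name, text, urls))
    return hits


if __name__ == "__main__":
    for blob in (SAMPLE_DECIMAL_BLOB, SAMPLE_B64_BLOB, "not an encoded blob at all"):
        print(repr(blob[:40]), "->", [(n, u) for n, _, u in find_urls(blob)])
```

In practice you would feed `find_urls` the raw value of the EXIF/metadata comment field (exiftool or a Python EXIF reader can pull it out of the document) and treat any hit as an indicator to block or hunt for, rather than something to visit.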

The Zeus file, when executed, creates a .bat file, which deletes itself after running . . . and then stops me because it is 5:00 PM and I'm hungry . . .

The rest, as we say in Academia, is left as an exercise for the reader . . .

We'll let others dig into the actual Zeus malware that is dropped next, but for now, we have it on good authority that this is the "Panda Zeus" malware, discovered by Fox-IT back in April and blogged about more recently by Arbor Networks and IBM Security Intelligence.

The other Kelihos spam?

100% of the ".com", ".net", and ".pl" addresses were pill spam
Subject: Achieve pure fun
Subject: Ancient secret of immeasurable nights of happiness
Subject: Are you ready to amaze your woman this night?
Subject: Big dignity will please your lady
(ok, i'll stop ...)

The only other geo-targeted spam was in Italian and targeted only at ".it" email addresses. It seemed to be a romance scam invitation. ( wants me, and a few million other people, to "scrivere" (write to) her "su un personal mail" (at a personal email). :)

Lyudmilafedoji had her own set of subject lines:
Al di mare grande, si sei ora? (At the big sea, are you there now?)
Avete tuo piani per stasera? (Do you have plans for tonight?)
Buon Pomeriggio, come stai? (Good afternoon, how are you?)
Buona sera, siamo a conoscenza. (Good evening, we are acquainted.)
Ciao, come ti nome? (Hi, what's your name?)
Ciao, scrivimi me. (Hi, write me.)
Ciaooo, io ti conosco! (Hiii, I know you!)
Forse tu sei tu persona che sara felice (Maybe you are the person who will be happy)
Hi, come stai? (Hi, how are you?)
Io voglio il vero amore! (I want true love!)
Io voglio incontrarmi con tuo. (I want to meet with you.)
and many more . . .
(So for my Italian readers, beware!  She's interested in EVERYONE!)
