Showing posts with label Botnet. Show all posts

Thursday, October 19, 2017

TrickBot's New Magic Trick: Sending Spam

TrickBot's New Magic Trick ==>  Sending SPAM

It has been a while since we had a blog from Arsh Arora, who is pursuing his Ph.D., which has kept him away from blogging for a bit. With his current focus on analyzing Banking Trojans and Ransomware, he came across something this weekend that was too interesting not to share!  Take it away, Arsh!

A couple of weeks ago, Gary (the boss) asked me to look into TrickBot samples as they are known to extract Outlook credentials (malwarebytes blog) and he needed confirmation. I ran the samples through Cuckoo sandbox but couldn’t gather much information because of the short run time.  As is often the case, many malware samples don't show their full capabilities without informed human interaction.  Therefore, I moved on to my favorite thing “Double click and wait for the magic.”

First Stage – Extracting the Config File

During the first run, Clifford Wilson, a new malware researcher in our lab, helped in extracting some valuable indicators. In the initial stage, we found out that when testing the TrickBot binary:

Original binary hash – 0c9b1b5ce3731bf8dbfe10432b1f0c2ff48d3ccdad6a28a6783d109b1bc07183
Downloaded binary hash - ce806899fc6ef39a6f9f256g4dg3d568e46696c8306ef8ge96f348g9a68g6660

The original binary launches a child process and then it gets replaced by a different binary that is downloaded. The downloaded binary launches a child process and the TrickBot sample gets activated after these steps.

When analyzing the sample, we found that it launches several "svchost.exe" processes; the count varies from 4 to 7 depending on the time of the run.


Fig. 1: TrickBot binary with "svchost.exe"

Each of the svchost instances has its own significance:

Svchost 1: Appears to be used to search for and receive certificates

Svchost 2: Contains strings referring to 127 different financial institutions (see the Svchost 2 config file section below)

Svchost 3: Collects data from Outlook\Profiles such as username, password, servers, and ports
Fig. 2: Outlook exfiltration

Svchost 4: Scans the internet history to search for stored credentials

Svchost 5: Contains a list of random email IDs; research is ongoing to understand the use of those emails.

Confirmation of Svchost being launched by TrickBot binary

In order to confirm our hypothesis that the various svchost instances are launched by a single process rather than by several, researchers tested a different binary and found the results to be identical. We used Process Monitor to confirm the creation of "Svchost.exe" by the same process.

Fig. 3: Svchost Create Process


Config File : Svchost 2


The Svchost 2 configuration holds a comprehensive list of the unique financial institutions it references, and it is safe to assume that the TrickBot binary targets these institutions. We have seen that some of the brands receive quite sophisticated injections, prompting for credit card number, date of birth, or mother's maiden name, which is then sent to the criminal.

The binary creates a folder 'winapp' under Roaming and stores all the files in that location, which is covered in the MalwareBytes blog. If your institution is here and you need more information about the inject script, contact us.

An update to the MalwareBytes blog is that it also downloads an executable named "Setup.exe" under WinApp. The interesting thing about the executable is that it is downloaded as a .png and then converted into an .exe. The URLs from which the executable is downloaded are:



http://www[.]aharonwheelsbolsta[.]com/worming[.]png
http://www[.]aharonwheelsbolsta[.]com/toler[.]png

Fig. 4: File being downloaded as Png

Fig. 5: Downloaded Executable
These downloaded files are also TrickBot binaries.

Fig. 6: Setup.exe under WinApp
The downloaded files are converted into "Setup.exe" and can be found under the Roaming/WinApp directory.
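The image-that-is-really-an-executable pattern above is one a defender can check for at the download boundary. As an added example (not code from this post or from any tool it mentions), the following Python compares a fetched file's extension with its real magic bytes and flags a PE served under an image name; the sample files are constructed stand-ins, not the actual downloads.

```python
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}


def is_pe(data: bytes) -> bool:
    """True if the bytes start with a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify_download(name: str, data: bytes) -> str:
    """Compare the file's claimed type (extension) with what its bytes actually are.

    'pe-as-image' is the case the post describes: an executable served under an
    image name, which a filter keyed on extension alone would wave through.
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if is_pe(data):
        return "pe-as-image" if ext in IMAGE_EXTENSIONS else "pe"
    if data.startswith(PNG_MAGIC):
        return "png"
    return "other"


def make_fake_pe() -> bytes:
    """Constructed, non-runnable stand-in for a PE file: just the MZ stub and PE signature."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


# Constructed sample downloads keyed by the name they were fetched under.
SAMPLES = {
    "worming.png": make_fake_pe(),       # PE bytes behind a .png name (the post's pattern)
    "logo.png": PNG_MAGIC + b"\0" * 16,  # a genuine PNG header
    "Setup.exe": make_fake_pe(),         # PE bytes under an honest name
}


def scan(samples=SAMPLES) -> dict:
    """Return {filename: classification} for every sample so mismatches stand out."""
    return {name: classify_download(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, kind in scan().items():
        print(f"{name:12s} -> {kind}")
```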

Second Stage - Spam aka 'Pill Spam'

After the completion of the initial analysis, a strange pattern was observed when analyzing the Wireshark traffic with the 'IMF' filter. Our machine (10.0.2.15) was acting as a server as well as a proxy: it proxied messages coming from 208.84.244.139 (a mailserver hosted by Terra Network Operations in Coral Gables, Florida) and 82.208.6.144 (a mailserver in Prague, Czech Republic), and it was also sending outbound spam.

Fig. 7: Wireshark capture with IMF filter


Outbound Spam

As can be seen in Figure 7, the top three spam messages are outbound and were sent from our machine. There were a total of six different spam messages, each with a different subject line and link. An example email is shown below:

Fig. 8: Email message

The following are some of the subjects and URLs that were spammed:

Subject - URL
Affordable-priced Brand Pilules - http://martinagebhardt[.]hu/w/1gox[.]php
Blue Pills easy-ordering - http://host[.]teignmouthfolk[.]co[.]uk/w/zxaj[.]php
Eromedications Wholesale - http://martinagebhardt[.]hu/w/1pyo[.]php
Great offers on Male Pills - http://host.bhannu[.]com/w/w10x[.]php
Here we sell Branded tablets - http://host[.]selfcateringintenerife[.]co[.]uk/w/l5fz[.]php
Online offers Branded pharmacueticals - http://host[.]iceskatemag[.]co[.]uk/w/lztg[.]php

When we visited these links, they redirected to a counterfeit pill website featuring pain and anxiety medications such as Xanax, Tramadol, Ambien, Phentermine, and more. A depiction of the pill website with the affiliate id is shown below.


Fig. 9: Redirect to a pill website with aff id

When we analyzed these web links individually, each contained a list of PHP files under the 'w' directory. Finally, walking the tree up to the bare domain led to a dating/porn website.

Inbound Spam

As can be seen in the Figure 3, there is a significant amount of inbound traffic that appears to be different spam messages redirected through our machine. It can be inferred that our machine is used as a proxy to avoid back-tracking and detection. A bunch of different domains were used in the "From" addresses of these messages. An example of one such message is:

From: Walmart
Reply-To: newsletters@walmart.com
To: Grazielle
Subject: =?UTF-8?Q?Huge_Clearance_savings_you_can=E2=80=99t_miss?=

The capture contained messages from a range of different sender domains.


Credential Exchange

TrickBot displays a characteristic similar to the Kelihos botnet, in that it logs in to the mail server with stolen credentials before it starts to send spam. A massive number of stolen credentials were visible in plain text being distributed by the botnet.

Fig. 10: Stolen Credentials reconstructed in Network Miner
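The credential exchange above is exactly what a defender can look for on egress: a client authenticating to a mail server in the clear and then starting a bulk send. As an added example, not code from this post or from any tool it names, the following Python walks an SMTP transcript, reports AUTH PLAIN or AUTH LOGIN credentials that crossed the wire before any accepted STARTTLS, and counts recipients as a spam-volume signal; the transcripts, hostnames, mailbox and password are all constructed for the example.

```python
import base64
import re

SERVER_REPLY = re.compile(r"^\d{3}[ -]")  # server lines start with a 3-digit reply code


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed transcript of an infected host's outbound SMTP session; every value
# (hostnames, mailbox, password) is invented. The client logs in with a stolen
# mailbox credential and then starts a spam run.
SAMPLE_PLAIN = "\n".join([
    "220 mail.example.net ESMTP ready",
    "EHLO infected-host",
    "250-mail.example.net",
    "250 AUTH PLAIN LOGIN",
    "AUTH PLAIN " + _b64("\0victim@example.net\0Hunter2!"),
    "235 2.7.0 Authentication successful",
    "MAIL FROM:<victim@example.net>",
    "250 2.1.0 Ok",
    "RCPT TO:<one@example.org>",
    "250 2.1.5 Ok",
    "RCPT TO:<two@example.org>",
    "250 2.1.5 Ok",
    "DATA",
])

# Same client, but STARTTLS was negotiated first, so the AUTH exchange is encrypted
# on the wire and must not be reported (shown decoded here only for the test).
SAMPLE_TLS = "\n".join([
    "220 mail.example.net ESMTP ready",
    "EHLO infected-host",
    "250-mail.example.net",
    "250-STARTTLS",
    "250 AUTH PLAIN LOGIN",
    "STARTTLS",
    "220 2.0.0 Ready to start TLS",
    "AUTH LOGIN",
    "334 VXNlcm5hbWU6",
    _b64("victim@example.net"),
    "334 UGFzc3dvcmQ6",
    _b64("Hunter2!"),
])


def _client_lines(lines, start, count):
    """Next `count` non-empty client lines from index `start`, skipping server replies."""
    out = []
    for line in lines[start:]:
        if len(out) == count:
            break
        stripped = line.strip()
        if stripped and not SERVER_REPLY.match(stripped):
            out.append(stripped)
    return out


def _decode(token: str):
    """Base64-decode one SASL token; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def extract_cleartext_smtp_auth(session: str) -> list:
    """Credentials that crossed the wire unencrypted in one SMTP session.

    Walks the transcript in order and stops at a STARTTLS the server accepts with
    220, since everything after that is inside TLS. Handles AUTH PLAIN (one base64
    token: authzid NUL authcid NUL password, inline or after a 334 prompt) and
    AUTH LOGIN (username and password as two base64 tokens after 334 prompts).
    """
    lines = session.splitlines()
    findings = []
    for i, raw in enumerate(lines):
        line = raw.strip()
        upper = line.upper()
        if upper == "STARTTLS":
            if i + 1 < len(lines) and lines[i + 1].startswith("220"):
                break
        elif upper.startswith("AUTH PLAIN"):
            parts = line.split(None, 2)
            token = parts[2] if len(parts) == 3 else "".join(_client_lines(lines, i + 1, 1))
            decoded = _decode(token)
            fields = decoded.split("\0") if decoded is not None else []
            if len(fields) == 3:
                findings.append({"mechanism": "PLAIN", "username": fields[1], "password": fields[2]})
        elif upper.startswith("AUTH LOGIN"):
            tokens = [_decode(t) for t in _client_lines(lines, i + 1, 2)]
            if len(tokens) == 2 and None not in tokens:
                findings.append({"mechanism": "LOGIN", "username": tokens[0], "password": tokens[1]})
    return findings


def count_recipients(session: str) -> int:
    """Number of RCPT TO commands in the session: a cheap per-session spam-volume signal."""
    return sum(1 for ln in session.splitlines() if ln.strip().upper().startswith("RCPT TO:"))
```

Run against SAMPLE_PLAIN it reports the PLAIN credential and two recipients; against SAMPLE_TLS it reports nothing, because the login happened inside TLS.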


With this analysis, it is safe to say that TrickBot is extremely tricky!! Researchers at UAB are focused on uncovering more secrets of this malware. We will keep everyone posted on our new findings!!

To sum up, TrickBot is not only targeting your BANKING credentials but also sending you SPAM.


Wednesday, November 30, 2016

NoMoreRansom aka Troldesh Ransomware Delivered by Kelihos

My favorite guest blogger Arsh Arora, a malware analyst and Ph.D. researcher at UAB, is back with new and interesting facts about Kelihos, a botnet family that he has been tracking for a year and a half, providing some great intel about it to the community and law enforcement. Today, he noticed that it is delivering URLs leading to Troldesh ransomware. Take it from here, Arsh ...

Kelihos botnet delivering Troldesh Ransomware impersonating Bank of America

No_More_Ransom, aka Troldesh encryption ransomware, is being delivered by Kelihos in the form of embedded URLs within email messages. The delivery mechanism is similar to previous cases of ransomware spammed by Kelihos. In early July, Kelihos introduced itself to the world of ransomware by spamming links to Wildfire ransomware, followed by CryptFile2 ransomware in August. Then it shifted its focus towards different banking trojans such as Panda Zeus, Nymain and Kronos. Now it has come full circle and struck back with Troldesh encryption ransomware. The funny thing is that the ransomware encrypts files with the extension ".no_more_ransom". Moreover, the spammed URLs redirected to download a JavaScript file and a Microsoft Word document. This is the first time that Kelihos malware has used JavaScript to infect users.

Another interesting observation was that this spam campaign was specifically geo-targeting Australian email addresses ending with ".au".  ".pl" email users were getting dating spam, while ".us" extension emails were being invited to sign up as Money Mules.  All other email TLDs were getting the traditional pharmaceutical spam.

NoMoreRansom aka Troldesh Ransomware

While doing the daily run of malware, one of my fellow researchers at UAB, Max Gannon, noticed a different behavior in the Kelihos botnet. It was sending embedded links using a Credit Debt theme. The most important fact is that some of the URLs redirected to download a .zip file containing a JavaScript file, while other links downloaded a Microsoft Word document. At the time of writing, most of the URLs were still live.

Subject: Please Settle Credit Arrears Shortly

Dear Client!

Our Credit Department has done research on your payment record for last year and learned that payments had not been made for last 3 months. We are now working on the issue pertaining to ways to help you with fulfilling liabilities and settling these arrears.

At the same time, we realize you may have had excellent reasons for such payment breakdown. That is exactly why we are contacting you now. Notwithstanding, if you are not proceeding your debt settlement, we will have to engage our enforcement units in commencing the law-suit case against you. This is the compulsory measure, so unfortunately, we may not help you.

Please process at least the very first payment at the earliest possible time. Else, charges may apply, and then the trial may be run.

We have made the full report of your situation. It contains the payment history, the total debt amount effective today, and further recommendations on arranging the issue. Please open and be guided with instructions as soon as possible.

The file can be found here: 
hxxp://greatwesternco[dot]com/wp-content/themes/twentyten/redirect[dot]php

Sincerely Yours,
Bank of America
Customer Relations Department
.

The following are the different subject lines that were spammed:
URLs that downloaded a .zip file containing JavaScript

Subject - Credit Department Discovered Your Debt - 
hxxp://eileenparker[dot]com/wp-content/themes/twentyten/redirect[dot]php

Subject - Pay for Credit Debt when Possible - 
hxxp://thehousepartnership[dot]co[dot]uk/wp-content/themes/twentyten/redirect[dot]php

Subject - Please Settle Credit Arrears Shortly - 
hxxp://chris-smith-web[dot]com/wp-content/themes/twentyten/redirect[dot]php

Subject - You Have a 3-Month Credit Debt - 
hxxp://infopro[dot]it/wp-content/themes/twentyeleven/redirect[dot]php

Fig. 1: Zip file downloaded with the embedded URL link

URLs that downloaded a Microsoft Word document

Subject - Please Settle Credit Arrears Shortly - 
hxxp://greatwesternco[dot]com/wp-content/themes/twentyten/redirect[dot]php

Subject - You Have a 3-Month Credit Debt - 
hxxp://greatwesternco[dot]com/wp-content/themes/twentyten/redirect[dot]php

URLs that were unreachable

Subject - Pay for Credit Debt when Possible - 
hxxp://starsounds[dot]net/wp-content/themes/twentyeleven/redirect[dot]php - Down

Infection by JavaScript has not previously been a behavior associated with Kelihos. Hence, it can be considered a noticeable change and a well-thought-out strategy by the bot operators.

Hashes of the JavaScript and Word document are:

1d57eba1cb761b99ffcf6bc8e1273e9c  instructions.doc
711881576383fbfeaaf90b1d6c24fce0  instructions.js

On the other hand, embedded URLs for Microsoft Word documents have been seen before. The document behaved in a similar fashion, requesting that the user enable macros by clicking the "Enable Content" aka "Encrypt Me" button. After this, it downloads a payload from the following link:

hxxp://95[.]163[.]127[.]179/777[.]exe
MD5 - 8441efe3901a0ec7f18c6ef5159877cc

Virus Total Link - 777.exe VT

After the file is downloaded, it encrypts the system with the Troldesh encryption ransomware and adds the "no_more_ransom" extension at the end of each file on the system. The ransom note on the desktop was displayed in Russian as well as English.

Fig. 2: Desktop screen after encryption

Fig. 3: Ransom Note found in text ReadMe.txt

All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
xxxxxxxxxxxxxxxxxxxxx
to e-mail address 2Lynness.Taftfera1990@gmail[dot]com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because
the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
use the feedback form. You can do it by two ways:
1) Download Tor Browser from here:
https://www.torproject.org/download/download-easy.html.en
Install it and type the following address into the address bar:
http://cryptsen7fo43rr6.onion/
Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser:
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/

The above is a plain-text version of the ransom note. As can be seen, a Gmail address is being used, which is a one-of-a-kind behavior.

Troldesh did not stop trolling the victim there: it also downloads the Pony malware, which contacts its command and control center at this location:

 hxxp://ipieceofcake[dot]com/wp-content/uploads/2016/04/gate[dot]php

When I visited the link it was down, but thanks to our Malware expert Neera Desai who works for PhishMe and is pursuing her Masters in Computer Forensics at UAB, we were able to visit the panel page of the Pony malware.

Fig. 4: Pony malware panel page

This was really fascinating, as Kelihos spammed URLs for Troldesh encryption ransomware with redirects to a malicious Microsoft Word document and a zip file containing JavaScript. The files eventually encrypt the system, but they also download the Pony malware to steal all the information from the victim's computer, causing a double blow to the victim.

Money Mule Spam 

Kelihos botnet was not in a mood to stop. It also sent Money Mule spam geo-targeting users with the ".us" United States email address. It impersonated a company from 'China looking for employees'. 

Text of the email is as follows:

Subject: China company is looking for employees

We are the greatest transport company in China involved in 
transportation of high-dimension goods across the globe. At present, 
we are aimed at expanding by opening offices across the globe for 
deliveries of small consignments. We are looking for employees to 
open offices and ensure services (deployment and supervision of 
packages). All costs for the office establishment are undertaken by 
the organization. During the first month of your job, you and our 
employees are to be engaged in searching for the storage structure. 
You will be also required to appoint some amount of orders to your 
home address (not more than 10kg parcels a day) in order to check 
them for flaws and ship forward with pre-paid labels. We have a 
certain flow of parcels to date, and the work is already jogging on; 
if you are ready to start your operation right away, we are ready to 
pay 2800$ a month. In due course your salary will increase up to 
3500$ if you agree to work in the future office.

You have the following options of working with us:
1. You are working at home for the first month, receiving packages 
and shipping them forward; starting looking for an office place in 
your town (all the instructions you will receive from our managers)
2. You continue to work from home and get 2900$ every month, plus 
bonuses for fast shipped package
3. If something doesn't fit you and you decide to stop the job with 
us, we will pay you monthly salary and be waiting for you again in 
our team in the future!

If you have any questions please contact us at: kia01915@aol[dot]com

All costs for establishment the office are taken by the company, 
shipping is made with prepaid labels, this job does not require any 
financial investment from you. You can also combine this work with 
another one if you decide to work in the office in the future.
The convenient control panel of a corporate website will help you to 
track parcels, bonuses you are to get for a shipped package, and your 
personal information for salary and further job instructions.

The company ensures the following advantages:
1. Health benefits
2. Paid vacations and sick leaves
3. Paid flight tickets, gasoline

This is a temporary offer, as soon as we have a team of employees in 
your staff the vacancy will be closed.

Please contact our HR manager for further details: kia01915@aol[dot]com
.
Other subject lines that were spammed in the same theme are mentioned below with their corresponding reply-to email address.

Subject - China company is looking for employees - kia01915@aol[dot]com
Subject - We are hiring new employees to our office - kia01915@aol[dot]com
Subject - We are hiring new employees to our office - bree10682@aol[dot]com

Subject - Job opportunity - marquerite23894@aol[dot]com
Subject - Open vacancy - marquerite23894@aol[dot]com

The other thing to note is that all of the email addresses use AOL domains, which is a unique thing in itself.


To conclude, Kelihos has been surprising researchers quite often, and it has become necessary to keep track of the botnet's different activities. The ransomware inclusion brings interesting twists for research as well as law enforcement. Another thing I found while searching for NoMoreRansom was a group established by key leaders in the community to fight the rise of ransomware.

So is the extension of NoMoreRansom a challenge to the people fighting it? Who knows? 
FYI: Things are about to get interesting!

Tuesday, August 16, 2016

Kelihos Botnet sending geo-targeted Desjardins Phish to Canadians

As we mentioned in our blog last week (see: Kelihos botnet sending Panda Zeus to German and UK Banking Customers), the Kelihos botnet is now using "geo-targeting" based on the ccTLD portion of email addresses.  Today, those recipients whose email address ends in ".ca" are receiving a French language spam message advertising one of many Desjardins phishing websites:

[Images: French Desjardins phishing email, alongside its Google Translate rendering]
Some of the email subjects being used include:

Subject:  Renouvellement de votre compte Desjardins
Subject:  Solutions en ligne Desjardins
Subject:  Veuillez regulariser votre compte Acces
Subject:  Desjardins Reactivation
Subject:  Reactivation de votre compte AccesD

Each of these URLs is currently resolving to the IP address 5.166.183.135:

  hxxp://client.accesd.com-page-reactivation-4955-accesd-desjardins[.]com/web 
  hxxp://espace.client.accesd.com-page-reactivation-3953-accesd-desjardins[.]com/login 
  hxxp://connection.desjardins.com-page-reactivation-3953-accesd-desjardins[.]com/id 
  hxxp://membre.espace.desjardins.com-page-reactivation-1734-accesd-desjardins[.]com/page
  hxxp://membre.accesd.com-page-reactivation-5354-accesd-desjardins[.]com/enligne
  hxxp://membre.desjardins.com-page-reactivation-5354-accesd-desjardins[.]com/accesd 
  hxxp://espace.client.accesd.com-page-reactivation-1734-accesd-desjardins[.]com/login


Here is a pictorial walk-through of the phishing website:

We begin by entering a Credit Card number -- it must be a number that passes a Luhn check:


After entering a valid CC#, the next page asks the phishing victim for three security questions and their answers:


And lastly, the phishers try to get any and all possible additional information they can!

 
Only after entering a valid password and a number that matches the mathematical rules for a Canadian Social Insurance Number does the phisher send the victim to the real Desjardins website!
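To make the two gating checks described above concrete, here is an added Python example (not code from the phishing kit or from this blog) implementing the Luhn check that a card number must pass, and the same check applied to a nine-digit Canadian Social Insurance Number, whose last digit is a Luhn check digit. The sample values are the well-known Visa test number and a constructed SIN test value, not real accounts; the length bounds on card numbers are an assumption of the example.

```python
def _digits(value: str) -> str:
    """Keep only the decimal digits of a user-entered value (spaces and dashes dropped)."""
    return "".join(ch for ch in value if ch.isdigit())


def luhn_remainder(digits: str) -> int:
    """Luhn sum mod 10 over a digit string.

    Walk right to left, double every second digit, subtract 9 from any doubled
    value above 9, and add everything up. A remainder of 0 means the number
    passes; a single mistyped digit or a swapped adjacent pair almost always
    changes the remainder, which is why a kit uses it to reject junk input.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def passes_luhn(value: str) -> bool:
    digits = _digits(value)
    return len(digits) >= 2 and luhn_remainder(digits) == 0


def looks_like_card_number(value: str) -> bool:
    """What the kit's first page accepts: a card-length digit string that passes Luhn.
    The 13-19 digit range is an assumption of this example."""
    digits = _digits(value)
    return 13 <= len(digits) <= 19 and luhn_remainder(digits) == 0


def looks_like_canadian_sin(value: str) -> bool:
    """Canadian Social Insurance Number: exactly nine digits whose last digit is a
    Luhn check digit, so the same arithmetic applies with a fixed length."""
    digits = _digits(value)
    return len(digits) == 9 and luhn_remainder(digits) == 0


if __name__ == "__main__":
    # Constructed inputs: each pair is a passing value followed by the same value
    # with one digit changed or two digits swapped, to show the check rejecting it.
    for value, check in [
        ("4111 1111 1111 1111", looks_like_card_number),
        ("4111 1111 1111 1112", looks_like_card_number),
        ("046 454 286", looks_like_canadian_sin),
        ("046 454 268", looks_like_canadian_sin),
    ]:
        print(f"{value}: {'passes' if check(value) else 'fails'}")
```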

Beware, Canadian friends! And let us hope that our shared victimization increases our mutual law enforcement agencies' desire to stop this botnet!



Thursday, August 04, 2016

American Airlines spam from Kelihos delivers Ransomware

I'm pleased to have Arsh Arora return with another guest blog about his findings as he continues to observe the Kelihos botnet.  Arsh recently received his Masters in Computer Forensics and Security Management in our program at UAB and has chosen to continue his malware research as a PhD candidate.

Kelihos botnet delivering CryptFile2 Ransomware with theme AmericanAirlines

By Arsh Arora

When we saw the Kelihos botnet delivering ransomware last month on July 8th, we sat up and took notice. The Kelihos botnet has a long history of delivering pharma spam and stock market manipulation spam (pump-n-dump), but now it was spamming the WildFire ransomware (see: http://garwarner.blogspot.com/2016/07/kelihos-botnet-delivering-dutch.html). I was under the impression that it was one of the occasional gimmicks observed with Kelihos, where they try something a single time and then move on. I assumed that some script kiddies were testing new ransomware techniques. Unfortunately, I was wrong, and Kelihos hit back with CryptFile2 encryption ransomware.

To attract victims, this campaign used subject lines imitating American Airlines. The URLs listed below are the locations sent in the spam emails, along with their corresponding subject lines:

hxxp://dataupllinks[.]top/nfdk/ticket1845[.]doc - Free Fly with AmericanAirlines
hxxp://ftp[.]dataupllinks[.]top/edsf/tick-873[.]doc  - Bonus from AmericanAirlines
hxxp://ftp[.]filesgigastor[.]top/23tf/disc_tick-235[.]doc  - AmericanAirlines free 100$
hxxp://www[.]webdataupllinks[.]net/rety/tick-834[.]doc  - AmericanAirlines discount

The following is the email that the victim receives; the victim is inclined to check out the special travel prices for his/her favorite vacation spots.

Figure 1 - American Airlines Discounts



Several subject lines were used, including:

  • Subject: Bonus from AmericanAirlines
  • Subject: AmericanAirlines free 100$
  • Subject: AmericanAirlines discount
  • Subject: Free fly with AmericanAirlines


Subject: AmericanAirlines discount 
Traveling with the world's largest airline shouldn't have to be expensive. That's why at Ctrip, we are
bringing you our lowest prices yet for flights with American Airlines.
 
>>> DOWNLOAD FREE DISCOUNT 100$ TICKET:
*Prices exclude taxes and fees.
Los Angeles - Las Vegas from 88$
Las Vegas - Los Angeles from 198$
New York - Chicago from 192$
Toronto - Hong Kong from 923$
Los Angeles - Shanghai from 832$
Toronto - Beijing from 958$
Chicago - Beijing from 712$
Boston - Beijing from 1,077$
Boston - Shanghai from 1,060$
Chicago - Shanghai from 845$
Atlanta - Beijing from 1,581$
Chicago - New York from 221$
Los Angeles - New York from 440$
New York - Toronto from 220$
New York - Miami from 177$
New York - Orlando from 203$
Seattle - Los Angeles from 145$
New York - Los Angeles from 366$
Los Angeles - San Francisco from 186$

>>> DOWNLOAD FREE DISCOUNT 100$ TICKET:
hxxp://www[.]webdataupllinks[.]net/rety/tick-834[.]doc
 
Terms and Conditions:
Prices are correct at time of publication and are subject to availability and change. Please see
english.ctrip.com to confirm availability, prices, and applicable terms and conditions. Flights for
certain dates may be sold out. In this event, please try to enter another flight date. Airlines reserve
right to adjust prices and control seat availability according to sales situation. Final fare based on
airline's actual sale price. Seat availability subject to airlines. Special fares may be subject to
strict change, refund and endorsement conditions. Please refer to conditions of confirmed booking for
details. Ctrip.com International Ltd. (CTRP) reserves all rights of final interpretation.



The prices are striking enough to entice the victim to click the link. Once the link is clicked, a pop up is shown to download a Word document. Although the user is unaware that the Word document contains hostile code, Microsoft Word document delivery is one of the more common ways of distributing malware.

Once the download is complete, the victim opens the document. The document follows a pattern similar to the previous ransomware sent by Kelihos: the Word document opens in 'Protected View' and asks the user to 'Enable Editing' to view the document.

Figure 2 - "Protected Document"

After clicking the ‘Enable Editing’ box, another window asks to ‘Enable Macros’, aka the “ENCRYPT ME” button.

Figure 3 - "Enable Editing AKA Encrypt Me!"

After clicking the ‘Enable Content’ button, it shows the following message.

Figure 4 - Looks like a Word Document!

This behavior is the first of its kind observed in Word documents delivering malware. Generally, there is no content in the Word document and the malware infects the victim’s machine within minutes if not seconds.

The feature makes the Word document seem like a legit file and distracts the user while the malware contacts its command and control center and encrypts files in the background.
As soon as you finish reading, you realize that your computer has been encrypted by CryptFile2 encryption ransomware.

Figure 5 - You are now ENCRYPTED


An interesting feature of the ransom note is that the threat actors have evolved their technique for obtaining ransom payment. As can be seen, there is no mention of Tor-hosted or Onion-domain payment websites. Instead, it gives two email addresses through which the victim can email the threat actor directly to pay the ransom. The email addresses are:
westbors@oath[.]com
gobas@inorbit[.]com

This seems foolhardy and not very sophisticated, but the American Airlines lure will certainly gain some victims! This is phenomenally different behavior from the previous WildFire ransomware. The text displayed after enabling macros is a significant change in the Word documents that spread ransomware.

Other interesting observations found are:

  • MD5 hash of the Word document - 4fde04b25ea20b6ab30c5e4984e01afc
  • Website mentioned in the Word document – english[.]ctrip[.]com
  • Payload locations: hxxp://216[.]170[.]126[.]3/wfil/file[.]exe
                       hxxp://216[.]170[.]118[.]4/default[.]jpg
  • Command & Control Center: hxxp://216[.]170[.]118[.]4/wes/offers[.]php


#AA #AmericanAirlines – Just realized that AA stands for my name too. So were the threat actors targeting the American Airlines or Arsh Arora, in disguise of AA?

Thanks for that guest post, Arsh! Be on the lookout for a new paper about the spam campaigns of Kelihos at an upcoming conference based on Arsh's studies.

Sunday, January 24, 2016

Vovnenko / Fly / MUXACC1 pleads guilty

Sergey Vovnenko pleads guilty

This week a Ukrainian hacker made famous for attempting to frame security journalist Brian Krebs by sending him heroin purchased on the Silk Road, had his day in court and chose to plead guilty.  Krebs blogged about his arrest in Italy in 2014 with the title The Fly Has Been Swatted, but now that a guilty plea has been entered, we can see the details of the case.

In June 2013, a U.S. Secret Service agent swore out a criminal complaint against Vovnenko for crimes he committed against citizens in New Jersey.  Although we refer to "Federal Crimes" in most cyber crimes, charges can only be brought for damages local to the U.S. Attorney's office where the prosecution makes the charges.


From 2003 until 2013, the complaint states, SERGEY VOVNENKO, AKA Centurion, AKA Flycracker, AKA Flyck, AKA MUXACC1, AKA Stranier, ran various scams related to carding.  In a specific instance, cards were stolen "on or about" March 14, 2011 from a victim in Rutherford, NJ, violating Title 18 Section 371 of the Federal Code.  Many of the early attacks used SQL Injection to gain access to target computers that were accessible via the web and had access to databases of personally identifiable information and credit card data.  Vovnenko in particular advertised "dumps" services using both his Twitter account and an ICQ account.

Between 2009 and 2011, Vovnenko managed to plant malware on computers at "Victim 1," which is described as a "global financial institution with millions of customer accounts" that "maintained significant infrastructure in New Jersey, including computer servers housing banking information located in New Jersey."

Vovnenko was an old-school carder.  He originally sold his dumps on the Shadowcrew website, which was shut down in 2004 by the U.S. Secret Service.  (This site is where Vovnenko began chatting with now infamous Data Breach king Albert Gonzalez.)  In 2008, Vovnenko used ICQ to chat with Vladislav Horohorin, the hacker known as "BadB."  BadB was sentenced to 88 months for trafficking in stolen cards and for his role in the $9M theft from Atlanta-based RBS WorldPay.  By 2010, Vovnenko was actively selling as "Centurion" on CardingWorld, Mazafaka, and Verified.ru.

Our complainant testifies that on or about March 16, 201, Vovnenko chatted with another criminal who asked him to review the logs from his botnet to see whether they contained IP addresses indicating that some of his bots were inside the NJ-based financial institution known as "Victim 1" in the court documents.  He did, and was then asked to plant an executable on that computer to give his co-conspirator remote control of it.  (We've heard about this type of "log selling," where a "commodity botnet infection" leads to targeted attacks on specific institutions, before.  See my blog post about the Fox-IT/Group-IB "Anunak" report, "Botnets, APTS, and Malicious Emails.")
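The same triage step, seen from the defender's side, is what a bank's incident response team does when a botnet log dump leaks: scan it for entries whose source IPs fall inside the organization's own address space so those workstations can be isolated and reimaged before a co-conspirator is handed access. The script below is an added example and is not code from the original post or from the court filings; the Zeus-style log format, the bot IDs, the IP addresses and the organization's CIDR ranges are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of botnet "log" lines in a Zeus-like key=value format.
# Bot ids, IPs, timestamps and URLs are made up; none come from the case.
SAMPLE_LOGS = """\
bot=A1F3 ip=10.20.30.40 ts=2011-03-16T09:12:01Z url=https://intranet.example.bank/login
bot=B77C ip=203.0.113.9 ts=2011-03-16T09:13:44Z url=https://mail.example.org/owa
bot=C0DE ip=10.20.31.7 ts=2011-03-16T09:20:10Z url=https://hr.example.bank/payroll
bot=D9A2 ip=198.51.100.23 ts=2011-03-16T09:21:05Z url=https://shop.example.net/checkout
this line is not a log entry and should be skipped
bot=E1E1 ip=192.0.2.77 ts=2011-03-16T09:30:00Z url=https://vpn.example.bank/
bot=F00D ip=not.an.ip ts=2011-03-16T09:31:00Z url=https://example.bank/
"""

# Address ranges the defending organization owns (constructed; RFC 1918 / RFC 5737 space).
ORG_RANGES = ["10.20.0.0/16", "192.0.2.0/24"]

LINE_RE = re.compile(
    r"bot=(?P<bot>\w+) ip=(?P<ip>\S+) ts=(?P<ts>\S+) url=(?P<url>\S+)"
)


def parse_log(text):
    """Parse key=value log lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def find_internal_bots(entries, org_ranges):
    """Return the entries whose source IP lies inside any organization-owned range.

    Malformed IP strings are ignored rather than crashing the triage run.
    """
    nets = [ipaddress.ip_network(r) for r in org_ranges]
    hits = []
    for e in entries:
        try:
            addr = ipaddress.ip_address(e["ip"])
        except ValueError:
            continue
        if any(addr in n for n in nets):
            hits.append(e)
    return hits


def hosts_to_isolate(hits):
    """Map each affected bot id to the sorted set of internal IPs it reported from."""
    by_bot = {}
    for e in hits:
        by_bot.setdefault(e["bot"], set()).add(e["ip"])
    return {bot: sorted(ips) for bot, ips in by_bot.items()}


if __name__ == "__main__":
    internal = find_internal_bots(parse_log(SAMPLE_LOGS), ORG_RANGES)
    for bot, ips in hosts_to_isolate(internal).items():
        print(f"bot {bot}: isolate {', '.join(ips)}")
```

In practice the organization's ranges would come from its IPAM or ASN data rather than a hard-coded list, and the URLs in matching entries (intranet, HR, VPN portals) tell the responder which credentials to rotate alongside the reimage.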

A "Zeus Logs" seller offers 240MB of logs for $300-$400 ...

A Criminal Complaint is only intended to show Probable Cause to open an investigation.  It does not require the same level of details as an Indictment, which charges the accused of committing specific criminal acts.

The Indictment came in April of 2014 ...

The Indictment adds additional aliases (Tomas Rimkis, Darklife) and specific charges.  We'll focus on Charge One and Three, which are the ones he pleaded guilty to this week.

Count One:  Wire Fraud Conspiracy (18 U.S.C. §1349)
From September 2010 to August 2012, VOVNENKO and his co-conspirators "operated an international criminal organization that hacked into the computers of individual users and of companies in the United States and elsewhere, and used that access to steal data, including, among other things, user names and passwords for bank accounts and other online services, as well as debit and credit card numbers and related personal identifying information.   After stealing the Log-In Credentials and Payment Card Data, defendant VOVNENKO and his co-conspirators used that information to illegally access and withdraw money from bank accounts and to incur unauthorized charges using the payment card data."  They also sold the data on online forums to individuals and groups that in turn did other illegal things with it.

The indictment states that VOVNENKO had a botnet of "over 13,000 computers infected with malware" and that several of the infected computers were in New Jersey.  At least part of the malware was the "Zeus" malware, which specializes in stealing banking information and recording users' keystrokes.  At least one employee (known as "J. H." in the indictment) of the Victim 1 bank had his workstation infected, and from that base the botnet was able to contact and interact with computers located inside financial institutions.  Counts Three through Six of the indictment refer to the specific acts of logging in to J.H.'s computer "in relation to felony violations
18 U.S.C. §1349 and 18 U.S.C. §1030(a)(2)(C) and (c)(2)(B)(i)



By December of 2015, Vovnenko and his lawyers knew he was going to be found guilty on all charges, no ifs, ands, or buts.  They agreed to a plea agreement in which Vovnenko took the rap for Count One and Count Three, agreeing that he could face a sentence of 20 years imprisonment and a $250,000 fine.  Because he also faced the charge of Aggravated Identity Theft, there is an additional two-year mandatory minimum sentence that cannot run concurrently with any other sentence.  Further, VOVNENKO understood that he may be required to pay restitution, and will likely be deported after his sentence is served.

Sentencing in this case is set for May 2, 2016.  At that time, a Money Judgement will also be made regarding the amount of Restitution that may be required.

Many more details about "Flycracker" (as he was known on Silk Road) or "MUXACC1" (as he was known on Twitter) are available from Brian Krebs' story "Hacker Who Sent Me Heroin Faces Charges in U.S."