I was called by one of my customers today. They were concerned about an e-mail they had received from one of their suppliers which contained an attachment.
Indeed, the e-mail was the typical recent junk e-mail: a zip file containing a .exe virus.
What gets me here is the advice I and others normally give people when it comes to suspicious emails or attachments.
ONLY OPEN ATTACHMENTS IF (among other obvious things):
-You know the sender
-You are expecting a file to be sent to you
Normally these kinds of “Your invoice is attached” zip/exe files purport to come from well-known brands like Vodafone, British Gas, Sky, WhatsApp etc., so you don’t “know the sender” and probably are not expecting an e-mail from them (most people react with “I don’t even have a Vodafone phone”).
However, in this case the sender was known to the recipient, an estate agent, _and_ they were expecting floor plan files from them – as they do multiple times each week.
Normally I would then expect that somehow the address book of the supposed sender had been compromised (as seems to be happening with Yahoo and BT Internet accounts recently) and that the spam had not been sent from the company’s own server. Upon further investigation it seems this isn’t the case:
Return-path: <KarenRoyston@floorplanz.co.uk>
Envelope-to: REDACTED@REDACTED.net
Delivery-date: Tue, 14 Oct 2014 11:09:05 +0100
Received: from relay1.fast.net.uk ([184.108.40.206]) by mail90.extendcp.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80.1) id 1Xdz2P-0002T8-Ne for REDACTED@REDACTED.net; Tue, 14 Oct 2014 11:09:05 +0100
Received: from remote.floorplanz.co.uk (78-32-128-30.static.enta.net [220.127.116.11]) (authenticated bits=0) by relay1.fast.net.uk (8.14.4/8.14.2) with ESMTP id s9E9oblq046774 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 14 Oct 2014 11:03:14 +0100 (BST) (envelope-from KarenRoyston@floorplanz.co.uk)
Received: from SERVER1.FloorPlanz.local ([fe80::69df:11f0:4c4d:1495]) by SERVER1.FloorPlanz.local ([fe80::69df:11f0:4c4d:1495%13]) with mapi; Tue, 14 Oct 2014 10:39:08 +0100
From: Karen Royston <KarenRoyston@floorplanz.co.uk>
Date: Tue, 14 Oct 2014 10:38:23 +0100
Subject: Your document
Thread-Topic: Your document
Thread-Index: Ac/nkrLjAj1PH4/cSearkxQLpWtSjA==
Message-ID: <5815051CFB6ECF419CB6174BBE13D43348BD386E81@SERVER1.FloorPlanz.local>
Accept-Language: en-US, en-GB
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-GB
Content-Type: multipart/mixed; boundary="_004_5815051CFB6ECF419CB6174BBE13D43348BD386E81SERVER1FloorP_"
MIME-Version: 1.0
Reading the Received headers from the bottom up, the message originated on SERVER1.FloorPlanz.local (“with mapi”, i.e. their own Exchange server) and was relayed out through an authenticated session from remote.floorplanz.co.uk, with the envelope sender matching the From address. So this was genuinely sent from the company’s own mail system, not a forged From header. Sadly it seems that “Karen Royston” at floorplanz.co.uk has somehow had her account compromised (probably via Outlook Web Access) and hackers have e-mailed plausible attachments to everyone in her address book.
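The bottom-up reading of the Received chain described above can be automated. The following Python is an added example written for this post, not the author's own tooling or anything from FloorPlanz. It parses the headers quoted above (with the HTML entity escaping undone and only the headers needed for hop analysis kept) using only the standard library, and reports the origin host, whether an authenticated submission hop appears, and whether the envelope sender matches the From header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The headers quoted in the post (entity escaping removed, folded onto
# continuation lines as they would appear in a raw message). Only the
# headers needed for hop analysis are included.
RAW_HEADERS = """\
Return-path: <KarenRoyston@floorplanz.co.uk>
Envelope-to: REDACTED@REDACTED.net
Received: from relay1.fast.net.uk ([184.108.40.206])
    by mail90.extendcp.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
    (Exim 4.80.1) id 1Xdz2P-0002T8-Ne
    for REDACTED@REDACTED.net; Tue, 14 Oct 2014 11:09:05 +0100
Received: from remote.floorplanz.co.uk (78-32-128-30.static.enta.net [220.127.116.11])
    (authenticated bits=0)
    by relay1.fast.net.uk (8.14.4/8.14.2) with ESMTP id s9E9oblq046774
    (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL);
    Tue, 14 Oct 2014 11:03:14 +0100 (BST)
    (envelope-from KarenRoyston@floorplanz.co.uk)
Received: from SERVER1.FloorPlanz.local ([fe80::69df:11f0:4c4d:1495]) by
    SERVER1.FloorPlanz.local ([fe80::69df:11f0:4c4d:1495%13]) with mapi;
    Tue, 14 Oct 2014 10:39:08 +0100
From: Karen Royston <KarenRoyston@floorplanz.co.uk>
Subject: Your document
Message-ID: <5815051CFB6ECF419CB6174BBE13D43348BD386E81@SERVER1.FloorPlanz.local>

"""


def received_hops(raw_message):
    """Return the Received hops in transit order (origin first).

    Each MTA prepends its own Received header, so the last one in the
    message is the first hop the mail took."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # undo RFC 5322 header folding
        from_m = re.search(r"\bfrom\s+(\S+)", text)
        by_m = re.search(r"\bby\s+(\S+)", text)
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "by": by_m.group(1) if by_m else None,
            # "authenticated" is what sendmail writes for SMTP AUTH submissions
            "authenticated": "authenticated" in text,
            "tls": "TLS" in text or "esmtps" in text,
        })
    return hops


def assess_origin(raw_message):
    """Summarise what the chain says about where the mail really started."""
    msg = message_from_string(raw_message)
    hops = received_hops(raw_message)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    envelope_from = parseaddr(msg.get("Return-path", ""))[1].lower()
    sender_domain = header_from.rsplit("@", 1)[-1]
    return {
        "origin_host": hops[0]["from"] if hops else None,
        "submitted_via_auth": any(h["authenticated"] for h in hops),
        "envelope_matches_from": envelope_from == header_from,
        # An early hop under the sender's own domain is what separates
        # "sent from the company's own server" from a forged From header.
        "origin_in_sender_domain": any(
            h["from"] is not None and h["from"].lower().endswith(sender_domain)
            for h in hops[:2]
        ),
        "hops": hops,
    }


if __name__ == "__main__":
    result = assess_origin(RAW_HEADERS)
    for i, hop in enumerate(result["hops"], 1):
        flags = [k for k in ("authenticated", "tls") if hop[k]]
        print(f"hop {i}: {hop['from']} -> {hop['by']} {flags}")
    for key in ("origin_host", "submitted_via_auth",
                "envelope_matches_from", "origin_in_sender_domain"):
        print(f"{key}: {result[key]}")
```

Two caveats when using this on other mail: anything above the first hop you control is written by the far side and can be forged, so only the Received lines added by your own relays (here mail90.extendcp.com) are trustworthy by themselves, and "authenticated" merely says a password was accepted, which in a compromised-account case is exactly what happened.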
SenderBase shows a 2500+% increase in e-mail from their server within the last day.
I called FloorPlanz and they were aware of the problem.
What is also interesting is that VirusTotal had first seen the attachment at around the same time the floorplanz spam e-mail was sent out, which suggests the virus was a variant built specifically for this attack rather than one reused from a common campaign.
I also expect the address book has been stolen for use in further targeted attacks. My customer has since received similarly titled e-mails and attachments from other addresses not previously known to them.
Summary: Estate agents that commonly open attachments from floorplanz: CHECK YOUR SYSTEMS FOR INFECTION!
Technical details on the virus:
This report seems to be a variant of the same thing.
The attachment in the e-mail is a dropper that initially tries, twice, to contact 18.104.22.168 (which is currently rejecting connections).
It then does a DNS lookup for itsallaboutrice.com (which succeeds) and requests:
It then tried once more to contact the unresponsive .13 address.
Then it did a DNS request for Google and opened and instantly dropped a connection to the returned IP without sending any data (presumably a connectivity check).
It then sent a DNS query for stun.voip.aebc.com followed by a few STUN messages, I presume to learn the “external IP” of the infected machine.
It then did one more connect-and-drop to Google.
Then it started talking SSL to 22.214.171.124 on port 443. The SSL certificate has no Common Name (CN) and was self-signed/generated on the 3rd of October, further suggesting this is a recent and active targeted attack.
There is very little information about 126.96.36.199 on the internet, except that it is an OVH server in France.
It made the following requests:
https://188.8.131.52:4443/1410out/W7VM1_W617601.7A8A3CE2C285CEDB0A33DB7343EF9AD4/5/cert/184.108.40.206/
https://220.127.116.11:4443/1410out/W7VM1_W617601.7A8A3CE2C285CEDB0A33DB7343EF9AD4/0/Win_7_SP1_32bit/1055/18.104.22.168/
https://22.214.171.124:4443/1410out/W7VM1_W617601.7A8A3CE2C285CEDB0A33DB7343EF9AD4/14/NAT/Port%20restricted%20NAT/0/126.96.36.199/
https://188.8.131.52:4443/1410out/W7VM1_W617601.7A8A3CE2C285CEDB0A33DB7343EF9AD4/1/fcECsTjLhEiQQdqBreNTcNcNrJRryBn/184.108.40.206/
https://220.127.116.11:4443/1410out/W7VM1_W617601.7A8A3CE2C285CEDB0A33DB7343EF9AD4/14/user/User/0/18.104.22.168/
https://22.214.171.124:4443/1410out/W7VM1_W617601.7A8A3CE2C285CEDB0A33DB7343EF9AD4/5/httprdc/126.96.36.199/
https://188.8.131.52:4443/1410out/W7VM1_W617601.7A8A3CE2C285CEDB0A33DB7343EF9AD4/63/browsnapshot/184.108.40.206/
https://220.127.116.11:4443/1410out/W7VM1_W617601.7A8A3CE2C285CEDB0A33DB7343EF9AD4/23/213291114/wjTHAlXnvSGgWorWdCTaoSSqPwtRacw/18.104.22.168/
https://22.214.171.124:4443/1410out/W7VM1_W617601.7A8A3CE2C285CEDB0A33DB7343EF9AD4/63/generalinfo/126.96.36.199/
The browsnapshot request seems to have uploaded the cookies I had stored in the browser on the test machine.
The generalinfo request seems to send the attackers:
-The CPU info of the computer
-The users accounts on the system
-The programs installed on the system
-The services on the system including driver services
It then continues to poll crypto-style (random-looking) URLs under the same subfolder every 4 minutes, presumably waiting for instructions from its CnC server, such as further inspection of the system or a DDoS target.
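The request list above has a fixed shape (/1410out/<bot id>/<numeric code>/<payload>/<ip>/), and the 4-minute polling that follows is a timing signature, so both can be turned into a proxy-log check. The Python below is an added example, not the author's tooling or anything from the Sophos report. It parses beacon URLs into fields and flags clients that hit the same bot id at roughly four-minute intervals. The proxy log it runs on is constructed: the first five request paths are from the post's list (using one of the listed C2 addresses, 188.8.131.52:4443), while the "/7/..." poll paths are made up to stand in for the random-looking URLs the post describes but does not quote; reading the bot id as <hostname>_<tag>.<32 hex> is also an assumption.

```python
import re
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit, unquote

# Path shape seen in the post's request list:
#   /1410out/<bot-id>/<code>/<payload, may contain slashes>/<ip>/
BEACON_RE = re.compile(
    r"^/1410out/([^/]+)/(\d+)/(?:(.*)/)?(\d{1,3}(?:\.\d{1,3}){3})/$")


def parse_beacon(url):
    """Split one C&C request into its fields, or None if it is not one."""
    u = urlsplit(url)
    m = BEACON_RE.match(u.path)
    if not m:
        return None
    bot_id, code, payload, reported_ip = m.groups()
    return {
        "c2": f"{u.hostname}:{u.port}",
        # bot_id looks like <hostname>_<tag>.<32 hex>; that reading is an
        # assumption, the post does not decode it
        "bot_id": bot_id,
        "code": int(code),
        "payload": unquote(payload or ""),
        "reported_ip": reported_ip,
    }


def find_beaconing(log_lines, period=240, tolerance=20, min_hits=3):
    """Group beacon requests by (client, bot_id) and report those whose
    inter-request gaps cluster around `period` seconds (the post reports a
    4-minute poll). Returns {(client, bot_id): median_gap_seconds}."""
    seen = {}
    for line in log_lines:
        ts, client, url = line.split(" ", 2)
        b = parse_beacon(url)
        if b is None:
            continue
        seen.setdefault((client, b["bot_id"]), []).append(
            datetime.fromisoformat(ts))
    hits = {}
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = [g for g in gaps if abs(g - period) <= tolerance]
        if len(periodic) >= min_hits:
            hits[key] = round(median(periodic))
    return hits


BOT = "W7VM1_W617601.7A8A3CE2C285CEDB0A33DB7343EF9AD4"
C2 = "https://188.8.131.52:4443/1410out/" + BOT
# Constructed proxy log, "<iso-time> <client-ip> <url>". The first five paths
# are from the post's list; the "/7/..." poll paths are made up to stand in
# for the random-looking URLs it describes, spaced about four minutes apart.
SAMPLE_LOG = [
    f"2014-10-14T11:20:01 10.0.0.5 {C2}/5/cert/184.108.40.206/",
    f"2014-10-14T11:20:02 10.0.0.5 {C2}/0/Win_7_SP1_32bit/1055/184.108.40.206/",
    f"2014-10-14T11:20:02 10.0.0.5 {C2}/14/NAT/Port%20restricted%20NAT/0/184.108.40.206/",
    f"2014-10-14T11:20:03 10.0.0.5 {C2}/63/browsnapshot/184.108.40.206/",
    f"2014-10-14T11:20:04 10.0.0.5 {C2}/63/generalinfo/184.108.40.206/",
    f"2014-10-14T11:24:03 10.0.0.5 {C2}/7/kQpLsvNeRt/184.108.40.206/",
    f"2014-10-14T11:28:03 10.0.0.5 {C2}/7/tRmXzcQaVb/184.108.40.206/",
    f"2014-10-14T11:32:02 10.0.0.5 {C2}/7/bYwHnDufGk/184.108.40.206/",
    f"2014-10-14T11:36:04 10.0.0.5 {C2}/7/pCgVeLoiJm/184.108.40.206/",
    f"2014-10-14T11:40:05 10.0.0.5 {C2}/7/xSdKqWzaHn/184.108.40.206/",
    "2014-10-14T11:21:00 10.0.0.9 https://www.example.com/index.html",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        b = parse_beacon(line.split(" ", 2)[2])
        if b:
            print(b["code"], b["payload"])
    print(find_beaconing(SAMPLE_LOG))
```

Because the traffic is TLS to a raw IP on port 4443 with a self-signed certificate, a proxy that does not intercept TLS will only see the host:port, not the path; in that case drop parse_beacon and run the same interval test on connections per (client, destination IP:port) instead, and treat any such destination plus a preceding DNS query for itsallaboutrice.com or stun.voip.aebc.com as the indicator.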
Pretty comprehensive trojan.
Update: Sophos have a report on this malware now too.
Hashes (MD5):
708c6b4bdd5a687a684eda12ab0152ca – dropper
3032e8ce4454443ecd72f4332076e5b3 – payload (the component making the https requests and exfiltrating the information)