E-mail comes through with a subject line similar to “Fax Message #5522951”, where the number is random.
The message body looks like this:
Fax Message [Caller-ID: 1-407-378-1024]
You have received a 3 page fax at Mon, 1 Dec 2014 14:16:54 +0000.
http://www.nlp-books.net/document/faxmessage.php
View this fax using your PDF reader.
Thank you for using the MyFax service!
The URLs contained point to a multitude of hacked sites, all using the same /document/faxmessage.php path:
The sending SMTP servers appear to be nine different IP addresses.
The links serve a file with SHA256 9bb41ac8fc5fb79c58411dc137fd46ef5e130b753f436eec1a22c529f1305703, named
“doc21641_pdf.zip”, which extracts to “doc21641_pdf.exe”. VirusTotal Report / Malwr Report
When run it sends two requests:
http://80.248.222.238:15060/0112uk2/W7VM1/0/61-SP1/0/
http://80.248.222.238:15060/0112uk2/W7VM1/1/0/0/
It disguises its requests with the header:
“User-Agent: realUpdate”
Something I don’t remember from the 3 previous – similar – infections.
Both requests return 0 bytes.
The server is in France and hosted by:
inetnum: 80.248.222.0 – 80.248.222.255
descr: FR-NERIM-80-248-222
org: ORG-NA20-RIPE
netname: VIRTUAL-HOSTING-PA3
remarks: INFRA-AW
country: FR
It also resolves wholesale-motoroilonline.com via DNS and then requests /images/t2.pnj from that host.
This redirects to http://www.wholesale-motoroilonline.com, and the DNS lookup and the request are retried.
http://www.wholesale-motoroilonline.com/images/t2.pnj (hosted on 192.163.217.66 / server.amssyntheticoil.com)
Net Range 192.163.192.0 – 192.163.255.255
CIDR 192.163.192.0/18
Name UNIFIEDLAYER-NETWORK-13
Handle NET-192-163-192-0-1
After downloading, it extracts and spawns another process from the “C:\Users\<username>\AppData\Local\” folder. SHA256 040766e3569e2a73fa0e22a2447edb9e2c31f9891ebc82af42c700f02a64961a
VirusTotal Report / Malwr Report.
It then makes further requests using explorer.exe:
- 00:00:00.000 fwyql.exe[3768] (Count=4, Sent=557, Received=356.42 K, ElapsedTime=1.797 s)
1 False + 0.000 False GET (None) http://80.248.222.238:15060/0112uk2/W7VM1/0/61-SP1/0/
2 False + 0.047 False GET (None) http://80.248.222.238:15060/0112uk2/W7VM1/1/0/0/
3 False + 0.109 True 0.283 s GET 301 568 text/html http://wholesale-motoroilonline.com/images/t2.pnj http://www.wholesale-motoroilonline.com/images/t2.pnj
4 False + 0.391 True 1.407 s GET 200 355.87 K text/plain http://www.wholesale-motoroilonline.com/images/t2.pnj
- 00:11:34.204 Explorer.EXE[3912] (Count=8, Sent=1.95 K, Received=117.52 K, ElapsedTime=10.985 s)
5 False + 0.000 True 1.766 s GET 200 757 application/octet-stream https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/5/cert/my.ip.masked.here/
6 False + 1.765 True 2.923 s GET 200 805 application/octet-stream https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/0/Win_7_SP1_32bit/1069/my.ip.masked.here/
7 False + 4.703 True 1.610 s GET 200 197 application/octet-stream https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/1/KxskFNkhMvobihpvNHQcRMxTXhygpqU/my.ip.masked.here/
8 False + 4.703 True 3.001 s GET 200 52.91 K application/octet-stream https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/5/httprdc/my.ip.masked.here/
9 False + 6.343 True 2.939 s GET 200 52.91 K application/octet-stream https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/5/httprdc/8my.ip.masked.here/
10 False + 7.718 True 1.720 s GET 200 4.99 K application/octet-stream https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/5/respparser/my.ip.masked.here/
11 False + 9.296 True 1.689 s GET 200 4.99 K application/octet-stream https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/5/respparser/my.ip.masked.here/
13 False + 10.984 True 1.626 s GET 200 197 text/plain https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/14/user/henry/0/my.ip.masked.here/
This server (202.153.35.133) has no reverse DNS and is hosted in Hyderabad, India:
inetnum: 202.153.32.0 – 202.153.47.255
netname: EXCELL-NET
descr: Excell Media Pvt Ltd
descr: Cable ISP
descr: Hyderabad A.P, India
country: IN
Further “errors”, similar to the previous analysis, show more information about what it might be stealing:
14 False + 178.671 True 1.658 s GET 200 197 text/plain https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/14/error/send%20browser%20snapshot%20failed/0/86.164.189.213/
15 False + 178.671 True 1.689 s GET 200 197 text/plain https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/14/twg32/cannot%20get/0/86.164.189.213/
16 False + 180.328 True 1.798 s GET 200 1.13 K application/octet-stream https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/23/217162868/uBpCFodxIIocBPaHMTCnyLaPbRtKAdf/86.164.189.213/
17 False + 183.687 True 3.876 s POST 200 197 text/plain https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/63/generalinfo/86.164.189.213/
18 False + 206.015 True 1.595 s GET 200 197 application/octet-stream https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/1/FcUYTwjrIbXODWguWiaTFakmLbUpkGK/86.164.189.213/
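As an added example (not code from the post), a small Python triage script that walks request lines in the flattened layout of the captures above and flags the traits this analysis calls out: beacons to a literal IP on a non-standard port whose path follows the campaign/bot-id/command shape, the URL-encoded error strings the bot reports back inside the path, and the .pnj payload fetch. The sample lines are constructed from the capture on the page; the log layout is assumed to be the same space-separated export shown above.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit, unquote
# Constructed sample in the layout of the capture quoted above; hosts and paths are the
# ones on the page, and 'my.ip.masked.here' is the author's own masking placeholder.
SAMPLE_LOG = """\
1 False + 0.000 False GET (None) http://80.248.222.238:15060/0112uk2/W7VM1/0/61-SP1/0/
4 False + 0.391 True 1.407 s GET 200 355.87 K text/plain http://www.wholesale-motoroilonline.com/images/t2.pnj
5 False + 0.000 True 1.766 s GET 200 757 application/octet-stream https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/5/cert/my.ip.masked.here/
14 False + 178.671 True 1.658 s GET 200 197 text/plain https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/14/error/send%20browser%20snapshot%20failed/0/86.164.189.213/
"""

# Every C2 URL on the page has the shape /<campaign>/<bot id>/<command number>/<argument...>/
C2_PATH = re.compile(r"^/(?P<campaign>\w+)/(?P<bot>[\w.]+)/(?P<cmd>\d+)/(?P<arg>.*?)/?$")

def parse_line(line):
    """Pull the request number, method, status and first URL out of one log line."""
    tokens = line.split()
    urls = [t for t in tokens if t.startswith(("http://", "https://"))]
    method = next((t for t in tokens if t in ("GET", "POST")), None)
    if not urls or method is None:
        return None
    status = tokens[tokens.index(method) + 1]          # "(None)" when no response came back
    return {"no": tokens[0], "method": method,
            "status": status if status.isdigit() else None, "url": urls[0]}

def classify(rec):
    """Indicator labels for one parsed request; empty list if nothing stands out."""
    u = urlsplit(rec["url"])
    hits = []
    try:
        ip_address(u.hostname)
        literal_ip = True
    except ValueError:
        literal_ip = False
    m = C2_PATH.match(u.path)
    if literal_ip and u.port not in (None, 80, 443) and m:
        hits.append(f"c2-beacon campaign={m['campaign']} bot={m['bot']} cmd={m['cmd']}")
        arg = unquote(m["arg"])
        if arg.startswith("error/"):                    # bot reports failures in the path itself
            hits.append("reported-error: " + arg.split("/")[1])
    if u.path.lower().endswith(".pnj"):                 # near-miss image extension on a payload
        hits.append("disguised-download: " + u.path)
    return hits

def scan(log_text):
    """Map request number -> indicator labels for every line that triggers one."""
    recs = filter(None, (parse_line(l) for l in log_text.splitlines()))
    return {r["no"]: h for r in recs if (h := classify(r))}
```

Running scan(SAMPLE_LOG) flags all four sample lines; ordinary browsing to a named host on port 443 with a normal path produces no label.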
The SSL certificate for this run was generated on “01 December 2014 15:20:10” which indicates another very active / recent setup for this intrusion attempt.