“Payment Advice – Advice Ref:[GB580659] / CHAPS credits” Spam with Virus

Several e-mails came in today with the title

“Payment Advice – Advice Ref:[GB<RANDOM>] / CHAPS credits”

With the content:

Received: from support-hsbc.com (71-6-94-36.static-ip.telepacific.net
[71.6.94.36]) by my.server.here with ESMTP ; Wed, 14 Jan 2015 16:29:51
+0000
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format=flowed
Content-Transfer-Encoding: 7bit
Date: Wed, 14 Jan 2015 16:25:05 +0000
From: HSBC Advising Service <no-replay@support-hsbc.com>
To: <my@address.here>
Subject: Payment Advice – Advice Ref:[GB580659] / CHAPS credits
Message-ID: <01875579662532460212982696507713@support-hsbc.com>
User-Agent: Roundcube Webmail/1.1.1
Return-Path: no-replay@support-hsbc.com

Sir/Madam,

Please download document from dropbox, payment advice is issued at the request of our customer. The advice is for your reference only.

Download link:

http://cagribeylisesi.awardspace.com/HSBC_DATA/get_document.html

Yours faithfully,
Global Payments and Cash Management
HSBC

***************************************************************************

This is an auto-generated email, please DO NOT REPLY. Any replies to this email will be disregarded.

***************************************************************************
Security tips

1. Install virus detection software and personal firewall on your computer. This software needs to be updated regularly to ensure you have the latest protection.
2. To prevent viruses or other unwanted problems, do not open attachments from unknown or non-trustworthy sources.
3. If you discover any unusual activity, please contact the remitter of this payment as soon as possible.

*******************************************************************
This e-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return e-mail.

Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions.
*******************************************************************
“SAVE PAPER – THINK BEFORE YOU PRINT!”

Several addresses are associated with this malware:
http://cagribeylisesi.awardspace.com/HSBC_DATA/get_document.html
http://hynoconnect.hynoworld.com/HSBC_DATA/get_document.html
http://arteclandestino.com/HSBC_DATA/get_document.html
http://moda-arad.ro/HSBC_DATA/get_document.html
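The headers and lure links quoted above carry the usual give-aways: the sending host introduces itself as support-hsbc.com but its reverse DNS is a telepacific.net address, the sender domain merely contains the brand, and the "HSBC_DATA" path lives on hosts the bank does not own. The following Python is an added example, not code from the original post, of the checks a mail gateway rule could make on this message. The message text is a constructed copy of the headers and body shown above (with the post's own placeholders, the subject dash written as a hyphen), and the list of legitimate sender suffixes is an assumption for the example.

```python
"""Gateway-style triage of the lure e-mail quoted above.  Added example, not
code from the original post; the message is a constructed copy of the page's
headers and body, and LEGIT_SUFFIXES is an assumption for the example."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: the headers and body from the post, one Received line.
RAW_MESSAGE = """\
Received: from support-hsbc.com (71-6-94-36.static-ip.telepacific.net [71.6.94.36]) by my.server.here with ESMTP ; Wed, 14 Jan 2015 16:29:51 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format=flowed
From: HSBC Advising Service <no-replay@support-hsbc.com>
To: <my@address.here>
Subject: Payment Advice - Advice Ref:[GB580659] / CHAPS credits
Return-Path: no-replay@support-hsbc.com

Sir/Madam,

Please download document from dropbox, payment advice is issued at the request of our customer.

Download link:

http://cagribeylisesi.awardspace.com/HSBC_DATA/get_document.html
"""

BRAND = "hsbc"
# Assumption for the example: the brand's genuine mail and web hosts end in these.
LEGIT_SUFFIXES = ("hsbc.com", "hsbc.co.uk")

# "from <HELO name> (<reverse DNS> [<IP>])" as most MTAs write the Received header
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of(addr: str) -> str:
    """Domain part of a From/Return-Path value such as 'Name <user@host>'."""
    return addr.rsplit("@", 1)[-1].strip("> ").lower()


def is_legit(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def triage(raw: str) -> dict:
    """Return the indicators a mail-gateway rule would key on for one message."""
    msg = message_from_string(raw)
    findings = []

    # 1. HELO name versus reverse DNS of the connecting IP.  A bank MTA does
    #    not introduce itself as support-hsbc.com from a telepacific.net host.
    m = RECEIVED_RE.search(msg.get("Received", ""))
    if m:
        helo, rdns = m["helo"].lower(), m["rdns"].lower()
        if not (rdns == helo or rdns.endswith("." + helo)):
            findings.append(f"HELO {helo} does not match rDNS {rdns} [{m['ip']}]")

    # 2. Brand lookalike in the sender domain (contains the brand, is not the brand).
    sender = domain_of(msg.get("From", ""))
    if BRAND in sender and not is_legit(sender):
        findings.append(f"lookalike sender domain {sender}")

    # 3. Links whose path carries the brand name on a host the brand does not own.
    urls = URL_RE.findall(msg.get_payload())
    for url in urls:
        u = urlparse(url)
        if BRAND in u.path.lower() and not is_legit(u.hostname or ""):
            findings.append(f"brand lure {u.path} hosted on {u.hostname}")

    return {"findings": findings, "urls": urls}


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE)["findings"]:
        print(finding)
```

All three signals fire on the quoted message. They are heuristics for triage; in production the HELO/rDNS check would sit alongside SPF and DKIM evaluation rather than replace it, and the brand list would be maintained per protected brand.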

Most of the hosts have been taken down, but the final one, the .ro site, served a file called message.zip containing "doc208_pdf.exe" (VirusTotal Report / Malwr Report). The "_pdf.exe" naming is the usual trick: with Windows hiding known file extensions the name displays as doc208_pdf and passes for a document.

SHA256: 84263a974833d66ca0d691f5000674daac1e87b7282a3392ae8a474b553899d9

When run, it copies itself to C:\Users\username\AppData\Local\Temp\ and runs the copy.

It then contacts:

http://202.153.35.133:23566/1401uk22/W7VM1/0/61-SP1/0/
http://202.153.35.133:23566/1401uk22/W7VM1/1/0/0/
http://202.153.35.133:23611/1401uk22/W7VM1/41/7/3/

It then also contacted:

http://dizajnstudiomis.com/components/com_users/listd.pdf
http://kangaroovn.com/css/listd.pdf

At which point a new file was downloaded and run:

C:\Users\user\AppData\Local\LdgeuRniELJBROO.exe – VirusTotal Report / Malwr Report
SHA256: d5e99f3c86e3d026554bc50632e26149cb3ad481bfcc53ca006995961187994f

which then appeared to make these requests:

https://46.165.250.11:4443/1401uk2/W7VM1_W617601.4CCAA335E39EE28EAC993DDBA058FC97/0/Win_7_SP1_32bit/1087/my.ip.here/
https://195.154.241.47/1401uk2/W7VM1_W617601.4CCAA335E39EE28EAC993DDBA058FC97/5/wg32/my.ip.here/

46.165.250.11, host rDNS "hosted-by.leaseweb.com":
HTTPS certificate generated 24th December 2014. That is unusual: for the previous similar malware (see below) the certificates were created within a day of the spam run.

inetnum: 46.165.250.0 - 46.165.251.255
netname: NETDIRECT-NET
descr: Leaseweb Germany GmbH (previously netdirekt e. K.)
remarks: INFRA-AW

195.154.241.47, host rDNS "maxided-1011.gate02-1.fr.theideahosting.net":
HTTPS certificate generated 8th January 2015.

inetnum: 195.154.128.0 - 195.154.255.255
netname: FR-ILIAD-ENTREPRISES-CUSTOMERS
descr: Iliad Entreprises Customers
country: FR

Unlike the previous similar malware of this family that I've seen, this version also used the above URL scheme to steal cookies.

It also did something else unusual: it made the following requests several times and kept repeating them at regular intervals:

https://cowpuncher.drollette.com/netdb/i2pseeds.su3
https://cowpuncher.drollette.com/netdb/
https://reseed.i2p-projekt.de/i2pseeds.su3

Looks possibly like part of a DDoS attack? Or use of some sort of Tor-like proxy service to hide traffic. (reseed.i2p-projekt.de and the i2pseeds.su3 files are the I2P anonymity network's reseed bundles, the router-info sets a fresh I2P router fetches to bootstrap, so the second reading fits: the sample is bringing up an I2P router.)
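The beacon URLs above share one layout: a path that starts with a campaign tag (1401uk22 for the downloader, 1401uk2 for the second stage), then the victim machine name (W7VM1, later suffixed with a per-bot identifier), then a run of numeric or OS-description fields ending, in the HTTPS variant, with the victim's own IP. The following Python is an added example, not code from the original post, that pulls that layout out of proxy log lines and also flags the I2P reseed fetches. The log lines are constructed: the "<timestamp> <client> <method> <url>" format and the 10.0.0.x clients are assumptions, 203.0.113.9 stands in for the victim address the post redacts as my.ip.here, and the campaign-tag regex is a heuristic read off the four URLs above that can also match unrelated paths of the same shape.

```python
"""Added example (not from the post): recognise the beacon URL layout and the
I2P reseed fetches in proxy logs.  LOG_LINES are constructed; the format is
'<timestamp> <client> <method> <url>' and 203.0.113.9 stands in for the
victim's public address that the malware appends to the path."""
import re
from collections import defaultdict
from urllib.parse import urlparse

LOG_LINES = [
    "2015-01-14T16:31:02 10.0.0.5 GET http://202.153.35.133:23566/1401uk22/W7VM1/0/61-SP1/0/",
    "2015-01-14T16:31:05 10.0.0.5 GET http://dizajnstudiomis.com/components/com_users/listd.pdf",
    "2015-01-14T16:32:10 10.0.0.5 CONNECT https://46.165.250.11:4443/1401uk2/W7VM1_W617601.4CCAA335E39EE28EAC993DDBA058FC97/0/Win_7_SP1_32bit/1087/203.0.113.9/",
    "2015-01-14T16:33:00 10.0.0.5 GET https://reseed.i2p-projekt.de/i2pseeds.su3",
    "2015-01-14T16:35:00 10.0.0.7 GET http://www.example.com/index.html",
]

# /<campaign tag>/<machine name>[_<bot id>]/<field>/<field>/.../
# The tag shape (4 digits, letters, digits) is read off the URLs in the post;
# it is a heuristic and will also match unrelated paths of the same shape.
BEACON_PATH = re.compile(
    r"^/(?P<campaign>\d{4}[a-z]+\d+)/(?P<bot>[A-Za-z0-9_.]+)/(?P<fields>(?:[^/]*/)*)$")
I2P_RESEED = re.compile(r"/i2pseeds\.su3$|/netdb/?$")


def classify(url: str):
    """Return (kind, details) for a matching URL, or None."""
    u = urlparse(url)
    m = BEACON_PATH.match(u.path)
    if m:
        machine, _, bot_id = m["bot"].partition("_")
        fields = [f for f in m["fields"].split("/") if f]
        return ("beacon", {"c2": u.netloc, "campaign": m["campaign"],
                           "machine": machine, "bot_id": bot_id, "fields": fields})
    if I2P_RESEED.search(u.path):
        return ("i2p_reseed", {"server": u.netloc})
    return None


def scan(lines):
    """Group hits by client so one infected host's beacon, bot id and I2P
    bootstrap show up together in the alert."""
    hits = defaultdict(list)
    for line in lines:
        ts, client, _method, url = line.split()
        hit = classify(url)
        if hit:
            hits[client].append((ts, *hit))
    return dict(hits)


if __name__ == "__main__":
    for client, events in scan(LOG_LINES).items():
        for ts, kind, details in events:
            print(client, ts, kind, details)
```

The listd.pdf fetch deliberately does not match: its path is generic, so it is better handled by an exact indicator list than by a pattern. The value of the structural match is that it survives the C2 address changing, which is what the two different hosts and campaign tags above show happening between stages.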

A lot of UDP traffic, with apparently random source and destination ports, went to the following hosts:

109.173.124.172 – Russian cable broadband connection
194.67.121.195 – Institute of Spectroscopy, Russian Academy of Science
84.10.39.162 – Polish broadband connection
93.81.73.203 – Russian broadband connection
97.87.49.54 – USA broadband connection
94.242.252.200 – Lithuanian hosting company
188.65.66.81 – Russian broadband connection
5.228.13.22 – Russian cable broadband connection
79.172.18.18 – Russian broadband connection
5.141.86.224 – Russian broadband connection
82.190.145.234 – Italian broadband connection
92.100.100.220 – Russian broadband connection
115.43.212.247 – Taiwan broadband connection
91.202.25.97 – Russian broadband connection

Possibly some kind of P2P C&C? Heavily Russian connections.
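One way to turn the UDP observation above into a detection, as an added example that is not part of the original post: build per-source statistics from flow records and flag a host that talks UDP to many distinct peers on high, non-repeating destination ports with almost no well-known-port traffic, which is how P2P peer chatter looks next to ordinary DNS and NTP. The flow records are constructed here (the peer addresses are the ones listed above; the internal 10.0.0.x hosts, the 10.0.0.1 resolver, the 192.0.2.10 NTP server and the port values are invented), and the thresholds are assumptions to tune against real traffic.

```python
"""Added example: UDP fan-out heuristic over flow records (not from the post).
Flow tuples are (src, sport, dst, dport, proto); the records are constructed,
using the peer addresses listed in the post and invented internal hosts."""
import random
from collections import defaultdict

PEERS = [
    "109.173.124.172", "194.67.121.195", "84.10.39.162", "93.81.73.203",
    "97.87.49.54", "94.242.252.200", "188.65.66.81", "5.228.13.22",
    "79.172.18.18", "5.141.86.224", "82.190.145.234", "92.100.100.220",
    "115.43.212.247", "91.202.25.97",
]


def make_flows():
    """Constructed traffic: infected host 10.0.0.5 talks to every peer on random
    ephemeral ports; 10.0.0.7 only does DNS and NTP (assumed addresses)."""
    rng = random.Random(7)          # fixed seed so the sample is reproducible
    flows = []
    for dst in PEERS:
        for _ in range(3):
            flows.append(("10.0.0.5", rng.randint(1024, 65535), dst,
                          rng.randint(1024, 65535), "udp"))
    for _ in range(40):
        flows.append(("10.0.0.7", rng.randint(1024, 65535), "10.0.0.1", 53, "udp"))
    flows.append(("10.0.0.7", 123, "192.0.2.10", 123, "udp"))
    return flows


def udp_fanout(flows, min_peers=8, max_wellknown_ratio=0.2, min_port_spread=0.5):
    """Per-source UDP statistics and a verdict.

    port_spread = distinct destination ports / flows: close to 1.0 means nearly
    every flow used a different port, as with the randomised traffic above;
    ordinary clients concentrate on a few service ports (53, 123, ...)."""
    stats = defaultdict(lambda: {"peers": set(), "dports": set(),
                                 "flows": 0, "wellknown": 0})
    for src, _sport, dst, dport, proto in flows:
        if proto != "udp":
            continue
        s = stats[src]
        s["peers"].add(dst)
        s["dports"].add(dport)
        s["flows"] += 1
        if dport < 1024:
            s["wellknown"] += 1
    verdicts = {}
    for src, s in stats.items():
        wk_ratio = s["wellknown"] / s["flows"]
        spread = len(s["dports"]) / s["flows"]
        verdicts[src] = {
            "peers": len(s["peers"]),
            "flows": s["flows"],
            "wellknown_ratio": round(wk_ratio, 2),
            "port_spread": round(spread, 2),
            "suspicious": (len(s["peers"]) >= min_peers
                           and wk_ratio <= max_wellknown_ratio
                           and spread >= min_port_spread),
        }
    return verdicts


if __name__ == "__main__":
    for src, verdict in udp_fanout(make_flows()).items():
        print(src, verdict)
```

On the constructed records 10.0.0.5 is flagged (14 peers, no well-known ports, a different destination port per flow) and 10.0.0.7 is not (two peers, every flow to port 53 or 123). Hosts running legitimate P2P software, VoIP or games will trip the same rule, so in practice the verdict is a lead to correlate with the beacon and I2P fetches above rather than a block on its own.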


One Response to “Payment Advice – Advice Ref:[GB580659] / CHAPS credits” Spam with Virus

  1. Pingback: “Payment Advice – Advice Ref:[GB813730] / CHAPS credits” Spam / Virus | thecomputerperson
