2017-04-18 - ZEUS PANDA BANKER, KOVTER AND MIUREF INFECTION

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-04-18-Zeus-Panda-Banker-and-Kovter-and-Miuref-infection-traffic-5-pcaps.zip   12.2 MB (12,162,657 bytes)
• 2017-04-18-USPS-malspam-tracker.csv.zip   2.4 kB (2,401 bytes)
• 2017-04-18-USPS-themed-emails-and-associated-malware.zip   938.9 kB (938,930 bytes)

 

Shown above:  Flowchart for this infection traffic.

 

EMAILS

Shown above:  Example of the emails seen today.

 

DATES/TIMES:

• Tuesday 2017-04-18 as early as 13:36 UTC through at least 20:17 UTC

EXAMPLES OF SENDING ADDRESSESS (ALL SPOOFED):

• "USPS Delivery" <jwiaati02728@scatterdesign[.]com>
• "USPS Delivery" <rojuy8725726@kell-online[.]nl>
• "USPS Express Delivery" <bu231@anti-daunatori[.]ro>
• "USPS Express Delivery" <cazultu062250@gpanagopoulos[.]com>
• "USPS Ground Support" <gicuridu8681412@progressivebusinesstechnologytraining[.]com>
• "USPS Ground Support" <isohos1387@scmgroup-usa[.]com>
• "USPS Ground Support" <w612270@ifremmont[.]com>
• "USPS Ground" <cgpud28502@san[.]co[.]uk>
• "USPS Ground" <dtezotyc58380@oaeyewear[.]com>
• "USPS Ground" <ezrahaz763008@frankies[.]us>
• "USPS Ground" <irxyijt18112730@visitpalmyra[.]com>
• "USPS Ground" <kbcp35135257@furrypad[.]com>
• "USPS Ground" <n3207@bullmountainortho[.]com>
• "USPS Ground" <oaeekde21435047@paperdrummachinery[.]com>
• "USPS Ground" <qijyi1016310@axiom-cro[.]com>
• "USPS Parcels Delivery" <eenzy3152575@newluxmi[.]com>
• "USPS Parcels Delivery" <y1606467@abs.amity[.]edu>
• "USPS Priority Delivery" <yccawije4@hyundai[.]com>
• "USPS Priority Parcels" <deiain115@thefarraghers[.]net>
• "USPS Priority Parcels" <jorir2887130@editoraantiqua[.]com[.]br>
• "USPS Priority" <btofjyn10524524@ispesl[.]it>
• "USPS Priority" <femouuk456@opusenergy[.]com>
• "USPS Priority" <owyduma0467345@intuitrx[.]com>
• "USPS Priority" <pyefevo5@first-club[.]ru>
• "USPS SameDay" <uuzuii77@openbusiness[.]com>
• "USPS Support Management" <elu18626710@brycewalther[.]com>
• "USPS Support" <fziffiy16116884@wave[.]com>
• "USPS Support" <kxetr33304212@ballstars[.]com[.]ve>
• "USPS TechConnect" <jux416547@apartment-18[.]com>
• "USPS TechConnect" <mtumazob025752@aquatek[.]co[.]kr>
• "USPS TechConnect" <onay60884831@bruningenterprises[.]com>
• "USPS TechConnect" <pojififu133@alidi[.]ru>
• "USPS TechConnect" <s484@villagio[.]com>

EXAMPLES OF SUBJECT LINES:

• ATTENTION REQUIRED: TROUBLE WITH YOUR ORDER
• AUTOMATED letter regarding your package's location
• AUTOMATED letter: moneyback information
• AUTOMATED notice regarding your order's location
• AUTOMATED notice: moneyback info
• AUTOMATED notification concerning your parcel's location
• AUTOMATED USPS EMAIL CONCERNING YOUR SHIPMENT
• AUTOMATED USPS letter: your shipment has been delayed
• AUTOMATIC statement in regards to your order's status
• AUTOMATIC USPS statement: your order has been postponed
• IMPORTANT: notice of delay of your shipment
• Major issues reported to the USPS customer support team
• Official letter from USPS
• Official notification from USPS
• OFFICIAL USPS MONEYBACK INFORMATION
• OFFICIAL USPS MONEYBACK INFORMATION REGARDING YOUR PACKAGE
• OFFICIAL USPS REFUND INFO IN REGARDS TO YOUR SHIPMENT
• PROMPT ACTION NEEDED: your parcel's been delayed
• PROMPT ATTENTION NEEDED: your shipment's been delayed
• PROMPT ATTENTION REQUIRED: your package's been delayed
• Serious issues reported to the USPS
• Serious trouble reported to the USPS
• URGENT USPS customer support notice
• URGENT USPS MONEYBACK INFORMATION
• URGENT USPS REFUND INFO CONCERNING YOUR ORDER
• URGENT USPS REFUND INFORMATION CONCERNING YOUR ORDER
• URGENT: notification of postponement of your parcel
• USPS OFFICIAL NOTIFICATION concerning your item
• USPS URGENT LETTER concerning your shipment
• USPS URGENT LETTER in regards to your parcel
• WARNING: INFORMATION ABOUT YOUR IMPENDING REFUND
• WARNING: ISSUES WITH YOUR SHIPMENT

 

TRAFFIC

Shown above:  Fake Word online site sends an executable file (Zeus Panda Banker).

 

Shown above:  Fake Word online site sends a zip archive containing a .js file (JavaScript to load Zeus Panda Banker, Kovter, and Miuref/Boaxxe).

 

Shown above:  Traffic from an infection where the fake Word online site sends an executable.

 

Shown above:  Alerts from an infection where the fake Word online site sends an executable.

 

Shown above:  Traffic from an infection where the fake Word online site sends a zipped .js file.

 

Shown above:  Alerts from an infection where the fake Word online site sends a zipped .js file.

 

LINKS FROM THE EMAILS:

• crashcourses-cornwall[.]co[.]uk - GET /khvuuaim/sitemap.html
• crashcourses-plymouth[.]co[.]uk - GET /wmxgawimh/sitemap.html
• drkizim[.]ru - GET /components/com_k2/views/latest/tmpl/sitemap.html
• leosrg[.]com - GET /sitemap.html
• printcroydon[.]co[.]uk - GET /sitemap.html
• restoranvolk[.]ru - GET /netcat/modules/routing/admin/views/sitemap.html
• www.esoterik-lenormand[.]com - GET /1efde54fea.html
• www.alokorkuevi[.]com - GET /wp-content/uploads/2017/04/5a71c8c436.html
• www.autocare[.]co[.]th - GET /e2162c5e1e.html
• www.blog.polishproperty[.]eu - GET /wp-content/e2162c5e1e.html
• www.btcoinc[.]com - GET /wp-content/uploads/5a71c8c436.html
• www.esoterik-lenormand[.]com - GET /1efde54fea.html
• www.gelateriapolo[.]it - GET /36d07a8583.html
• www.ichinose-flowershop[.]com - GET /89bd4f76cb.html
• www.mavimor[.]com - GET /b5374d/5c20b6e42a.html
• www.nacnpac[.]com - GET /viva/templates/dc8b4b6561.html
• www.nejatdelijan[.]ir - GET /images/29029a0e01.html
• www.ninusha[.]com - GET /ariogwzq/29029a0e01.html
• www.roscoesolutions[.]com - GET /wp-content/uploads/4be713567e.html

 

REDIRECTS LEADING TO FAKE WORD ONLINE PAGES:

• maildeliverys[.]com - GET /tds
• senddeliverys[.]com - GET /tds

 

FAKE WORD ONLINE PAGES AND MALWARE DOWNLOADS:

• answer-photo[.]com - GET /libraries/vendor/joomla/event/counter/1.htm
  answer-photo[.]com - GET /libraries/vendor/joomla/event/counter/plugin_office_update_KB093211.exe   - or -
  answer-photo[.]com - GET /libraries/vendor/joomla/event/counter/plugin_office_update_KB093211.zip

• bettermannow[.]com - GET /wp-content/counter/1.htm
  bettermannow[.]com - GET /wp-content/counter/plugin_office_update_KB093211.exe   - or -
  bettermannow[.]com - GET /wp-content/counter/plugin_office_update_KB093211.zip

• mattsfotoalbum[.]de - GET /cache/counter/1.htm
  mattsfotoalbum[.]de - GET /cache/counter/plugin_office_update_KB093211.exe   - or -
  mattsfotoalbum[.]de - GET /cache/counter/plugin_office_update_KB093211.zip

 

PARTIALS URLS FROM THE .JS FILES FOR ADDITIONAL MALWARE (AND PROBABLY OTHER FAKE WORD ONLINE SITES):

• answer-photo[.]com - GET /libraries/vendor/joomla/event/counter
• avtotur[.]com - GET /libraries/vendor/ircmaxell/password-compat/counter
• joelmaes[.]be - GET /administrator/components/com_cpanel/views/counter
• kerkhof-opgrimbie[.]be - GET /administrator/components/com_customfilters/models/counter
• krasnozerskoje[.]ru - GET /libraries/fof/less/counter
• metalmedal[.]hu - GET /administrator/components/com_finder/tables/counter
• miadmar[.]ro - GET /templates/beez5/html/com_content/counter
• muco-interieur[.]be - GET /administrator/components/com_linkr/tables/counter
• publieuropa[.]com - GET /libraries/rokcommon/Doctrine/Node/counter
• royalhotelgrenoble[.]com - GET /old/wp-content/themes/booster/counter

 

FILE HASHES

EXAMPLE OF ZIP ARCHIVE FROM FAKE WORD ONLINE SITE:

• SHA256 hash:  0a5961c48edac47106e410b325c416f8908624f6a14276b8a5a2a8eafd76bece
  File size:   6,254 bytes (contains a .js file and two other garbage files)
  File name:  plugin_office_update_KB093211.zip

 

EXTRACTED .JS FILE FROM THE ABOVE ZIP ARCHIVE:

• SHA256 hash:  62c29230858f51a827ed85f790f2505597c951a288b958d1f271d3d8fb876426
  File size:   1,549 bytes
  File name:  plugin_office_update_KB093211.js

 

EXAMPLES OF MALWARE DOWNLOADED BY THE EXTRACTED .JS FILE:

• SHA256 hash:  58860062c9844377987d22826eb17d9130dceaa7f0fa68ec9d44dfa435d6ded4
  File size:   372,736 bytes
  File name:  exe1.exe
  File description:  Zeus Panda Banker

• SHA256 hash:  c7448fbf0618c9e0eaa5c2787a01e316e28be81dff1d584d9c9ef62a47d4f393
  File size:   420,803 bytes
  File name:  exe2.exe
  File description:  Kovter

• SHA256 hash:  ce9b28f8c7fc544b188292014b3807f4d14257f0a3b850f5949450932c6e6484
  File size:   117,561 bytes
  File name:  exe3.exe
  File description:  Miuref/Boaxxe

 

EXAMPLE OF EXECUTABLE FROM FAKE WORD ONLINE SITE:

• SHA256 hash:  58860062c9844377987d22826eb17d9130dceaa7f0fa68ec9d44dfa435d6ded4
  File size:   372,736 bytes
  File name:  plugin_office_update_KB093211.exe
  File description:  Zeus Panda Banker (same hash as exe1.exe from the .js-based infection)

 

Click here to return to the main page.