2018-01-16 - ZEUS PANDA BANKER INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2018-01-16-Zeus-Panda-Banker-infection-traffic.pcap.zip 1.9 MB (1,872,064 bytes)
- 2018-01-16-Zeus-Panda-Banker-infection-traffic.pcap (2,007,479 bytes)
- 2018-01-16-malspam-and-malware-from-Zeus-Panda-Banker-infection.zip 222.0 kB (222,012 bytes)
- 2018-01-16-Zeus-Panda-Banker-binary.exe (12,832 bytes)
- 2018-01-16-malspam-pushing-Zeus-Panda-Banker-1253-UTC.eml (122,290 bytes)
- 2018-01-18-malspam-attachment-gennaio_sales.xls (88,576 bytes)
NOTES:
- The actual infection traffic is all HTTPS for this one.
- Others like @JAMESWT_MHT have run across it, too (link).
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains:
- flavosoftorrent[.]ml
- 7AB7F6AE8747[.]tk
Shown above: Screenshot of the email.
EMAIL INFORMATION:
- Date: Tuesday, 2018-01-16 at 12:53 UTC
- Subject: bonifico gennaio
- From: srlsindaco.comune.casalvieri@tiscali[.]it
- Message-ID: <137601.616040.266526.JavaMail.email@nwhukpkg.bqggltg.fastwebnet[.]it>
- Attachment name: gennaio_sales.xls
Shown above: The email attachment with the malicious macro. Macros need to be enabled to start this infection chain.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: HTTPS URLs from the infection as seen in Fiddler web debugger.
INFECTION TRAFFIC:
- 89.18.27[.]170 port 443 (HTTPS) - flavosoftorrent[.]ml - GET /ffplug
- 137.74.150[.]217 port 443 (HTTPS) - 7AB7F6AE8747[.]tk - POST /Fy/582D_gxoDcj/5aHF/RIJ-btA
- 137.74.150[.]217 port 443 (HTTPS) - 7AB7F6AE8747[.]tk - POST /GQ3rOvt4/5uX29QVnP4X4/QA/RaKZ/C/p/-/Q/
- 137.74.150[.]217 port 443 (HTTPS) - 7AB7F6AE8747[.]tk - POST /dYtDSQa8l1/xe2xwxl/AKonTIFN/x/EqKOnA/
- 137.74.150[.]217 port 443 (HTTPS) - 7AB7F6AE8747[.]tk - POST /vKQ/1_-/U8QFA/Pf/ruZ3x5EK2Muw/
- 137.74.150[.]217 port 443 (HTTPS) - 7AB7F6AE8747[.]tk - POST /cvaWS/wsKk0Bl/y/PdDoQlR/e/B7GO/rg
- 137.74.150[.]217 port 443 (HTTPS) - 7AB7F6AE8747[.]tk - POST /ESYPk/5/Oec1/yF/UG/Ojve/nJ7P7a2iA
- 137.74.150[.]217 port 443 (HTTPS) - 7AB7F6AE8747[.]tk - POST /t5XiGO/1YGd7g1/eP/4Tn/eH/BnE/tO/F/pA
- 137.74.150[.]217 port 443 (HTTPS) - 7AB7F6AE8747[.]tk - POST /B7AtblevN1/4/4OE/8y/h9/Lsfx/IHU/fJ5K_oQ/
- 137.74.150[.]217 port 443 (HTTPS) - 7AB7F6AE8747[.]tk - POST /ZqSKWoceWX/-8WWzB1-KNT/oSW1ZNa2Kog/
- 137.74.150[.]217 port 443 (HTTPS) - 7AB7F6AE8747[.]tk - POST /Cy7vIhLA/4s/3/y8Q/N/5B/_D8aABeL/4/6RjA
- 137.74.150[.]217 port 443 (HTTPS) - 7AB7F6AE8747[.]tk - POST /mMU/zPm/Q6gdE/JvzqfHp9C6/uIoA
- 137.74.150[.]217 port 443 (HTTPS) - 7AB7F6AE8747[.]tk - POST /0C/k/ff1xHp/Se/_KPUgdrVqXtjg
- 137.74.150[.]217 port 443 (HTTPS) - 7AB7F6AE8747[.]tk - POST /xVNwRykMB/2/e/KL8B/hoIP/z9a/WFmEbSkpg
- 137.74.150[.]217 port 443 (HTTPS) - 7AB7F6AE8747[.]tk - POST /v6eTnoSqr/14/Kg0yR-GMDNZwFNMoiyng
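Because every request in this infection is HTTPS, the POST paths listed above are not visible on the wire; a network defender can only key on the TLS SNI, the resolved domain, or the destination IP. The script below is an added example (not from this page or its author): it refangs the two suggested block-list domains and the two IPs from the traffic list, then checks them against a few constructed Zeek-style connection lines (timestamp, destination IP, port, SNI; a hypothetical format) so that a line with an SNI match, or with no SNI but a known destination IP, is flagged.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators as published on this page, still defanged.
DEFANGED_DOMAINS = ["flavosoftorrent[.]ml", "7AB7F6AE8747[.]tk"]
DEFANGED_IPS = ["89.18.27[.]170", "137.74.150[.]217"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxps[:]//') back into its real form."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def build_blocklist(domains, ips):
    """Lower-case the domains and validate the IPs so the sets can feed a DNS RPZ or proxy deny rule."""
    doms = {refang(d).lower() for d in domains}
    addrs = {ipaddress.ip_address(refang(i)) for i in ips}
    return doms, addrs


@dataclass
class Hit:
    line_no: int
    matched: str
    reason: str  # "sni" or "dst_ip"


# Constructed sample log (hypothetical format, not taken from the page):
# "ts dst_ip dst_port server_name", with "-" when no SNI was seen.
SAMPLE_LOG = """\
1516107181.1 93.184.216.34 443 example.com
1516107182.4 89.18.27.170 443 flavosoftorrent.ml
1516107190.7 137.74.150.217 443 7ab7f6ae8747.tk
1516107191.0 10.0.0.5 443 -
1516107195.2 137.74.150.217 443 -
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<sni>\S+)$")


def scan_log(text: str, domains, ips):
    """Flag lines whose TLS SNI (or a subdomain of it) or destination IP is on the block list."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on a noisy log
        sni = m["sni"].lower()
        ip = ipaddress.ip_address(m["ip"])
        if sni != "-" and (sni in domains or any(sni.endswith("." + d) for d in domains)):
            hits.append(Hit(n, sni, "sni"))
        elif ip in ips:
            # No usable SNI (e.g. TLS 1.3 with ESNI, or a raw IP connection): fall back to the IP.
            hits.append(Hit(n, str(ip), "dst_ip"))
    return hits


if __name__ == "__main__":
    doms, addrs = build_blocklist(DEFANGED_DOMAINS, DEFANGED_IPS)
    for h in scan_log(SAMPLE_LOG, doms, addrs):
        print(f"line {h.line_no}: {h.reason} match on {h.matched}")
```

Matching on the IP alone is the weaker signal: the second IP above is a hosting address that may be shared by unrelated sites, so an IP-only hit is best treated as a lead to pivot on (DNS logs, certificate, endpoint telemetry) rather than a confirmed infection.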
MALWARE
EMAIL ATTACHMENT:
- SHA256 hash: 6dbc95b9f11dd56f557f7912fe89c71c03b2f22d52b7884a6a290f898f9b8cba
  File size: 88,576 bytes
  File name: gennaio_sales.xls
  File description: Microsoft Excel document with malicious macro to install Zeus Panda Banker
FOLLOW-UP MALWARE:
- SHA256 hash: 3b2cc469e27aca58abc43a3eaa94dab4bee615c29f7995814e0b0a3d238f5408
  File size: 312,832 bytes
  File location: hxxps[:]//flavosoftorrent[.]ml/ffplug
  File location: C:\Users\[username]\AppData\Local\Temp.exe
  File location: C:\Users\[username]\AppData\Roaming\[existing directory path]\[random name].exe
  File description: Zeus Panda Banker
IMAGES
Shown above: Alerts from Sguil in Security Onion using Suricata and the
Shown above: Some alerts on the infection traffic from the Snort subscriber ruleset when reading the pcap with Snort 2.9.11.
Shown above: Registry key and associated malware persistent on an infected Windows host.
Shown above: Another example of the malware persistent on an infected Windows host.