2018-02-08 - RETURN OF QUANT LOADER: MALSPAM USING PDF FILES TRIES A NEW TACTIC
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the pcaps: 2018-02-08-Quant-Loader-infection-2-pcaps.zip 598.3 kB (598,333 bytes)
- 2018-02-08-Quant-Loader-infection-1st-run.pcap (548,205 bytes) - Windows 7 host
- 2018-02-08-Quant-Loader-infection-2nd-run.pcap (505,636 bytes) - Windows 10 host
- Zip archive of the emails and malware: 2018-02-08-Quant-Loader-emails-and-malware.zip 290.3 kB (290,345 bytes)
- 08.02.2018.doc (188,928 bytes)
- 08.02.2018_251910.pdf (17,207 bytes)
- 08.02.2018_7719830.pdf (17,175 bytes)
- 2018-02-08-malspam-1454-UTC.eml (1,329 bytes)
- 2018-02-08-malspam-1517-UTC.eml (1,338 bytes)
- rozabich8.exe (231,688 bytes)
NOTES:
- This blog post represents a continuation of malspam based on this ISC diary I wrote yesterday.
- Today, this campaign is using links in the emails to PDF files hosted on Google Drive, instead of attaching the PDF files directly to the emails like before.
- There's also an added step at the end of the chain: the Word macro installed Quant Loader, and Quant Loader should've retrieved a final payload.
- Yesterday, the payload was GandCrab ransomware. Before that, it was Dridex.
- I figure the final payload today should've been either Dridex or more GandCrab ransomware.
- If I'm reading the post-infection traffic right, Quant Loader is now at version 1.61.
Shown above: Flow chart of today's events.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- hxxps[:]//drive.google[.]com/uc?export=download&confirm=no_antivirus&id=1EmxYn6VbGv2Wo7_NsPYzToW4cJl5cBGg
- hxxps[:]//drive.google[.]com/uc?export=download&confirm=no_antivirus&id=1RmYl0txR26lL0d_AUr47d5jEHFXtrlfI
- hinenreb[.]com
- pertalted[.]com
- myothow[.]com
- fortresmuch[.]com
EMAILS
Shown above: Screenshot of an email (1 of 2).
Shown above: Screenshot of an email (2 of 2).
MALSPAM INFO FROM TWO EMAILS:
- Date: Thursday, 2018-02-08 at 14:54 UTC
- Subject: Emailing: SCAN_0802_2D8628369
- Message-ID: <228F3AEB.FA6CEC90@gmail[.]com>
- From: "Pete" <Rocky76214887lime@gmail[.]com>
- Link: hxxps[:]//drive.google[.]com/uc?export=download&confirm=no_antivirus&id=1EmxYn6VbGv2Wo7_NsPYzToW4cJl5cBGg
- Date: Thursday, 2018-02-08 at 15:17 UTC
- Subject: Emailing: SCAN_0802_CDD519818
- Message-ID: <E61E1F99.C54C70C6@gmail[.]com>
- From: "Jadegrizzle" <Gwendolyn7244624000f@gmail[.]com>
- Link: hxxps[:]//drive.google[.]com/uc?export=download&confirm=no_antivirus&id=1RmYl0txR26lL0d_AUr47d5jEHFXtrlfI
Shown above: Link from the email.
Shown above: The downloaded PDF file.
Shown above: The downloaded Word document; you have to bypass protected mode.
Shown above: Then you have to enable macros to get infected.
TRAFFIC
Shown above: Infection traffic from the Windows 10 host filtered in Wireshark.
Shown above: Alerts from Sguil on the infection traffic in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.
TRAFFIC AFTER DOWNLOADING PDF FILE FROM GOOGLE DRIVE:
- 119.28.111[.]49 port 80 - hinenreb[.]com - GET /docs/08.02.2018.doc
- 119.28.111[.]49 port 80 - pertalted[.]com - GET /p66/yutg5
- 119.28.111[.]49 port 80 - myothow[.]com - GET /q2/index.php?id=[8 digits]&c=1&mk=75490e&il=H&vr=1.61&bt=64
- 119.28.111[.]49 port 80 - fortresmuch[.]com - GET /q2/index.php?id=[8 digits]&c=1&mk=75490e&il=H&vr=1.61&bt=64
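As an added example (not code from the original post), a small Python checker that reads request lines in the same format as the traffic list above and flags the Quant Loader check-in pattern (/q2/index.php with the id, c, mk, il, vr and bt parameters), reporting the host and the version carried in vr=. The 8-digit id values and the last sample line are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Added example: flag Quant Loader check-in requests in lines formatted
# like the TRAFFIC list above ("<ip> port <port> - <host> - GET <path>").
LINE_RE = re.compile(
    r"^(?P<ip>[\d.\[\]]+) port (?P<port>\d+) - (?P<host>\S+) - GET (?P<path>\S+)$"
)
# Query parameters seen in the check-in URLs above; id is 8 digits.
CHECKIN_KEYS = {"id", "c", "mk", "il", "vr", "bt"}

def parse_line(line):
    """Split one log line into ip/port/host/path, un-defanging [.] on the way."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ip"] = d["ip"].replace("[.]", ".")
    d["host"] = d["host"].replace("[.]", ".")
    return d

def is_quant_checkin(path):
    """True when the path looks like the Quant Loader /q2/index.php check-in."""
    parts = urlsplit(path)
    if not parts.path.endswith("/index.php"):
        return False
    qs = parse_qs(parts.query)
    if not CHECKIN_KEYS.issubset(qs):
        return False
    return bool(re.fullmatch(r"\d{8}", qs["id"][0]))

def find_checkins(lines):
    """Return (host, version) for every line that looks like a check-in."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_quant_checkin(rec["path"]):
            version = parse_qs(urlsplit(rec["path"]).query)["vr"][0]
            hits.append((rec["host"], version))
    return hits

# Constructed sample lines in the format of the post's traffic list.
SAMPLE_LOG = [
    "119.28.111[.]49 port 80 - hinenreb[.]com - GET /docs/08.02.2018.doc",
    "119.28.111[.]49 port 80 - pertalted[.]com - GET /p66/yutg5",
    "119.28.111[.]49 port 80 - myothow[.]com - GET /q2/index.php?id=12345678&c=1&mk=75490e&il=H&vr=1.61&bt=64",
    "119.28.111[.]49 port 80 - fortresmuch[.]com - GET /q2/index.php?id=87654321&c=1&mk=75490e&il=H&vr=1.61&bt=64",
    "10.0.0[.]5 port 80 - example[.]test - GET /q2/index.php?id=abc&c=1",
]

if __name__ == "__main__":
    for host, ver in find_checkins(SAMPLE_LOG):
        print(f"Quant Loader v{ver} check-in to {host}")
```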
MALWARE
PDF FILES FROM GOOGLE DRIVE LINKS IN THE EMAILS:
- SHA256 hash: 9eb58a022870a50b9a73cb3d8a694aebe854d5a1fbe96c5bd39713f264bdff1e
File size: 17,207 bytes
File name: 08.02.2018_251910.pdf
File location: hxxps[:]//drive.google[.]com/uc?export=download&confirm=no_antivirus&id=1EmxYn6VbGv2Wo7_NsPYzToW4cJl5cBGg
- SHA256 hash: a827463e2afb610b2646e3b352eb3b73d7c5326bd1939a452c1a7aa9ed8ba6d5
File size: 17,175 bytes
File name: 08.02.2018_7719830.pdf
File location: hxxps[:]//drive.google[.]com/uc?export=download&confirm=no_antivirus&id=1RmYl0txR26lL0d_AUr47d5jEHFXtrlfI
DOWNLOADED WORD DOCUMENT LINKED FROM PDF FILES:
- SHA256 hash: 41412224883362c677fc683f855ea8c96a5787b863665b609c6f7207f058e67c
File size: 188,928 bytes
File name: 08.02.2018.doc
File location: C:\Users\[username]\AppData\Local\Temp\rozabich8.exe
File location: C:\Users\[username]\AppData\Roaming\[random digits]\dwm.exe
QUANT LOADER RETRIEVED BY WORD DOCUMENT MACRO:
- SHA256 hash: 565f882d1cf9af2cbbd0dec4b6de027f56081debcf489915dfcfeb680ef5a78a
File size: 231,688 bytes
File location: C:\Users\[username]\AppData\Local\Temp\rozabich8.exe
File location: C:\Users\[username]\AppData\Roaming\[random digits]\dwm.exe
POST-INFECTION FORENSICS
Shown above: Quant Loader executable retrieved by the Word document macro.
Shown above: Registry key and location of Quant Loader for persistence on the infected Windows 10 host.