2018-03-05 - BOLETO MESTRE CAMPAIGN
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the email: 2018-03-05-Boleto-Mestre-malspam-1549-UTC.eml.zip 56.9 kB (56,910 bytes)
- Zip archive of the infection traffic: 2018-03-05-Boleto-Mestre-infection-traffic.pcap.zip 2.6 MB (2,599,836 bytes)
- Zip archive of the PDF attachment and downloaded VBS file: 2018-03-05-Boleto-Mestre-PDF-attachment-and-downloaded-VBS-file.zip 56.7 kB (56,737 bytes)
- Zip archive of the associated malware and artifacts: 2018-03-05-malware-from-Boleto-Mestre-infection.zip 3.7 MB (3,703,033 bytes)
NOTES:
- This is a long-running campaign I first documented in the Summer of 2016.
- To better understand today's data, see my Unit 42 blog from December 2017 titled, Master Channel: The Boleto Mestre Campaign Targets Brazil.
- I haven't personally run across it for a few months, but it's definitely been active since I last wrote about it.
- Domain names and IP addresses have changed since then, but otherwise, the activity patterns remain the same.
Shown above: Updated flowchart based on the original Unit 42 blog.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- bp5zihoz.uqokc7hovdk4pg19wxnwcmtjejjzeumo[.]site
- envioautomatico.evnvlr8mr7k2etbyklxslegdimv8kj1e[.]site
- hxxps[:]//www.sendspace[.]com/pro/dl/ik96f7
- hxxp[:]//65.181.125[.]161/2018a/aw7.tiff
- hxxp[:]//65.181.125[.]161/2018a/w7.zip
- hxxp[:]//65.181.125[.]161/2018a/dll.dll
- www.b3llavit4[.]top
- ssl.topzer4[.]top
EMAILS
Shown above: Screenshot from the email.
EMAIL INFO:
- Received: from envioautomatico[.]site ([217.61.98[.]150])
- Date: Mon, 5 Mar 2018 16:49:29 +0100 (CET)
- Message-ID: <20180305155642.E509A6F698@envioautomatico[.]site>
- From: Boleto [recipient's name] <sender@envioautomatico[.]site>
- Subject: Entrega de Boleto - URGENTE - [recipient's name]
- Attachment name: 050320180000000007674121136183718811.pdf
- Link in the email: hxxp[:]//bp5zihoz.uqokc7hovdk4pg19wxnwcmtjejjzeumo[.]site/X5xoOB.php?X5xoOB=bp5ZihOZ[recipient's name]
Shown above: The PDF attachment and its link for the VBS file.
TRAFFIC
Shown above: Infection traffic filtered in Wireshark.
TRAFFIC TO DOWNLOAD THE INITIAL VBS FILE FROM LINK IN THE EMAIL:
- 65.181.125[.]162 port 80 - bp5zihoz.uqokc7hovdk4pg19wxnwcmtjejjzeumo[.]site - GET /X5xoOB.php?X5xoOB=bp5ZihOZ[recipient's name]
- port 443 - www.sendspace[.]com - GET /pro/dl/ik96f7
- port 443 - fs05n5.sendspace[.]com - Final HTTPS request to retrieve the initial VBS file
POST-INFECTION TRAFFIC AFTER RUNNING THE VBS FILE:
- 65.181.125[.]161 port 80 - 65.181.125[.]161 - GET /2018a/aw7.tiff
- 65.181.125[.]161 port 80 - 65.181.125[.]161 - GET /2018a/dll.dll
- 65.181.125[.]161 port 80 - www.b3llavit4[.]top - GET /avs/index.php?[various info for the infected Windows host]
- 65.181.125[.]161 port 80 - www.b3llavit4[.]top - GET /2018/index.php?[info for the IRC channel]
- 65.181.113[.]87 port 443 - ssl.topzer4[.]top - unencrypted IRC traffic
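The indicators above are only useful if they are actually checked against your own traffic logs. The following Python script is an added example, not part of the original page or the infection artifacts: it matches whitespace-separated connection records (ts, source IP, destination IP, destination port, host, URI) against the domains, URLs and IP addresses listed on this page, and separately flags a known C2 address on port 443, since the IRC channel here is plain text on that port rather than HTTPS. The log format, the sample records, and the regular expression for "short random label under a long random label in .site" are my assumptions and constructed inputs; the indicator values themselves are transcribed from this page with the defanging brackets removed.

```python
import re

# --- Network indicators transcribed from this page (defanging removed) ---
BLOCKED_DOMAINS = {
    "bp5zihoz.uqokc7hovdk4pg19wxnwcmtjejjzeumo.site",
    "envioautomatico.evnvlr8mr7k2etbyklxslegdimv8kj1e.site",
    "www.b3llavit4.top",
    "ssl.topzer4.top",
}
# (host, path) pairs; the path is compared without any query string.
BLOCKED_URLS = {
    ("www.sendspace.com", "/pro/dl/ik96f7"),
    ("65.181.125.161", "/2018a/aw7.tiff"),
    ("65.181.125.161", "/2018a/w7.zip"),
    ("65.181.125.161", "/2018a/dll.dll"),
}
C2_IPS = {"65.181.125.161", "65.181.125.162", "65.181.113.87"}

# Heuristic (my assumption, not from the page): the campaign's mailer and
# redirector hosts are a short label under a ~32-character random label in
# the .site TLD, so catch new hosts of that shape even if the name changes.
RANDOM_SITE_RE = re.compile(r"^[a-z0-9]{4,16}\.[a-z0-9]{28,40}\.site$")


def check_record(dst, dport, host, uri):
    """Return the list of reasons a single connection record matches."""
    reasons = []
    host = host.lower()
    path = uri.split("?", 1)[0]
    if host in BLOCKED_DOMAINS:
        reasons.append("blocked-domain")
    elif RANDOM_SITE_RE.match(host):
        reasons.append("random-.site-host")
    if (host, path) in BLOCKED_URLS:
        reasons.append("blocked-url")
    if dst in C2_IPS:
        reasons.append("c2-ip")
        # The page notes the IRC channel is unencrypted on 443: flag it on
        # its own so it is not dismissed as ordinary HTTPS.
        if dport == 443:
            reasons.append("irc-on-443")
    return reasons


def scan_log(text):
    """Parse records of the form: ts src dst dport host uri.

    Returns [(line_number, reasons)] for every record with at least one hit.
    Lines that are empty or start with '#' are skipped.
    """
    hits = []
    for n, line in enumerate(text.strip().splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, host, uri = line.split()
        reasons = check_record(dst, int(dport), host, uri)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample log (not a real capture). Lines 1-4 mirror the traffic
# described on this page; line 5 is benign; line 6 is a hypothetical new host
# that only the shape heuristic would catch.
SAMPLE_LOG = """
1520266170 10.0.0.5 65.181.125.162 80 bp5zihoz.uqokc7hovdk4pg19wxnwcmtjejjzeumo.site /X5xoOB.php?X5xoOB=bp5ZihOZvictim
1520266181 10.0.0.5 65.181.125.161 80 65.181.125.161 /2018a/aw7.tiff
1520266192 10.0.0.5 65.181.125.161 80 www.b3llavit4.top /avs/index.php?os=win7
1520266203 10.0.0.5 65.181.113.87 443 - -
1520266214 10.0.0.5 198.51.100.7 80 intranet.example /index.html
1520266225 10.0.0.5 203.0.113.9 80 q7lm2x9a.k9q2m7x1p4w8z3c6v0b5n2h7j1l4r8t3.site /go.php?id=1
"""

if __name__ == "__main__":
    for line_no, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(reasons)}")
```

To use this against real data, export the equivalent columns from your proxy or Zeek logs into the same six-field layout (or adapt `scan_log` to your format); the `check_record` function is the part worth keeping. The shape heuristic will produce false positives on some legitimate CDN-style hostnames, so treat `random-.site-host` as a lead to review rather than a block decision.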
FILE HASHES
MALWARE ASSOCIATED WITH THIS INFECTION:
- SHA256 hash: 52ff0ac4bc5a92fdba5d38d00fed589043cee0f4dd43faadc8baec3f2f71ca79
File size: 58,537 bytes
File name: 050320180000000007674121136183718811.pdf
File description: PDF attachment from the malspam
- SHA256 hash: 26744818ed3607f8a0f8b2cd7c6d9fb2c666560240ee8d6b3b3f0dc10a54c270
File size: 22,574 bytes
File name: 50320180000000007674121136183718811.vbs
File description: Downloaded VBS file after clicking the link in the email or the PDF attachment
NOTES:
- There are several other artifacts in the malware archive; however, these are either
1) legitimate system files being used for malicious purposes or
2) script-based files that can easily change with each infection.
- See today's malware archive for more items.
IMAGES
Shown above: Same type of IRC botnet traffic that we saw last year, just on a different domain now.