2018-04-09 - GRANDSOFT EK SENDS ZEUS PANDA BANKER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the infection traffic:  2018-04-09-Grandsoft-EK-sends-Zeus-Panda-Banker.pcap.zip   705 kB (704,998 bytes)

• 2018-04-09-Grandsoft-EK-sends-Zeus-Panda-Banker.pcap   845 kB (845,141 bytes)

Zip archive of the malware & artifacts:  2018-04-09-Grandsoft-EK-malware-and-artifacts.zip   276 kB (275,618 bytes)

• 2018-04-09-Grandsoft-EK-part-1-landing-page.txt   0.5 kB (530 bytes)
• 2018-04-09-Grandsoft-EK-part-2.txt   12.7 kB (12,685 bytes)
• 2018-04-09-Grandsoft-EK-part-3-dwie.hta.txt   8.0 kB (8,002 bytes)
• 2018-04-09-Grandsoft-EK-part-4-malware-payload-Zeus-Panda-Banker.exe   290 kB (290,304 bytes)

NOTES:

• Earlier today, this same campaign was using Rig exploit kit (EK) to push Gandcrab ransomware.  When I tried it, I got Grandsoft EK pushing Zeus Panda Banker.
• The domain I used to kick off this infection chain was originally reported earlier today by @Zerophage1337 on the Zerophage blog at:

• 2018-04-09 - Rig EK drops GandCrab Ransomware Via CVE-2018-4878.

• Didn't see any Flash files in this EK traffic, so I don't think today's example of Grandsoft EK used CVE-2018-4878.
• Of note, today's Grandsoft EK is using the same IP address as my previous blog about it last month on 2018-03-15.

Shown above:  Grandsoft doesn't seem to be a very "hard" exploit kit.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:

• biginvestprofit[.]online
• tech-bitcoin[.]com
• wxmoney[.]xyz
• ocoins[.]xyz
• leaked.cellular.coordinatorghshootingsnone[.]xyz
• hillaryzell[.]xyz

 

TRAFFIC

Shown above:  Infection traffic filtered in Wireshark.

 

Shown above:  Alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.

 

TRAFFIC LEADING TO GRANDSOFT EK:

• 5.135.234[.]116 port 80 - biginvestprofit[.]online - GET /
• 190.115.21[.]3 port 443 - tech-bitcoin[.]com - HTTPS traffic
• 212.237.12[.]253 port 80 - wxmoney[.]xyz - GET /fff/api/flap
• port 80 - google.com - POST /logs/fff
• 212.237.12[.]253 port 80 - ocoins[.]xyz - GET /rrr/api/3610c5abeaf931921f3c6be88229a7c3

GRANDSOFT EK:

• 62.109.4[.]135 port 80 - leaked.cellular.coordinatorghshootingsnone[.]xyz - GET /discoveriesstreaming
• 62.109.4[.]135 port 80 - leaked.cellular.coordinatorghshootingsnone[.]xyz - GET /getversionpd/1/2/3/4
• 62.109.4[.]135 port 80 - leaked.cellular.coordinatorghshootingsnone[.]xyz - GET /dwie.hta
• 62.109.4[.]135 port 80 - leaked.cellular.coordinatorghshootingsnone[.]xyz - GET /2/1280
• 62.109.4[.]135 port 80 - leaked.cellular.coordinatorghshootingsnone[.]xyz - GET /favicon.ico
• 62.109.4[.]135 port 80 - leaked.cellular.coordinatorghshootingsnone[.]xyz - GET /dwie.hta
• 62.109.4[.]135 port 80 - leaked.cellular.coordinatorghshootingsnone[.]xyz - GET /5/7922

POST-INFECTION TRAFFIC FROM ZEUS PANDA BANKER:

• DNS query for hillaryzell[.]xyz - resolved to 194.85.61[.]76 and 109.70.26[.]37
• 194.85.61[.]76 port 443 attempted TCP connections, no response from server
• 109.70.26[.]37 port 443 attempted TCP connections, no response from server

 

FILE HASHES

MALWARE PAYLOAD - ZEUS PANDA BANKER:

• SHA256 hash:  840fb3a5cf86246ce69eab1ee5228b4309470320e1f06f6f37c91dec22bdb611
  File size:  290,304 bytes
  File description:  GrandSoft EK payload: Zeus Panda Banker

Shown above:  Zeus Panda Banker made persistent on an infected Windows host.

 

Click here to return to the main page.