2018-04-18 - ITALIAN INVOICE (FATTURA) MALSPAM PUSHES ZEUS PANDA BANKER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the emails:  2018-04-18-Fattura-malspam-2-examples.zip   56 kB (55,504 bytes)

• 2018-04-18-Fattura-malspam-1228-UTC.eml   (86,814 bytes)
• 2018-04-18-Fattura-malspam-1232-UTC.eml   (87,042 bytes)

• Zip archive of the traffic:  2018-04-18-Fattura-malspam-pushes-Zeus-Panda-Banker-infection-traffic.pcap.zip   2.5 MB (2,504,002 bytes)

• 2018-04-18-Fattura-malspam-pushes-Zeus-Panda-Banker-infection-traffic.pcap   (2,696,677 bytes)

• Zip archive of the malware:  2018-04-18-Fattura-xls-files-and-malware.zip   260 kB (259,602 bytes)

• 2018-04-18-Zeus-Panda-Banker-caused-by-Fattura-malspam.exe   (225,792 bytes)
• Fatture_582_2018.xls   (61,440 bytes)
• Fatture_813_2018.xls   (61,440 bytes)

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:

• librores[.]press
• CA452A2DC910[.]ga

 

EMAILS

Shown above:  Screenshot from one of the emails (1 of 2).

 

Shown above:  Screenshot from one of the emails (2 of 2).

 

EMAIL HEADERS:

• Date/Time:  Wednesday 2018-04-18 as early as 12:28 UTC through at least 12:32 UTC

• Received: from modemtelecom.homenet.telecomitalia[.]it ([79.7.176[.]132])
• Received: from res-59532d.ppp.twt[.]it ([217.61.160[.]30])

• From (spoofed): " <francesco.bettasrl@tin[.]it>
• From (spoofed): " <ghidinipietroboscocommerciale@hotmail[.]it>

• Subject: Invio Fattura
• Subject: Fattura service

 

Shown above:  Malicious Excel spreadsheet attached to the malspam.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

• 46.19.143[.]72 port 443 - librores[.]press - GET /symte   (Powershell retrieves Zeus Panda Banker binary over HTTPS)
• 191.101.180[.]78 port 80 - CA452A2DC910[.]ga - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker

 

FILE HASHES

EMAIL ATTACHMENTS:

• SHA256 hash:  2eecef6f124f190aae4c5552a4da888de07e293dab87d5ae119ef4fca02e24d2
  File size:  61,440 bytes
  File name:  Fatture_582_2018.xls
  File description:  Excel spreadsheet with macro that retreives Zeus Panda Banker

• SHA256 hash:  f7ca0d00fc2d128df124e7fe10d0d3623639c83ec88beede888859576c0faf70
  File size:  61,440 bytes
  File name:  Fatture_813_2018.xls
  File description:  Excel spreadsheet with macro that retreives Zeus Panda Banker

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

• SHA256 hash:  a2a6c7555df39be1025b476a8de5eb42e96e8846bcb316e74ab6d4ae7f0cb5ee
  File size:  185,344 bytes
  File location:  C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
  File description:  Zeus Panda Banker

 

Click here to return to the main page.