2018-10-19 - MALSPAM USING LINKS FOR ZIPPED WINDOWS SHORTCUTS TO PUSH NYMAIM

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Email example: 2018-10-19-malspam-pushing-Nymaim-email-example.eml.zip   1.4 kB (1,352 bytes)

• 2018-10-19-malspam-pushing-Nymaim-email-example.eml   (2,172 bytes)

• Traffic: 2018-10-19-Nymaim-infection-traffic.pcap.zip   4.7 MB (4,698,275 bytes)

• 2018-10-19-Nymaim-infection-traffic.pcap   (5,651,077 bytes)

• Malware and artifacts: 2018-10-19-Nymaim-malware-and-artifacts.zip   5.3 MB (5,289,542 bytes)

• Resume.zip   (615 bytes)
• resume.lnk   (1,646 bytes)
• 1.hta.txt   (3,301 bytes)
• ProgramData/fbl/bubava.cbs   (975,688 bytes)
• ProgramData/fbl/ivwxurg.syn   (3,971 bytes)
• ProgramData/fbl/tqxzwp.sre   (1,748 bytes)
• ProgramData/unicode-52/unicode-60.exe   (977,920 bytes)
• Users/username/AppData/Local/isotope-46/isotope-5.exe   (1,097,728 bytes)
• Users/username/AppData/Local/Temp/cnkczp.nsc   (4,485 bytes)
• Users/username/AppData/Local/Temp/dwqrj.yxl   (2,166 bytes)
• Users/username/AppData/Local/Temp/ylsgo.yip   (974,596 bytes)
• Users/username/AppData/Roaming/KDqnaJXTf.exe   (1,409,024 bytes)
• Users/username/AppData/Roaming/shutdown-3/shutdown-42.exe   (1,138,688 bytes)

NOTES:

• This campaign has also been using password-protected Word docs to push Nymaim, much like this post I published on 2018-09-28.
• Thanks to @dvk01uk for his tweet about this most recent activity (link to tweet).
• Found 36 domains on 209.141.43[.]75 that all recirected to 185.162.130[.]150/vK6wGM to return the same malicious Resume.zip file.
• This happened when I checked using IE 11 from a Windows host, whether those domains were by themselves or part of a URL.

Shown above:  Flow chart for malspam-based Nymaim infections I've seen this month.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:

• 2019bracket[.]com
• 2069brackets[.]com
• activenavy[.]com
• adomesticworld[.]com
• allpurplehandling[.]com
• anilmoni[.]com
• answermanagementgroup[.]com
• antinomics[.]com
• bluestarpaymentsolutions[.]com
• boobfanclub[.]com
• borderlands3[.]com
• brickell100[.]com
• bubsware[.]com
• cactopelli[.]com
• careercoachingbusiness[.]com
• cclawsuit[.]com
• cgunited[.]com
• crosspeenpress[.]com
• crystalhotel[.]com
• dmknott[.]com
• docswitch[.]com
• expertsjourney[.]com
• farminginthefloodplain[.]com
• geziyurdu[.]com
• gloria-glowfish[.]com
• gnosmij[.]com
• gokceozagar[.]com
• greatwp[.]com
• ieltsonlinetest[.]com
• indiangirlsnude[.]com
• indicasativas[.]com
• inmotionframework[.]com
• internationalboardingandpetservicesassociation[.]com
• intimateimagery[.]com
• iptechnologysolutions[.]com
• iscanhome[.]com
• hxxp[:]//185.162.130[.]150/vK6wGM
• hxxp[:]//205.185.125[.]244/Resume.zip
• hxxp[:]//205.185.125[.]244/1.hta
• hxxp[:]//205.185.125[.]244/1.exe
• dehionsgbes[.]com

 

EMAILS

Shown above:  Screenshot on an email from this campaign.

 

EMAIL HEADERS IN TODAY'S EXAMPLE:

Received: from [176.119.6[.]23] ([176.119.6[.]23:58056] helo=toyztreasure.com)
        by [removed] (envelope-from <admin@toyztreasure[.]com>) [removed];
        Thu, 18 Oct 2018 17:15:42 -0400
Date: Thu, 18 Oct 2018 23:15:41 +0200
Subject: Job
Message-ID: <slxa2kf1m9a1oeou0z7szki3.1950423964464@toyztreasure[.]com>
From: Klara Mauger =?UTF-8?B?wqA=?= <admin@toyztreasure[.]com>
To: [removed]
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--_com.android.email_9958201417653"
Errors-To: <bouncechecker@yahoo.com>

 

Shown above:  Clicking link on one of the emails to download Resume.zip.

 

Shown above:  HTA file retrieved by the extracted Windows shortcut.

 

TRAFFIC

Shown above:  Infection traffic filtered in Wireshark.

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

• 209.141.43[.]75 port 80 - cclawsuit[.]com - GET /hiznbyrz   (301 Moved Permanently to next HTTP request)
• 185.162.130[.]150 port 80 - 185.162.130[.]150 - GET /vK6wGM   (302 Found at next HTTP request)
• 205.185.125[.]244 port 80 - 205.185.125[.]244 - GET /Resume.zip
• 205.185.125[.]244 port 80 - 205.185.125[.]244 - GET /1.hta
• 205.185.125[.]244 port 80 - 205.185.125[.]244 - GET /1.exe
• DNS queries for microsoft[.]com
• DNS queries for dehionsgbes[.]com
• 46.238.18[.]157 port 80 - carfax[.]com - POST /xfi7wapy/index.php
• 46.238.18[.]157 port 80 - zepter[.]com - POST /xfi7wapy/index.php
• 62.100.255[.]25 port 80 - carfax[.]com - POST /xfi7wapy/index.php
• 62.100.255[.]25 port 80 - zepter[.]com - POST /xfi7wapy/index.php
• 66.181.168[.]248 port 80 - zepter[.]com - POST /xfi7wapy/index.php
• 78.40.46[.]135 port 80 - carfax[.]com - POST /xfi7wapy/index.php
• 78.40.46[.]135 port 80 - zepter[.]com - POST /xfi7wapy/index.php
• 78.96.178[.]214 port 80 - carfax[.]com - POST /xfi7wapy/index.php
• 83.148.72[.]0 port 80 - carfax[.]com - POST /xfi7wapy/index.php
• 84.2.61[.]102 port 80 - carfax[.]com - POST /xfi7wapy/index.php
• 84.255.185[.]36 port 80 - zepter[.]com - POST /xfi7wapy/index.php
• 90.180.1[.]23 port 80 - carfax[.]com - POST /xfi7wapy/index.php
• 90.180.1[.]23 port 80 - zepter[.]com - POST /xfi7wapy/index.php
• 143.208.165.41 port 80 - carfax[.]com - POST /xfi7wapy/index.php
• 151.237.80[.]80 port 80 - carfax[.]com - POST /xfi7wapy/index.php
• 151.237.80[.]80 port 80 - zepter[.]com - POST /xfi7wapy/index.php
• 176.10.200[.]227 port 80 - carfax[.]com - POST /xfi7wapy/index.php
• 176.10.200[.]227 port 80 - zepter[.]com - POST /xfi7wapy/index.php
• 176.223.180[.]238 port 80 - carfax[.]com - POST /xfi7wapy/index.php
• 176.223.180[.]238 port 80 - zepter[.]com - POST /xfi7wapy/index.php
• 188.138.148[.]150 port 80 - carfax[.]com - POST /xfi7wapy/index.php
• 188.138.148[.]150 port 80 - zepter[.]com - POST /xfi7wapy/index.php
• 188.237.190[.]24 port 80 - zepter[.]com - POST /xfi7wapy/index.php
• 188.254.168[.]239 port 80 - carfax[.]com - POST /xfi7wapy/index.php
• 188.254.168[.]239 port 80 - zepter[.]com - POST /xfi7wapy/index.php
• 200.75.227[.]139 port 80 - carfax[.]com - POST /xfi7wapy/index.php
• 200.75.227[.]139 port 80 - zepter[.]com - POST /xfi7wapy/index.php
• 212.233.221[.]45 port 80 - carfax[.]com - POST /
• 212.233.221[.]45 port 80 - carfax[.]com - POST /xfi7wapy/index.php

• NOTE: carfax[.]com and zepter[.]com are legitimate domains that are being spoofed using IP addresses based on info returned by DNS queries to dehionsgbes[.]com.

 

OTHER DOMAINS ON 209.141.43[.]75 REDIRECTING TO PUSH RESUME.ZIP FILES:

• 2019bracket[.]com
• 2069brackets[.]com
• activenavy[.]com
• adomesticworld[.]com
• allpurplehandling[.]com
• anilmoni[.]com
• answermanagementgroup[.]com
• antinomics[.]com
• bluestarpaymentsolutions[.]com
• boobfanclub[.]com
• borderlands3[.]com
• brickell100[.]com
• bubsware[.]com
• cactopelli[.]com
• careercoachingbusiness[.]com
• cclawsuit[.]com
• cgunited[.]com
• crosspeenpress[.]com
• crystalhotel[.]com
• dmknott[.]com
• docswitch[.]com
• expertsjourney[.]com
• farminginthefloodplain[.]com
• geziyurdu[.]com
• gloria-glowfish[.]com
• gnosmij[.]com
• gokceozagar[.]com
• greatwp[.]com
• ieltsonlinetest[.]com
• indiangirlsnude[.]com
• indicasativas[.]com
• inmotionframework[.]com
• internationalboardingandpetservicesassociation[.]com
• intimateimagery[.]com
• iptechnologysolutions[.]com
• iscanhome[.]com

 

FILE HASHES

INITIAL MALWARE:

• SHA256 hash: 50803886bd331d37fe5478674fa10c776370f9d80b9cc0407005380bdb39cfdd
• File size: 615 bytes
• File location: hxxp[:]//205.185.125[.]244/Resume.zip
• File description: Downloaded zip archive from the email

• SHA256 hash: fe2d3eddf1d85e51cfa756045d43cb2ba78acd225678fae098cd897b459418a2
• File size: 1,646 bytes
• File name: resume.lnk
• File description: Extracted Windows shortcut file from the downloaded zip archive

• SHA256 hash: 613736e92cdd9b6e0a5c5ef33eaf1086e79d9c1893e886d0c44e837aa19ddacd
• File size: 3,301 bytes
• File location: hxxp[:]//205.185.125[.]244/1.hta
• File description: HTML application (HTA) file retreived by Windows shortcut

• SHA256 hash: a66e0424fad62be500309e95ecd837d327b312910ed5421fb3e3b81838aea059
• File size: 1,409,024 bytes
• File location: hxxp[:]//205.185.125[.]244/1.exe
• File location: C:\Users\[username]\AppData\Roaming\KDqnaJXTf.exe
• File description: Nymaim malware retrieved by the HTA file

 

NYMAIM FOLLOW-UP BINARIES:

• SHA256 hash: b07fdc4ef1bb362b116eb41237ce5a6018427bfeb7d30f15ff26df24916a0342
• File size: 1,097,728 bytes
• File location: C:\Users\[username]\AppData\Local\isotope-46\isotope-5.exe
• Sssociated registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• Value name: isotope-30
• Value Tyep: REG_SZ
• Value Data: C:\Users\[username]\AppData\Local\isotope-46\isotope-5.exe -8

• SHA256 hash: 959108510fdee1bc69a55a1df56b2a2f79812bb4f2a59c0baf25187add6b3e85
• File size: 977,920 bytes
• File location: C:\ProgramData\unicode-52\unicode-60.exe
• Sssociated registry key: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
• Value name: shell
• Value Tyep: REG_SZ
• Value Data: C:\ProgramData\unicode-52\unicode-60.exe -2, explorer.exe

• SHA256 hash: 99e5617ea246cc66f82cc3fdb480d11d705e76c91a64b81aa89a36bcdc5f07ca
• File size: 1,138,688 bytes
• File location: C:\Users\[username]\AppData\Roaming\shutdown-3\shutdown-42.exe
• Sssociated shortcut: C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shutdown-68.lnk
• Shortcut link: C:\Users\[username]\AppData\Roaming\shutdown-3\shutdown-42.exe -f7

• NOTE:  Names and directory paths for the Nymaim follow-up binaries are diffrent for each infection.

 

Click here to return to the main page.