Last Updated: 2018-07-28 03:20:35 UTC
by Rick Wanner (Version: 1)
With the latest Sextortion campaign still in the wild, a couple of us at the ISC decided to try to follow the money. Starting very early in the campaign, we started collecting Bitcoin addresses from the sextortion emails and, using the blockchain.com API Didier used in his diary, all it took was a simple script to be able to monitor payments coming into the BTC addresses associated with this campaign. Initially I was just interested in how long after the campaign began would the bad guys move the money out of these addresses, but it soon became obvious there was much more to be gleaned from this data.
Within a couple of days, we were able to cobble together nearly 20 BTC addresses to monitor. We were happy with that. Then contacts far and near bought into the project and it took on a life of its own to the point where are now monitoring 334 BTC Addresses that we are reasonably confident are part of this campaign.
What sort of things has the monitoring revealed?
~17% - percentage of the BTC addresses with payments. (56 out of 334)
123 – number of payments received on the 56 BTC addresses with payments.
~$235,000 USD - Total value of all the payments stored in the 56 BTC Addresses. The 334 addresses we are tracking are thought to be an insignificant subset of those involved in the campaign, so the overall value of this campaign will be many times higher.
9 – Most number of payments on one BTC address. While most BTC addresses have zero or one payment, there is definitely BTC address reuse in the campaign.
~$1900 USD – average payment.
~$700 USD – lowest payment. (I did see one campaign email requesting $600 USD)
~$4900 – highest payment
$0 – amount of money the bad guys have moved out of these addresses. (although there appears to be a double payment and a refund on one address)
This campaign started a little over two weeks ago (July 10th), and the bad guys still haven’t collected the money. Campaign emails, and payments appear to have slowed substantially, so maybe soon. With the amount of press this sextortion campaign has gotten I believe the bad guys will soon reach the point of diminishing returns.
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
Last Updated: 2018-07-27 18:17:39 UTC
by Brad Duncan (Version: 1)
Malicious spam (malspam) with password-protected Word docs continues to be an issue. Here's a recent password-protected Word doc that shows a 0 / 59 detection rate in VirusTotal as I write this: SHA256 hash 4e5f6a6e8c073828af55c830fad5ce7496313083f42f5bc655c90a9a1314cbb2. This type of malspam was recently seen from emails with sending addresses ending in anjanabro.com. Today's diary reviews an example from Thursday 2018-07-26.
After successfully opening the attached Word document and enabling macros, I only saw one HTTP request that returned a malware binary. This was Hermes ransomware, and it didn't generate any post-infection traffic. It merely encrypted my lab host's files, then it presented an HTML file with instructions on how to pay the ransom and email the criminals.
Indicators for this infection
SHA256 hash: 4e5f6a6e8c073828af55c830fad5ce7496313083f42f5bc655c90a9a1314cbb2
File description: Password-protected Word doc with macro to retrieve malware
SHA256 hash: 8dcde14308b6a7edff44fa2ac0aa2e672104db6d35f37ac93452944323468e5e
File description: Follow-up malware - Hermes ransomware
Network traffic: hxxp://18.104.22.168/green.exe
Emails from the decryption instructions:
- Primary email: email@example.com
- Reserve email: firstname.lastname@example.org
As usual, properly-administered and up-to-date Windows hosts are not likely to get infected. System administrators and the technically inclined can also implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.
A pcap of the infection traffic and associated malware for today's diary can be found here.
brad [at] malware-traffic-analysis.net