Last Updated: 2015-08-27 09:02:52 UTC
by Didier Stevens (Version: 1)
I received another example of a PDF file that contains a malicious MS Office document. Sample (MD5 0c044fd59cc6ccc28a48937bc69cc0c4).
This time I want to focus on the analysis of such a sample.
First we run pdfid to identify the sample.
So let's take a look at the embedded file with pdf-parser. We use option -H to get more info on the streams (the embedded file), like the hashes.
The embedded file is most likely a ZIP file (magic number PK). Looking at object 9, we see that the name is 2.docm.
The .docm file format indicates that it is a MS Office Word document with VBA macros. We can extract it and analyze it with oledump. Here we do this with a pipe, e.g. without writing the .docm file to disk. We dump the embedded file to stdout (-d -) and pipe it into oledump which analyses it with the vba plugin.
Last Updated: 2015-08-26 02:40:22 UTC
by Brad Duncan (Version: 1)
Last week, we saw the group behind a significant amount of Angler exploit kit (EK) switch to Neutrino EK . We didn't know if the change was permanent, and I also noted that criminal groups using EKs have quickly changed tactics in the past. This week, the group is back to Angler EK.
The past few days, I've noticed several examples Angler EK pushing TeslaCrypt 2.0 ransomware. For today's diary, we'll look at four examples of Angler EK on Tuesday 2015-08-25 from 16:42 to 18:24 UTC. All examples delivered the same sample of TeslaCrypt 2.0 ransomware.
TeslaCrypt is a recent family of ransomware that first appeared early this year. It's been known to mimic CryptoLocker, and we've seen it use the names TelsaCrypt and AlphaCrypt in previous infections [2, 3, 4]. According to Kaspersky Lab, version 2.0 of TeslaCrypt uses the same type of decrypt instructions as CryptoWall . At first glance, an infected Windows host may look like it has CryptoWall; however, artifacts and traffic from the infected host reveal this is actually TeslaCrypt.
Kafeine from Malware Don't Need Coffee first tweeted about the new ransomware on 2015-07-13 . The next day on Securelist.com, Kaspersky Lab released details on this most recent version of TeslaCrypt .
I saw my first sample of TeslaCrypt 2.0 sent from Nuclear EK on 2015-07-20 . Most TeslaCrypt 2.0 samples we've run across since then were delivered by Angler EK; however, we haven't seen a great deal of it. Until recently, most of the ransomware delivered by Angler EK was CryptoWall 3.0. By Tuesday 2015-08-25, we only saw Angler deliver TeslaCrypt 2.0.
Angler EK traffic
Websites compromised by this actor have the same style of injected code we saw last week; however, this time the iframes pointed to Angler EK. In most cases, the iframe led directly to the Angler EK landing page. In some cases, there is a gate (redirect) URL before getting to Angler.
Looking at the traffic in Wireshark, we find two different IPs and four different domains from the four Angler infections during a 1 hour and 42 minute time span.
- 2015-08-25 16:42 UTC - 188.8.131.52 - prism0.housevaluesinmiami.com
- 2015-08-25 17:09 UTC - 184.108.40.206 - sowrite-capitalleser.housevaluesinmiami.com
- 2015-08-25 17:32 UTC - 220.127.116.11 - mhsc-tuffsteins.housevaluesinmiamibeach.com
- 2015-08-25 18:24 UTC - 18.104.22.168 - 1muthuletchm.housevaluesinsouthbeach.com
See the images below for details.
Preliminary malware analysis
The malware payload was the same file for each infection. Although Angler EK sends its payload encrypted, I was able to grab a decrypted copy from an infected host before it deleted itself.
- File name: 2015-08-25-Angler-EK-payload-TeslaCrypt-2.0.exe
- File size: 346.9 KB (355,239 bytes)
- MD5 hash: 4321192c28109be890decfa5657fb3b3
- SHA1 hash: 352f81f9f7c1dcdb5dbfe9bee0faa82edba043b9
- SHA256 hash: 838f89a2eead1cfdf066010c6862005cd3ae15cf8dc5190848b564352c412cfa
- Detection ratio: 3 / 49
- First submission: 2015-08-25 19:51:01 UTC
- Virus Total analysis: link
- Malwr.com analysis: link
- Hybrid-Analysis.com analysis: link
The following post-infection traffic was seen from the four infected hosts:
- ipinfo.io - TCP port 80 (http) - IP address check
- 22.214.171.124 - TCP port 80 (http) - ledshoppen.nl - post-infection callback
- 126.96.36.199 - TCP port 80 (http) - www.micropiso.cl - post-infection callback
Malwr.com's analysis of the payload reveals additional IP addresses and hosts:
- 188.8.131.52 - TCP port 80 (http) - shmetterheath.ru
- 184.108.40.206 - TCP port 80 (http) - fgainterests.com
- 220.127.116.11 - TCP port 80 (http) - serenitynowbooksandgifts.com
- 18.104.22.168 - TCP port 80 (http) - www.serenitynowbooksandgifts.com
- 22.214.171.124 - TCP port 443 (encrypted) - kb63vhjuk3wh4ex7.onion.to
- 126.96.36.199 - TCP port 443 (encrypted) - kb63vhjuk3wh4ex7.tor2web.org
Snort-based alerts on the traffic
I played back the pcap on Security Onion using Suricata with the EmergingThreats (ET) and ET Pro rule sets. The results show alerts for Angler EK and AlphaCrypt. The AlphaCrypt alerts triggered on callback traffic from TeslaCrypt 2.0. See the image below for details.
Screen shots from an infected host
On the same cloned host with the same malware, we saw a different URL for the decrypt instructions each time. Every infection resulted in a different bitcoin address for the ransom payment, even though it was the same sample infecting the same cloned host.
We continue to see EKs used by this and other criminal groups to spread malware. Although we haven't seen as much CryptoWall this week, the situation could easily change in a few days time.
Traffic and malware for this diary are listed below:
- A zip archive of four pcap files with the infection traffic from Tuesday 2015-08-25 is available here. (4.14 MB)
- A zip archive of the malware and other artifacts is available here. (957 KB)
The zip archive for the malware is password-protected with the standard password. If you don't know it, email firstname.lastname@example.org and ask.