Last Updated: 2017-02-18 01:44:14 UTC
by Brad Duncan (Version: 1)
It's been one month since my last diary on malcious spam (malspam) with links to malicious Word documents containing Hancitor . Back then, we saw Hancitor use Pony to download Vawtrak malware. Since then, I've seen indicators for this type of malspam on a near-daily basis.
Recently, these emails have stopped leading to Vawtrak. Instead, I'm now seeing malware that triggers alerts for Terdot.A [2, 3, 4, 5, 6, 7]. Tools from my employer identify this malware as DELoader, and a Google search indicates Terdot.A and DELoader are the same thing.
For now, I'm keeping my flow chart open on the final malware. With that in mind, let's take a look at some infection traffic generated on Thursday 2017-02-09 based on one of these emails.
These emails generally have different subject lines each day, and they have spoofed sending addresses. The example I saw on 2017-02-09 was a fake message about a money transfer. It's similar to a wave of malspam seen the day before.
- Date: Thursday, 2017-02-09 16:05 UTC
- Received: from polsinelli.com [spoofed host name]
- Message-ID: <879081B3.F4FA76CC@polsinelli.com>
- From: "Polsinelli LLP" <firstname.lastname@example.org> [spoofed sender]
- Subject: RE:RE: wife tf
The link from the email contains a base64-encoded string representing the recipient's email address. Based on that string, the downloaded file will have the recipient's name from the email address. I used a base64 string for a made-up email address and received a file named bofa_statement_marci.jones.doc.
The link from the malspam downloaded a Microsoft Word document. The document contains a malicious VB macro described as Hancitor, Chanitor or Tordal. I generally call it Hancitor. If you enable macros, the document retrieves a Pony downloader DLL. At first, I thought Pony was retrieving the DELoader malware; however, another researcher told me it's Hancitor that grabs DELoader. I haven't had time to investigate; however, I probably need to update my flowchart.
Pattern-wise, URLs from this infection are similar to previous cases of Hancitor/Pony malspam reported I've seen during the past week or two.
Alerts show post-infection traffic for Terdot.A/Zloader, which is consistent with recent infections I've seen for malware identified as DELoader.
Indicators of Compromise (IOCs)
Email link noted on Thursday 2017-02-09 to download the Hancitor Word document:
- 18.104.22.168 port 80 - www.jasa.adv.br - GET /api/get.php?id=[base64 string]
Traffic after enabling macros on the Word document:
- api.ipify.org - GET / [IP address check]
- 22.214.171.124 port 80 - hadrylego.com - POST /ls5/forum.php [Hancitor callback]
- 126.96.36.199 port 80 - hadrylego.com - POST /klu/forum.php [Hancitor callback]
- 188.8.131.52 port 80 - caleduc.com - GET /blog/wp-content/themes/sketch/1 [call for Pony DLL]
- 184.108.40.206 port 80 - main-meats.com - GET /1 [call for Pony DLL]
- 220.127.116.11 port 80 - patsypie.com - GET /wp-content/themes/sketch/1 [call for Pony DLL]
- 18.104.22.168 port 80 - caleduc.com - GET /blog/wp-content/themes/sketch/a1 [call for DELoader]
- 22.214.171.124 port 80 - main-meats.com - GET /a1 [call for DELoader]
- 126.96.36.199 port 80 - patsypie.com - GET /wp-content/themes/sketch/a1 [call for DELoader]
- 188.8.131.52 port 80 - ughtoftritret.ru - POST /bdk/gate.php [DELoader callback]
Associated file hashes:
- SHA256 hash: 82d4b6676bbff17626aba1a65a9c6ec10ab036c101c8dc5e6e697693ec5a013f
- File size: 181,248 bytes
- Description: Word document from link to www.jasa.adv.br
- SHA256 hash: d2c79954335b579309957c22b1b7976359fd067691626f8beb99779143edaa69
- File size: 257,024 bytes
- Description: Terdot.A/DELoader
As this campaign progresses, IOCs will continue to change, and I'm sure traffic patterns will continue to evolve.
Pcap and malware for this diary can be found here.
brad [at] malware-traffic-analysis.net