Last Updated: 2016-06-09 00:11:10 UTC
by Brad Duncan (Version: 1)
About a week ago, I stopped seeing the daily deluge of malicious spam (malspam) distributing Dridex banking trojans or Locky ransomware. Before this month, I generally noticed multiple waves of Dridex/Locky malspam almost every day. This malspam contains attachments with zipped .js files or Microsoft Office documents designed to download and install the malware.
I haven't found much discussion about the current absence of Dridex/Locky malspam. Since the actor(s) behind Dridex started distributing Locky back in February 2016, I can't recall any lengthy absence of this malspam.
Shown above: Have others noticed a lull in Dridex/Locky? 
Of course, other campaigns are ongoing, so I figure it's time to review other examples of malspam. These campaigns are somewhat harder to find than Dridex/Locky malspam, but they're certainly out there.
However, my field of view is limited, and I can only report on what I'm seeing. With that in mind, this diary reviews two examples of malspam I found on Wednesday 2016-06-08.
Our first example was sent to one of the ISC handlers' email aliases. This example has a zipped .js file attachment.
Running the extracted .js file on a Windows host generated plenty of HTTP traffic.
I saw plenty of artifacts on the infected host, and at least one of the items appears to be Andromeda, based on alerts seen when I played back a pcap of the traffic in Security Onion using Suricata with the ETPRO ruleset.
The Snort subscriber ruleset also generated alerts on the same traffic that triggered Andromeda hits with the ETPRO ruleset.
Our second example is Brazilian malspam in Portuguese sent to a different email address. Instead of an attachment, this one has a link to download the malware.
The link from the malspam redirected to malware hosted on 4shared.com.
Here's what the HTTP traffic looked like from the infected host:
In addition to the HTTP traffic, I saw IRC activity on TCP port 443 from the infected host to a server on ssl.houselannister.top at 220.127.116.11.
Of note, the hostname/username for my infected Windows host in this pcap is a throwaway. Also, the IP address listed in the IRC channel is not the actual IP address of my infected host.
Alerts from this traffic show a Mikey variant, and this infection apparently added my Windows host to a botnet.
Indicators of compromise (IOC) - first example
Domains used for the initial malware download by the .js file:
- 18.104.22.168 port 80 - www.owifdsferger.net
- 22.214.171.124 port 80 - www.dorimelds.at
- 126.96.36.199 port 80 - www.opaosdfdksdfd.ro
- 188.8.131.52 port 80 - www.brusasport.com
Post infection traffic that triggered alerts for Andromeda malware:
- 184.108.40.206 port 80 - secure.adnxs.metalsystems.it - POST /new_and/state.php
Other HTTP traffic during this infection:
- 220.127.116.11 port 80 - antoniocaroli.it - GET /prova/sd/Lnoort.exe
- 18.104.22.168 port 80 - www.antoniocaroli.it - GET /prova/sd/Lnoort.exe
- 22.214.171.124 port 80 - antoniocaroli.it - GET /prova/sd/romeo.exe
- 126.96.36.199 port 80 - www.antoniocaroli.it - GET /prova/sd/romeo.exe
- 188.8.131.52 port 80 - www.amicimusica.ud.it - GET /audio/js.mod
- 184.108.40.206 port 80 - 220.127.116.11 - GET /js/calc.pack
- 18.104.22.168 port 80 - statcollector.at - GET /statfiles/pz/ft.so
- 22.214.171.124 port 2352 - Attempted TCP connection to dop.premiocastelloacaja.com
- 126.96.36.199 port 80 - goyanok.at - HTTP POST triggered alert for Ursnif variant
Indicators of compromise (IOC) - second example
Traffic to retrieve the initial malware:
- 188.8.131.52 port 80 - www.grupoc4.top - GET /m.php?id=[name]
- NOTE: See the pcap for the URL from 4shared.com hosting the initial malware
- 184.108.40.206 port 80 - www.ruthless.sexy - Callback from the infected host
- 220.127.116.11 port 80 - lol.devyatinskiy.ru - Callback from the infected host
- 18.104.22.168 port 80 - api.devyatinskiy.ru - Callback from the infected host
- 22.214.171.124 port 80 - 126.96.36.199 - GET /fix.dll
- 188.8.131.52 port 443 - attempted TCP connections to imestre.cheddarmcmelt.top
- 184.108.40.206 port 443 - IRC traffic to ssl.houselannister.top
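As an added example (not part of the original diary or its pcaps), the indicators above can be turned into a quick triage check: match proxy or HTTP log entries against the listed hosts and URI paths, and flag cleartext IRC commands on TCP port 443, which is what the second infection's traffic to ssl.houselannister.top looks like. The log format and sample lines are constructed for this example.

```python
import re

# Hosts and URI paths taken from the IOC lists in this diary
IOC_HOSTS = {
    "www.owifdsferger.net", "www.dorimelds.at", "www.opaosdfdksdfd.ro",
    "www.brusasport.com", "secure.adnxs.metalsystems.it", "antoniocaroli.it",
    "www.antoniocaroli.it", "www.amicimusica.ud.it", "statcollector.at",
    "dop.premiocastelloacaja.com", "goyanok.at", "www.grupoc4.top",
    "www.ruthless.sexy", "lol.devyatinskiy.ru", "api.devyatinskiy.ru",
    "imestre.cheddarmcmelt.top", "ssl.houselannister.top",
}
IOC_URIS = {"/new_and/state.php", "/prova/sd/Lnoort.exe", "/prova/sd/romeo.exe",
            "/audio/js.mod", "/js/calc.pack", "/statfiles/pz/ft.so",
            "/fix.dll", "/m.php"}
# Cleartext IRC commands; a TLS ClientHello on port 443 would never start this way
IRC_CMD = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PING|PONG)\b")

# Constructed log format: "<src> <dst_host> <dst_port> <method> <uri>" for HTTP,
# "<src> <dst_host> <dst_port> RAW <first payload line>" for other TCP sessions
LOG_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (.*)$")


def classify(line):
    """Return the list of reasons a log line is suspicious (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    src, host, port, method, rest = m.groups()
    reasons = []
    if host.lower() in IOC_HOSTS:
        reasons.append("ioc-host:" + host)
    path = rest.split("?")[0]          # drop the query string, e.g. ?id=[name]
    if method in ("GET", "POST") and path in IOC_URIS:
        reasons.append("ioc-uri:" + path)
    if port == "443" and method == "RAW" and IRC_CMD.match(rest):
        reasons.append("irc-on-443")
    return reasons


def scan(lines):
    """Return (line, reasons) for every flagged line, in log order."""
    flagged = []
    for ln in lines:
        reasons = classify(ln)
        if reasons:
            flagged.append((ln, reasons))
    return flagged


# Constructed sample log; the internal IP and IRC nick are placeholders
SAMPLE_LOG = [
    "10.0.0.5 www.antoniocaroli.it 80 GET /prova/sd/romeo.exe",
    "10.0.0.5 www.example.com 80 GET /index.html",
    "10.0.0.5 ssl.houselannister.top 443 RAW NICK placeholder-nick",
    "10.0.0.5 www.grupoc4.top 80 GET /m.php?id=constructed",
    "10.0.0.5 cdn.example.org 443 RAW TLS-CLIENTHELLO",
]

if __name__ == "__main__":
    for ln, why in scan(SAMPLE_LOG):
        print(", ".join(why), "<-", ln)
```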
Malspam is a pretty low-level threat, in my opinion. Most people recognize the malspam and will never click on the attachments or links. For those more likely to click, software restriction policies can play a role in preventing infections. And finally, people should be using properly administered Windows hosts and follow best security practices (up-to-date applications, latest OS patches, etc.).
The same thing goes for Dridex/Locky malspam, which I expect will return soon enough.
But many vulnerable hosts are still out there, and enough people using those hosts are still tricked by this malspam. That's probably why malspam remains a profitable method to distribute malware.
Pcaps and malware for this ISC diary can be found here.
brad [at] malware-traffic-analysis.net