You Have Got a New Audio Message - Guest Diary by Pasquale Stirparo

Published: 2016-01-13
Last Updated: 2016-01-13 15:00:03 UTC
by Alex Stanford (Version: 1)
2 comment(s)

[Guest Diary by Pasquale Stirparo]

A few weeks ago we witnessed a quite significant wave of emails, each carrying a zip file containing an executable.

The only thing common to all the emails was that the sender name (not the sender email address) always appeared to be "Whatsapp" or "Facebook", while the subject always stated, in different languages (and sometimes different terms), that "You got a new audio (or video) message". Some of the subjects I saw are:

  • Subject: Sie haben einen Videohinweis erhalten!
  • Subject: Ein Hörbeleg ist versäumt worden!
  • Subject: Di recente, hai raccolto un avviso video
  • Subject: Du hast eine Hörakte.
  • Subject: You recently got an audible message!
  • Subject: Ein akustisches Dokument wurde bloß übergetragen

On the sample side, the extracted exe usually has the name of a person, like jack.exe or brent.exe, and the malware seems to be a variant of Nivdort [1] (also named Bayrob in some reports), which, once installed, allows backdoor access. This malware family is not new (it has been around since April 2013 [2]), but anti-virus tools were apparently lagging behind this last Nivdort email wave, and most did not provide real-time protection. However, once installed it should still be relatively easy to detect; here are some indicators:

  • Once executed, it creates a random folder under C:\, where it drops several executables, also with random alphanumeric names, e.g.:

  • It then tries to resolve about 40/50 domain names (on average), more than 90% of which appeared not to be registered. If you have not already done so, you may want to have alerts in place for when one of your clients fails so many DNS requests in a row.
  • When connecting to the C2, it performs HTTP requests to /index.php.

  • Do not be fooled by the "404" reply you may see in your logs. The 404 reply comes with a body, which turns out to be in JSON format and contains Base64-encoded instructions on where to connect for the next stage.

The Base64-encoded value contains the information about the next address to contact via a POST request; in the previous case we can easily decode it.

Incidentally, this very same response, as well as the server IP to contact, also appears in the report on the "f0xy" malware, a CPU miner uncovered last year by WebSense [3]. However, the two samples are completely different.

  • The malware will later upload some information about the files dropped and the email address of the victim, again Base64-encoded.
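As an added illustration that is not part of the original diary, the two detection ideas above in Python: an alert on a client that fails too many DNS lookups in a row, and the decoding of Base64 values hidden inside a JSON 404 body. The resolver log lines, the JSON body and the host c2.example.invalid are constructed for this example and are not indicators from the campaign.

```python
import base64
import json
import re
from collections import defaultdict

# Constructed resolver log lines: client, queried name, response code. The
# dictionary-style names imitate the look the diary describes; all are invented.
DNS_LOG = """\
10.0.0.5 quietwinter.net NXDOMAIN
10.0.0.5 gladrabbit.net NXDOMAIN
10.0.0.5 bravelake.com NXDOMAIN
10.0.0.5 shortanswer.net NXDOMAIN
10.0.0.5 warmdoctor.com NXDOMAIN
10.0.0.9 typo-domain.example NXDOMAIN
10.0.0.9 example.com NOERROR
"""

def clients_with_nxdomain_streak(log_text, threshold=5):
    """Return clients whose run of consecutive NXDOMAIN answers reaches threshold.
    A successful answer resets the streak, so a single typo does not alert."""
    streak = defaultdict(int)
    flagged = set()
    for line in log_text.splitlines():
        client, _name, rcode = line.split()
        if rcode == "NXDOMAIN":
            streak[client] += 1
            if streak[client] >= threshold:
                flagged.add(client)
        else:
            streak[client] = 0
    return sorted(flagged)

# Constructed stand-in for the 404 body: JSON whose value is Base64. The host
# and path inside are placeholders, not the campaign's real C2.
FAKE_404_BODY = ('{"data":"'
                 + base64.b64encode(b"POST http://c2.example.invalid/index.php").decode()
                 + '"}')
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def decode_b64_fields(body):
    """Decode every Base64-looking string value in a JSON object; returns {key: text}."""
    decoded = {}
    for key, value in json.loads(body).items():
        if isinstance(value, str) and B64_RE.match(value) and len(value) % 4 == 0:
            try:
                decoded[key] = base64.b64decode(value, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # looked like Base64 but was not; leave it alone
    return decoded
```

Run against real resolver logs, the streak threshold should be tuned per environment, since browsers and misconfigured hosts also produce NXDOMAIN bursts.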

In case any of you want to try analyzing the sample, be aware that the binary also implements some anti-debugging techniques, as also detected by running Yara against the Yara Rules from the official repository [4].

I'm not sharing the MD5s of the samples collected since all of them are different and would not be very actionable information. However, you can find below a list of C2 domains which the samples tried to contact. Looking at them, one may think that Nivdort does not use any DGA; instead it does use a particular DGA based on a dictionary, which makes the domains not look random and able to bypass many DGA checks used by some filters. If you are interested in knowing more about it, there is a nice write-up by NeutralizeThreat [5], who reverse engineered the sample and described its functionality in detail.

Happy Hunting,

C2 Domains:

Alex Stanford - GIAC GWEB & GSEC,
Research Operations Manager,
SANS Internet Storm Center


Are there still mail systems out there that deliver executable attachments to their users? Even in zip files?
You'd be surprised! I faced the following case a few months ago:
Due to an issue with the delivery of an important email, some security filters were disabled on the incoming SMTP relay, but they forgot to re-enable them once the problem was debugged and fixed.
