Threat Level: green Handler on Duty: Richard Porter

SANS ISC: InfoSec Handlers Diary Blog - More malspam using password-protected Word docs InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

More malspam using password-protected Word docs

Published: 2018-10-31
Last Updated: 2018-10-31 05:29:41 UTC
by Brad Duncan (Version: 1)
0 comment(s)

Introduction

This diary reviews an example of malicious spam (malspam) using password-protected Word documents to distribute Nymaim on Tuesday 2018-10-30.

Background: Since March 2013, I've documented several examples of malspam using password-protected Word documents to distribute malware.  Previously, this malspam pushed various families of ransomware.  In August 2018, this malspam switched to pushing Neutrino malware.  By September 2018, this campaign started pushing Nymaim. 

Last week on 2018-10-26, this campaign briefly switched to pushing GlobeImposter ransomware, but this week it's back to pushing Nymaim.

A list of my posts about this malspam (ISC diaries or posts from malware-traffic-analysis.net) follows:

2018-03-14 - Malspam with password-protected Word docs pushes Sigma ransomware
2018-04-20 - Malspam with password-protected Word docs pushes GlobeImposter ransomware
2018-05-09 - Malspam with password-protected Word docs pushes Sigma ransomware
2018-06-04 - Malspam with password-protected Word docs pushes Gandcrab ransomware
2018-07-23 - Malspam with password-protected Word docs pushes AZORult then Hermes ransomware
2018-07-27 - Malspam with password-protected Word docs pushes Hermes ransomware
2018-08-15 - More malspam pushing password-protected Word docs for AZORult and Hermes ransomware
2018-08-21 - More malspam with password-protected Word docs, now pushing Neutrino
2018-09-06 - Malspam with password-protected Word docs pushes AZORult then Neutrino
2018-09-17 - Quick post: Malspam with password-protected Word docs pushes Nymaim
2018-09-21 - Malspam with password-protected Word docs still pushing Nymaim
2018-09-28 - More malspam with password-protected Word docs pushing Nymaim
2018-10-26 - Malspam with password-protected Word docs now pushing GlobeImposter ransomware

Now let's review my most recent infection from Tuesday evening on 2018-10-30.


Shown above:  Flow chart for infections from this malspam campaign.

Emails

The emails all have spoofed sending addresses, and recent messages are either resume-themed or invoice-themed.  The most recent emails I've seen are invoice-themed with invoice.doc as the file attachment.  These emails are currently sent from servers residing in the 176.119.6.0/24 block of IP addresses.  This block appears to be administered by MultiDC, a hosting company based in the Ukraine.  Passwords for the attached Word documents have been 1234 for several weeks now.


Shown above:  An example of malspam from this campaign.

After a victim unlocks the password-protected Word document, it shows a message asking readers to enable macros.  Macros on this Word document will download and install malware on a vulnerable Windows host.


Shown above:  An unlocked Word document waiting for its victim to enable macros.

Malware from an infected host

The Word macro retrieved a Windows executable from 209.141.60.230 and saved it to the user's AppData\Local\Temp directory as qwerty2.exe.  In this case, qwerty2.exe was Nymaim.  The malware deleted itself after follow-up Nymaim executables were installed and made persistent on the infected Windows host.


Shown above:  Initial Nymaim executable that deleted itself after the infection.


Shown above:  Follow-up Nymaim executable (1 of 3) made persistent through the Windows registry.


Shown above:  Follow-up Nymaim executable (2 of 3) also persistent through the Windows registry.


Shown above:  Follow-up Nymaim executable (3 of 3) persistent through a shortcut in the Windows Startup folder.

Network traffic

Network traffic was typical for Nymaim infections I've recently seen.  This malware spoofs legitimate domains carfax.com and zepter.com but uses different IP addresses based on DNS queries for other domains.

Nymaim uses Google DNS to query IP addresses on actual malicious domains.  In most cases, IP addresses from those DNS queries are not directly used by the infected host for spoofed traffic to carfax.com and zepter.com.  Ultimately, info returned by these Google DNS queries is used by Nymaim to calculate or determine the actual IP addresses used in its post-infection traffic.  People should understand that Carfax and Zepter are not involved with this activity.

Of note, the infected Windows host also made DNS queries through Google DNS for google.com and microsoft.com.


Shown above:  HTTP traffic from the infection filtered in Wireshark.


Shown above:  DNS traffic used by Nymaim to determine IP addresses used for spoofed traffic to carfax.com and zepter.com.

Indicators

Data on 10 malspam examples from 2018-10-27 through 2018-10-30:

  • Received: from tonnocraft.com ([176.119.6.30])
  • Received: from theductbusters.com ([176.119.6.45])
  • Received: from kafadaroto.com ([176.119.6.162])
  • Received: from parkinsonalberta.com ([176.119.6.113])
  • Received: from theultimateadventurecentre.com ([176.119.6.37])
  • Received: from font8.com ([176.119.6.233])
  • Received: from getadsb.com ([176.119.6.220])
  • Received: from madisonchevrolets.com ([176.119.6.150])
  • Received: from fatalvr.com ([176.119.6.238])
  • Received: from juegos4k.com ([176.119.6.165])
  • From: Lavera Muck =?UTF-8?B?wqA=?= <noreply@tonnocraft.com>
  • From: Kasey Rohloff =?UTF-8?B?wqA=?= <support@theductbusters.com>
  • From: Doyle Bruce =?UTF-8?B?wqA=?= <mail@kafadaroto.com>
  • From: Tamekia Ly =?UTF-8?B?wqA=?= <support@parkinsonalberta.com>
  • From: Livia Westlake =?UTF-8?B?wqA=?= <help@theultimateadventurecentre.com>
  • From: Mozelle Kalinowski =?UTF-8?B?wqA=?= <admin@font8.com>
  • From: Arminda Fortson =?UTF-8?B?wqA=?= <noreply@getadsb.com>
  • From: Alona Mcferren =?UTF-8?B?wqA=?= <admin@madisonchevrolets.com>
  • From: Shona Dyck =?UTF-8?B?wqA=?= <sale@fatalvr.com>
  • From: Livia Westlake =?UTF-8?B?wqA=?= <billing@juegos4k.com>
  • Subject: Job
  • Subject: application
  • Subject: Regarding Job
  • Subject: Hiring
  • Subject: application
  • Subject: Invoice Attached
  • Subject: Invoice Attached
  • Subject: Invoice Attached
  • Subject: Invoice Attached
  • Subject: Invoice Attached
  • Attachment name: Lavera Muck   Resume.doc
  • Attachment name: Kasey Rohloff   Resume.doc
  • Attachment name: Doyle Bruce   Resume.doc
  • Attachment name: Tamekia Ly   Resume.doc
  • Attachment name: Livia Westlake   Resume.doc
  • Attachment name: invoice.doc
  • Attachment name: invoice.doc
  • Attachment name: invoice.doc
  • Attachment name: invoice.doc
  • Attachment name: invoice.doc

SHA256 hashes for the attached Word documents:

Malware on the infected Windows host:

SHA256 hash: 45e387b429e6883f12c777b6b7be1c1239dc34115d882bce98afc80e7ad4b2b6

  • File size: 1,392,640 bytes
  • File type: PE32 executable (GUI) Intel 80386, for MS Windows
  • File location: C:\Users\[username]\AppData\Local\Temp\qwerty2.exe
  • Persistence mechanism: none (deletes itself after running)
  • File description: Initial Nymaim executable downloaded by Word macro

SHA256 hash: 11b0c2732e0bcbfb6d7bbf37180344ec0b1eafd58d73fe65278b69cfb981daf1

  • File size: 982,016 bytes
  • File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
  • File location: C:\ProgramData\algebra-1\algebra-2.exe
  • Persistence mechanism: Windows Registry entry
  • Entry: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon - shell
  • Command: C:\ProgramData\algebra-1\algebra-2.exe -q2
  • File description: Nymaim malware persistent on the infected Windows host (1 of 3)

SHA256 hash: 524f22a1582a03defca57913e6a55d5989c4fc1330163efce284ec5eced983ca

  • File size: 1,068,544 bytes
  • File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
  • File location: C:\ProgramData\bending-51\bending-2.exe
  • Persistence mechanism: Windows Registry entry
  • Entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run - bending-5
  • Command: C:\ProgramData\bending-51\bending-2.exe -k4
  • File description: Nymaim malware persistent on the infected Windows host (2 of 3)

SHA256 hash: 8d10d226e723dd9ad8993e4710d5913078d83bae6870b61aa70bafaefbe70c49

  • File size: 982,016 bytes
  • File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
  • File location: C:\Users\[username]\AppData\Local\esbga-7\esbga-5.exe
  • Persistence mechanism: Windows shortcut in the Startup folder
  • Command: C:\Users\[username]\AppData\Local\esbga-7\esbga-5.exe -9
  • File description: Nymaim malware persistent on the infected Windows host (3 of 3)

Traffic from an infected Windows host:

  • 209.141.60.230 port 80 - 209.141.60.230 - GET /516.exe
  • 2.90.156.13 port 80 - zepter.com - POST /7pxvwbh5sm/index.php
  • 2.90.156.13 port 80 - carfax.com - POST /
  • 31.5.167.149 port 80 - zepter.com - POST /7pxvwbh5sm/index.php
  • 31.5.167.149 port 80 - carfax.com - POST /
  • 37.105.151.155 port 80 - zepter.com - POST /7pxvwbh5sm/index.php
  • 37.105.151.155 port 80 - carfax.com - POST /
  • 46.238.18.157 port 80 - zepter.com - POST /7pxvwbh5sm/index.php
  • 46.238.18.157 port 80 - carfax.com - POST /
  • 47.74.188.255 port 80 - carfax.com - POST /7pxvwbh5sm/index.php
  • 47.74.188.255 port 80 - zepter.com - POST /7pxvwbh5sm/index.php
  • 47.74.188.255 port 80 - carfax.com - POST /
  • 84.2.61.102 port 80 - zepter.com - POST /7pxvwbh5sm/index.php
  • 84.2.61.102 port 80 - carfax.com - POST /
  • 91.139.200.135 port 80 - zepter.com - POST /7pxvwbh5sm/index.php
  • 91.139.200.135 port 80 - carfax.com - POST /
  • 91.201.175.46 port 80 - zepter.com - POST /7pxvwbh5sm/index.php
  • 91.201.175.46 port 80 - carfax.com - POST /
  • 212.237.112.81 port 80 - zepter.com - POST /7pxvwbh5sm/index.php
  • 212.237.112.81 port 80 - carfax.com - POST /
  • 213.164.242.16 port 80 - zepter.com - POST /7pxvwbh5sm/index.php
  • 213.164.242.16 port 80 - carfax.com - POST /
  • 217.156.87.2 port 80 - zepter.com - POST /7pxvwbh5sm/index.php
  • 217.156.87.2 port 80 - carfax.com - POST /
  • DNS query to Google DNS for: microsoft.com
  • DNS query to Google DNS for: google.com
  • DNS query to Google DNS for: shetyiosnf.com
  • DNS query to Google DNS for: deligvsiogsd.com

Final words

Email examples, pcap, and malware associated with today's diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

Keywords: malspam Nymaim
0 comment(s)
Diary Archives