Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: More malspam pushing password-protected Word docs for AZORult and Hermes Ransomware - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
More malspam pushing password-protected Word docs for AZORult and Hermes Ransomware

Introduction

This is a follow-up to a previous diary from last month on malicious spam (malspam) distributing password-protected Word docs with malicious macros designed to infect vulnerable Windows computers with ransomware.

Details

Today, I found five examples of malspam with password-protected Word docs using 1234 as the password.  The Word doc had a malicious macro that retrieved AZORult malware.  The AZORult malware conducted callback traffic, then the infected host retrieved Hermes ransomware.


Shown above:  Screen shot of a malspam example from today (1 of 2).


Shown above:  Screen shot of a malspam example from today (2 of 2).


Shown above:  Opening the password-protected Word doc on a Windows host.


Shown above:  After entering the password, a victim must enable macros.


Shown above:  Traffic from an infection filtered in Wireshark.


Shown above:  Desktop of an infected Windows host.

Indicators

Malspam information from 5 email samples: 

  • Date:  Wednesday 2018-08-15
  • Received: from  180connection.org ([46.161.42.24])
  • Received: from  10000tables.org ([46.161.42.9])
  • Received: from  160h.com ([46.161.42.21])
  • Received: from  135798.com ([46.161.42.18])
  • Received: from  whygavs.net ([46.161.42.20])
  • From:  Karan Fabiano =?UTF-8?B?wqA=?= <billing@180connection.org>
  • From:  Eloisa Liechty =?UTF-8?B?wqA=?= <ticket@10000tables.org>
  • From:  "Edgar Blanding =?UTF-8?B?wqA=?=" <mail@160h.com>
  • From:  "Jackqueline Wroblewski =?UTF-8?B?wqA=?=" <admin@135798.com>
  • From:  "Toni Cerulli =?UTF-8?B?wqA=?=" <help@whygavs.net>
  • Subject:  Invoice Due
  • Attachment name:  Invoice.doc

Network traffic:

  • 209.141.59.124 port 80 - 209.141.59.124 - GET /azo.exe
  • 149.129.216.194 port 80 - briancobert.com - POST /index.php (AZORult traffic)
  • 149.129.216.194 port 80 - briancobert.com - POST /index.php (AZORult traffic)
  • 209.141.59.124 port 80 - 209.141.59.124 - GET /hrms.exe

Associated malware:

Contact info from the decryption instructions:

  • primary email:  4234234fdssdfdsaf@tutanota.com 
  • reserve email:  decryptsupport1@cock.li 

Final words

As usual, properly-administered and up-to-date Windows hosts are not likely to get infected.  System administrators and the technically inclined can also implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.

Pcap and malware associated with today's diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

Brad

310 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!