Myfax malspam wave with links to malware and Neutrino exploit kit, (Wed, Jun 3rd)

Introduction

Since at least Wednesday 2015-05-27, there have been more waves of malicious spam (malspam) spoofing myfax.com. On Tuesday 2015-06-02, the messages contained links to a zip archive of a Pony downloader. Tuesday's messages also had links pushing Neutrino exploit kit (EK). Spoofed myfax emails are nothing new. They've been around for years. This is yet another wave in the continuous onslaught of malspam that organizations face every day.

Background

Earlier on 2015-06-02, @Techhelplistcom tweeted about myfax malspam he'd found [1], and he posted links from these emails to pastebin [2].

I noticed similar messages last week, but they were all blocked. At that time, I wasn't able to investigate any further. On 2015-06-02, checking my employer's spam filters revealed spoofed myfax messages. Below is an example of the messages blocked by my organization.

Shown above: myfax-themed malspam.

The above example shows 2 types of URLs. The first points to a zip file. The second points to URLs ending in fax.php that push Neutrino EK. Last week's messages …

Shown above: myfax-themed malspam from Thursday.

In a lab environment, those links ending with fax.php returned HTML with iframes … Unfortunately, I wasn't able to generate any Neutrino EK traffic. The domain names for the Neutrino URLs didn't …

We saw the following fax.php URLs from the malspam:

  • www.faura-casas.com – GET /wp-content/plugins/feedweb_data/fax.php

We also found the following URLs for zip files from the malspam:

  • sv.com.vn – GET /wp-content/plugins/feedweb_data/pdf_efax_message_3537462.zip
  • edenika.net – GET /wp-content/plugins/cached_data/pdf_fax_message238413995.zip
  • edujay.com – GET /wp-content/plugins/cached_data/pdf_fax_message238413995.zip
  • eciusda.org – GET /wp-content/plugins/cached_data/pdf_fax_message238413995.zip
  • nightskyhotel.com – GET /wp-content/plugins/feedweb_data/incoming_myfax_doc.zip
  • sciclubtermeeuganee.it – GET /wp-content/plugins/feedweb_data/pdf_efax_message_3537462.zip
  • serenityonthesquare.com – GET /wp-content/plugins/cached_data/pdf_efax_message_3537462.zip
  • vanepcanhcuong.com – GET /modules/mod_vvisit_counter/images/digit_counter/embwhite/pdf_efax_message_3537462.zip
  • www.ditta-argentiero.it – GET /wp-content/plugins/feedweb_data/pdf_efax_message_3537462.zip
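The zip URLs above share a recognisable shape: a compromised CMS path (wp-content/plugins/… or modules/…) ending in a pdf_fax_message / pdf_efax_message / incoming_myfax_doc archive, with the fax.php landing pages sitting in the same plugin directories. Below is an added example (not part of the original diary) of turning that shape into a quick proxy-log triage script. The log format and the log lines are constructed for the example; the hit hostnames and paths are taken from the diary's own lists, and the regular expressions are heuristics derived from those lists, not a published signature.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log: "<timestamp> <client> <method> <url> <status>".
# Lines 1-3 reuse URLs from the diary; lines 4-5 are benign look-alikes.
SAMPLE_PROXY_LOG = """\
2015-06-02T14:01:07Z 10.0.0.15 GET http://nightskyhotel.com/wp-content/plugins/feedweb_data/incoming_myfax_doc.zip 200
2015-06-02T14:01:09Z 10.0.0.15 GET http://www.faura-casas.com/wp-content/plugins/feedweb_data/fax.php 200
2015-06-02T14:02:33Z 10.0.0.22 GET http://vanepcanhcuong.com/modules/mod_vvisit_counter/images/digit_counter/embwhite/pdf_efax_message_3537462.zip 200
2015-06-02T14:03:10Z 10.0.0.31 GET http://www.example.com/wp-content/plugins/akismet/akismet.js 200
2015-06-02T14:03:12Z 10.0.0.31 GET http://www.example.com/fax.php 200
"""

# Archive names seen in this wave: pdf_fax_message<digits>.zip,
# pdf_efax_message_<digits>.zip and incoming_myfax_doc.zip.
ZIP_NAME = re.compile(r"(?:pdf_e?fax_message_?\d+|incoming_myfax_doc)\.zip$", re.I)
FAX_PHP = re.compile(r"/fax\.php$", re.I)
# The abused sites hosted the files under CMS plugin/module directories.
PLUGIN_DIR = re.compile(r"^/(?:wp-content/plugins/|modules/)", re.I)


def classify_url(url):
    """Return 'myfax-zip', 'fax-php', or None for a single URL."""
    path = urlparse(url).path
    if ZIP_NAME.search(path):
        return "myfax-zip"
    # "/fax.php" alone is too generic to alert on; require the directory
    # shape observed in this campaign as well.
    if FAX_PHP.search(path) and PLUGIN_DIR.search(path):
        return "fax-php"
    return None


def scan_proxy_log(text):
    """Yield (client, label, host, path) for every line that matches."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash mid-hunt
        _ts, client, _method, url = parts[:4]
        label = classify_url(url)
        if label:
            u = urlparse(url)
            hits.append((client, label, u.hostname, u.path))
    return hits


if __name__ == "__main__":
    for client, label, host, path in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client}\t{label}\t{host}{path}")
```

A client that fetched a myfax-zip and then a fax-php URL in the same minute is the pattern to pivot on; the zip download alone only tells you the user clicked, not whether the Pony downloader ran.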


Indicators of compromise (IOC) from the infection traffic:

  • 112.78.2.223 – nightskyhotel.com – GET /wp-content/plugins/feedweb_data/incoming_myfax_doc.zip HTTP/1.1
  • 78.136.221.141 – moskalvtumane.com POST /gate.php HTTP/1.0
  • 94.73.151.210 – mechgag.com – GET /wp-content/plugins/feedweb_data/k1.exe HTTP/1.0
  • 87.250.250.8 – yandex.ru – GET / HTTP/1.1
  • 93.158.134.3 – www.yandex.ru – GET / HTTP/1.1
  • 213.152.181.66 – dortwindfayer.com – GET /confk.jpg HTTP/1.1
  • 213.152.181.66 – dortwindfayer.com – GET /ki.exe HTTP/1.1
  • 213.152.181.66 – dortwindfayer.com – GET /ki.exe HTTP/1.1
  • 213.152.181.66 – dortwindfayer.com – POST /gate.php HTTP/1.1
  • 213.152.181.66 – dortwindfayer.com – GET /confk.jpg HTTP/1.1
  • 213.152.181.66 – dortwindfayer.com – GET /ki.exe HTTP/1.1
  • 213.152.181.66 – dortwindfayer.com – GET /ki.exe HTTP/1.1
  • 213.152.181.66 – dortwindfayer.com – POST /gate.php HTTP/1.1
  • 213.152.181.66 – dortwindfayer.com – GET /confk.jpg HTTP/1.1

The image below shows Emerging Threats-based Snort events on the infection traffic using Security Onion. The events indicate a Fareit/Pony downloader infected the lab host with Graftor.

A sample of the Pony downloader was submitted to malwr.com at: https://malwr.com/analysis/ODExOWNlY2Y4N2QwNDhkNmE4YmFkODc2ODA3NzlkNDI/

A sample of the follow-up malware was also submitted to malwr.com at: https://malwr.com/analysis/OTc4MWY3OTdmZDZkNGYxMGJhNGRkMDAzOThlNmQ1NmI/

Post-infection traffic contains HTTP GET requests for a small image file with an image of Marlon Brando from the Godfather movies. Matthew Mesa found …

The image contains some ASCII text for the last 1.4 KB or so of the file, which indicates …

…-artifacts.zip

The zip file is password-protected with the standard password. If you don't know it, email [email protected] and ask.
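An image that carries readable ASCII text in its last 1.4 KB is a common way for malware to fetch configuration past proxies and content filters that stop inspecting once the picture looks valid. The following is an added example (not from the diary, and not the specific file Matthew Mesa looked at) of how to check a JPEG for data appended after its End-Of-Image marker: it walks the segment structure rather than searching for the last FF D9, so an EXIF thumbnail's own EOI does not confuse it. The sample image bytes and the trailer text are constructed for the example; the thresholds in suspicious_trailer are assumptions a reader would tune.

```python
SOI = b"\xff\xd8"  # Start Of Image
EOI = b"\xff\xd9"  # End Of Image


def jpeg_end_offset(data):
    """Walk the JPEG marker segments and return the offset just past EOI.

    Raises ValueError for anything that is not a structurally valid JPEG.
    """
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                                   # EOI reached
            return pos + 2
        if marker == 0xFF:                                   # fill byte, realign
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:         # standalone markers
            pos += 2
            continue
        if pos + 4 > n:
            raise ValueError("truncated JPEG: segment length missing")
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes the 2 length bytes
        pos += 2 + seglen
        if marker == 0xDA:
            # Start Of Scan: entropy-coded data follows with no length field.
            # Skip until a real marker (FF00 is byte stuffing, FFD0-FFD7 are RSTn).
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI")


def jpeg_trailer(data):
    """Return every byte after EOI (empty for a clean image)."""
    return data[jpeg_end_offset(data):]


def printable_ratio(blob):
    if not blob:
        return 0.0
    printable = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(blob)


def suspicious_trailer(data, min_bytes=64, min_printable=0.9):
    """(flag, trailer): flag when the trailer is long enough and mostly ASCII.

    Thresholds are assumptions chosen for this example; a real config blob
    may be encrypted, in which case the length alone is the signal.
    """
    tail = jpeg_trailer(data)
    return (len(tail) >= min_bytes and printable_ratio(tail) >= min_printable), tail


def _seg(marker, payload):
    """Build one length-prefixed JPEG segment (helper for the constructed sample)."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed minimal JPEG: APP0, an APP1 containing a fake thumbnail with its
# own SOI/EOI, an SOS header, scan data with FF00 stuffing and an RST0, then EOI.
SAMPLE_JPEG = (
    SOI
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00" + b"\xff\xd8\x00\x11\xff\xd9")
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    + EOI
)
# Constructed stand-in for an appended plaintext config (240 bytes of ASCII).
CONSTRUCTED_TRAILER = b"[cfg]\nserver=c2.invalid\n" * 10


if __name__ == "__main__":
    flagged, tail = suspicious_trailer(SAMPLE_JPEG + CONSTRUCTED_TRAILER)
    print(f"flagged={flagged} trailer_bytes={len(tail)} printable={printable_ratio(tail):.2f}")
```

Run it against the real confk.jpg from the traffic to see how far past EOI the file continues; a trailer that is not printable is still worth keeping, since the next step is usually to XOR or RC4 it with a key recovered from the executable.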

Special thanks to Techhelplist and Matthew Mesa for their Twitter posts about this activity. Techhelplist also updated his blog entry about fake myfax emails with this recent information [4].


Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net – Twitter: @malware_traffic

References:

[1] https://twitter.com/Techhelplistcom/status/605765844258287618
[2] http://pastebin.com/0WXz209K
[3] http://pastebin.com/x6U940wj
[4] https://techhelplist.com/index.php/spam-list/125-inbound-fax-fake-myfax-notification

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.