Historical OSINT: Celebrities Death, Fedex Invoices, Office-Themed Malware Campaigns

As promised, this is a pretty short historical OSINT post (catching up is in progress) detailing the structure of several campaigns that took place throughout July-August 2010 and, as always, emphasizing their connections with historical malware campaigns profiled on my personal blog.

Campaigns of note include spamvertised “celebrity death”-themed emails, “FedEx shipment status”-themed invoices, and “Office”-themed documents.

Sample subjects:
Angelina Jolie died; Gwen Stefani died; Oprah Winfrey died; Tom Cruise died; Application; Thursday Journal Club; End Of Rotation; Abstracts; Project Declaration; Residency Happy Hour: SOP_POLICIES; Fwd: Updated Journal Club Handout

Sample attachments:
journal club articles.zip; Rotation Input Sheet.zip; ppi and c dif.zip; MSpeck.zip; ResidencyPrep.zip; speck Case presentation draft.zip; journal club template.zip

Detection rates, phone back URLs, and connections with previously profiled campaigns:
news.exe – Trojan.Bredolab-993 – 40/43 (93.0%)
MD5: 44522def7cf2a42aa26f59c2ac4ced58
SHA1: 2f60531b6e33d842eba505f3c3cb81a3ff6e3e6a

journal club articles.exe – Backdoor/Bredolab.edb – 41/43 (95.3%)
MD5: 72e90fd1264e731109d1b6b977b2c744
SHA1: 0a36b882d1b4d8b42cc466ec286e95bbb2e77d49

Upon execution, the samples phone back to:
/mrmun_sgjlgdsjrthrtwg.exe – AS42473 – DOWN
/outlook.exe – AS48691 – ACTIVE

outlook.exe – TrojanSpy:Win32/Fitmu.A – 17/43 (39.5%)
MD5: 8f4eca49b87e36daae14b8549071dece
SHA1: 1d390e9f8d6e744ead58dd6c424581419f732498

Upon execution, the dropped sample phones back to:
cuscuss.com – – Email: info@blackry.com

Also responding to the same IP, at AS42473, are:
wiggete.com – Email: info@blackry.com
depenam.com – Email: info@blackry.com
fishum.com – Email: info@blackry.com
blackry.com – Email: info@blackry.com

Two of the domains are known to have been serving client-side exploits through the following redirectors, although the redirection is currently returning the error “Connect to on port 80 … failed”:

depenam .com/count22.php
blackry .com/count21.php
    – both redirecting to vseohuenno .com/trans/b3/ – – Email: latertrans@gmail.com

Also responding to the same IP, at AS24940, are the following command-and-control and client-side-exploit-serving domains:
gurgamer.com – (New IP: Email: latertrans@gmail.com
moneybeerers.com – Email: latertrans@gmail.com
daeshnew.com – (New IP: Email: latertrans@gmail.com
volosatyhren.com – Email: latertrans@gmail.com
vyebyvglaz.com – Email: latertrans@gmail.com

FedexInvoice_EE776129.exe – Win32/Oficla.LK – 41/43 (95.3%)
MD5: d4e2875127f5cbdf797de7f1417f96a7
SHA1: c2df8d8c178142ba7bee48dbf9a9f68c32a14f5e

Upon execution, the sample phones back to:
ilovelasvegas .ru/web/St/bb.php?v=200&id=636608811&b=24augNEW&tm= – AS39150 – Email: vadim.rinatovich@yandex.ru, with x5vsm5.ru (Email: vadim.rinatovich@yandex.ru) also parked there.
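The check-in URL above is a more durable detection handle than the domain: the path and parameter set survive a change of hosting, while the hostname does not. The following is an added example by the editor, not code from the original post. The only indicator taken from the post is the URL shape /web/St/bb.php?v=200&id=…&b=24augNEW&tm=; the proxy-log format and every log line are constructed for the demo, and reading the query parameters as version, bot id, build tag and timer is an assumption, not something the post states.

```python
"""Flag Oficla-style bb.php check-ins in proxy logs by URL shape, not by domain.

Added example, not from the original post. The check-in URL shape comes from
the post; the log format, the log lines and the parameter semantics (v=version,
id=bot id, b=build tag, tm=timer) are assumptions made for this demo.
"""
from urllib.parse import parse_qs, urlsplit

# Squid-like "timestamp client method url status" lines, constructed for this
# example. Line 3 is a check-in to a host that is NOT on the known list yet.
SAMPLE_LOG = """\
1282608000.123 10.0.0.15 GET http://ilovelasvegas.ru/web/St/bb.php?v=200&id=636608811&b=24augNEW&tm= 200
1282608001.456 10.0.0.22 GET http://www.example.com/index.php?v=1&id=2 200
1282608002.789 10.0.0.15 POST http://x5vsm5.ru/web/St/bb.php?v=200&id=636608811&b=24augNEW&tm=5 404
1282608003.001 10.0.0.31 GET http://updates.example.net/bb.php?v=200&b=test 200
"""

# The check-in carries exactly these four keys; v and id are numeric.
CHECKIN_KEYS = {"v", "id", "b", "tm"}

# Hosts the post names as phone-back destinations for this sample.
KNOWN_CHECKIN_HOSTS = {"ilovelasvegas.ru"}


def is_oficla_checkin(url):
    """Return (host, bot_id, build) if url matches the check-in shape, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/bb.php"):
        return None
    # keep_blank_values so the trailing "tm=" still counts as a present key
    qs = parse_qs(parts.query, keep_blank_values=True)
    if set(qs) != CHECKIN_KEYS:
        return None
    version, bot_id, build = qs["v"][0], qs["id"][0], qs["b"][0]
    if not (version.isdigit() and bot_id.isdigit()):
        return None
    return parts.hostname, bot_id, build


def scan_log(text):
    """Return one hit dict per log line whose URL matches the check-in shape."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash
        _, client, _, url, _ = fields[:5]
        match = is_oficla_checkin(url)
        if match is None:
            continue
        host, bot_id, build = match
        hits.append({
            "client": client,
            "host": host,
            "bot_id": bot_id,
            "build": build,          # campaign/build tag, e.g. 24augNEW
            "known_host": host in KNOWN_CHECKIN_HOSTS,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "known C2" if hit["known_host"] else "NEW host, same check-in shape"
        print(f'{hit["client"]} -> {hit["host"]} build={hit["build"]} ({flag})')
```

Running it flags both check-ins from 10.0.0.15, and the second one (to a host the blocklist does not know) is exactly the case a domain-only indicator would miss; the `build` field lets you group hits per campaign wave without touching the hostname at all.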

Where do we know the vadim.rinatovich@yandex.ru email from? From two previously profiled campaigns, “Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns” and “Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign”, which have a direct relationship with the Asprox botnet.
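The pivot made by hand above (a registrant email tying the FedEx campaign to earlier posts, and two registrant clusters tied together by a redirect chain) is the kind of correlation worth automating. The following is an added example by the editor, not code from the original post. The domains, ASNs, registrant emails and the two count2x.php redirects are copied from this post; the IPs the post omits are not filled in, so the post's "responding to the same IP" pivot is approximated by the shared ASN, and cuscuss.com's placement at AS42473 is inferred from "also responding ... at AS42473".

```python
"""Pivot the post's indicators on shared registrant email, ASN and redirects.

Added example, not code from the original post. Data below is copied from the
post; omitted IPs are not filled in. Node labels carry a type prefix
(domain:/email:/asn:) so a registrant email can never collide with a hostname.
"""
from collections import defaultdict, deque

# domain -> (ASN, registrant email), as listed in the post. cuscuss.com's ASN is
# inferred from "also responding ... at AS42473" (an assumption).
DOMAINS = {
    "cuscuss.com": ("AS42473", "info@blackry.com"),
    "wiggete.com": ("AS42473", "info@blackry.com"),
    "depenam.com": ("AS42473", "info@blackry.com"),
    "fishum.com": ("AS42473", "info@blackry.com"),
    "blackry.com": ("AS42473", "info@blackry.com"),
    "vseohuenno.com": ("AS24940", "latertrans@gmail.com"),
    "gurgamer.com": ("AS24940", "latertrans@gmail.com"),
    "moneybeerers.com": ("AS24940", "latertrans@gmail.com"),
    "daeshnew.com": ("AS24940", "latertrans@gmail.com"),
    "volosatyhren.com": ("AS24940", "latertrans@gmail.com"),
    "vyebyvglaz.com": ("AS24940", "latertrans@gmail.com"),
    "ilovelasvegas.ru": ("AS39150", "vadim.rinatovich@yandex.ru"),
    "x5vsm5.ru": ("AS39150", "vadim.rinatovich@yandex.ru"),
}

# Redirects the post observed: count22.php / count21.php -> vseohuenno.com/trans/b3/
REDIRECTS = [("depenam.com", "vseohuenno.com"), ("blackry.com", "vseohuenno.com")]


def build_graph(domains, redirects):
    """Undirected graph with domain-asn, domain-email and redirector-target edges."""
    adj = defaultdict(set)

    def link(a, b):
        adj[a].add(b)
        adj[b].add(a)

    for dom, (asn, email) in domains.items():
        link(f"domain:{dom}", f"asn:{asn}")
        link(f"domain:{dom}", f"email:{email}")
    for src, dst in redirects:
        link(f"domain:{src}", f"domain:{dst}")
    return adj


def pivot(adj, seed, max_hops=None, skip_types=()):
    """BFS from seed; return {node: hops}. skip_types drops weak pivots, e.g.
    ("asn",) when the ASN is a large shared hoster and proves little."""
    seen = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if max_hops is not None and seen[node] >= max_hops:
            continue
        for nxt in adj[node]:
            if nxt.split(":", 1)[0] in skip_types or nxt in seen:
                continue
            seen[nxt] = seen[node] + 1
            queue.append(nxt)
    return seen


def components(adj):
    """Connected components (sorted node lists), largest first."""
    remaining = set(adj)
    comps = []
    while remaining:
        reach = set(pivot(adj, min(remaining)))
        comps.append(sorted(reach))
        remaining -= reach
    return sorted(comps, key=len, reverse=True)


def domains_in(nodes):
    """Hostnames among a collection of typed node labels."""
    return sorted(n.split(":", 1)[1] for n in nodes if n.startswith("domain:"))


if __name__ == "__main__":
    graph = build_graph(DOMAINS, REDIRECTS)
    for comp in components(graph):
        print(len(domains_in(comp)), "domains:", ", ".join(domains_in(comp)))
    print("<=2 hops from info@blackry.com:",
          domains_in(pivot(graph, "email:info@blackry.com", max_hops=2)))
```

On this post's data the graph falls into two components: the eleven Office-themed domains form one, because the depenam.com/blackry.com redirectors bridge the info@blackry.com and latertrans@gmail.com clusters, while the two .ru FedEx domains stand alone until the earlier Asprox-related posts' indicators are loaded. The `skip_types=("asn",)` option exists because a shared ASN is a weak pivot (a large hoster houses unrelated customers); registrant email and an observed redirect are the strong links, and they keep the Office-themed component connected even with ASN edges ignored.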

This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.

Author: Dancho Danchev
