As promised, this is a short historical OSINT post (catching up is still in progress) detailing the structure of several campaigns that ran throughout July and August 2010 and, as always, emphasizing their connections with earlier malware campaigns profiled on my personal blog.
Campaigns of note include the spamvertised “Celebrities death-themed emails”, “FedEx shipment status themed invoices”, and “Office-themed documents”.
Sample email subjects used: Angelina Jolie died; Gwen Stefani died; Oprah Winfrey died; Tom Cruise died; Application; Thursday Journal Club; End Of Rotation; Abstracts; Project Declaration; Residency Happy Hour: SOP_POLICIES; Fwd: Updated Journal Club Handout
Sample attachment names: journal club articles.zip; Rotation Input Sheet.zip; ppi and c dif.zip; MSpeck.zip; ResidencyPrep.zip; speck Case presentation draft.zip; journal club template.zip
Detection rates, phone-back URLs, and connections with previously profiled campaigns:
– news.exe – Trojan.Bredolab-993 – 40/43 (93.0%)
– journal club articles.exe – Backdoor/Bredolab.edb – 41/43 (95.3%)
Upon execution, the samples phone back to:
22.214.171.124 /mrmun_sgjlgdsjrthrtwg.exe – AS42473 – DOWN
126.96.36.199 /outlook.exe – AS48691 – ACTIVE
– outlook.exe – TrojanSpy:Win32/Fitmu.A – 17/43 (39.5%)
Upon execution, the dropped sample phones back to:
cuscuss.com – 188.8.131.52 – Email: firstname.lastname@example.org
Responding to 184.108.40.206 at AS42473 are also:
wiggete.com – Email: email@example.com
depenam.com – Email: firstname.lastname@example.org
fishum.com – Email: email@example.com
blackry.com – Email: firstname.lastname@example.org
Two of the domains are known to have been serving client-side exploits, but the redirection currently fails with the error “Connect to 220.127.116.11 on port 80 … failed”.
– depenam .com/count22.php
– blackry .com/count21.php
– vseohuenno .com/trans/b3/ – 18.104.22.168 – Email: email@example.com
Also responding to 22.214.171.124, AS24940, are the following command-and-control and client-side-exploit-serving domains:
gurgamer.com – (New IP: 126.96.36.199) Email: firstname.lastname@example.org
moneybeerers.com – Email: email@example.com
daeshnew.com – (New IP: 188.8.131.52) Email: firstname.lastname@example.org
volosatyhren.com – Email: email@example.com
vyebyvglaz.com – Email: firstname.lastname@example.org
– FedexInvoice_EE776129.exe – Win32/Oficla.LK – 41/43 (95.3%)
Upon execution, the sample phones back to:
ilovelasvegas .ru/web/St/bb.php?v=200&id=636608811&b=24augNEW&tm= – 184.108.40.206, AS39150 – Email: email@example.com, with x5vsm5.ru – Email: firstname.lastname@example.org – also parked there.
Where do we know the email@example.com address from? From two previously profiled campaigns, “Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns” and “Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign”, which have a direct relationship with the Asprox botnet.
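The pivoting performed above (from a dropper's phone-back IP to the other domains parked on that IP, and from a registrant e-mail to campaigns profiled earlier), as an added Python example; this is not code from the original post. All host records, IPs and registrant addresses in it are constructed (RFC 5737 documentation IPs, example.org addresses) and mirror the structure of the post's findings; only the two earlier campaign titles, and their stated Asprox relationship, are taken from the post. A small refang() helper is included because the post mixes defanged spellings such as “depenam .com” with plain ones.

```python
"""Infrastructure pivoting in the style of the post above.

Added example, not code from the original post. All host records below are
constructed (RFC 5737 documentation IPs, example.org registrant addresses);
only the two earlier campaign titles come from the post.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


def refang(indicator: str) -> str:
    """Turn defanged spellings ("depenam .com", "hxxp://", "[.]") into plain ones."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    s = s.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"\s+\.", ".", s)  # "depenam .com" -> "depenam.com"
    return s


@dataclass(frozen=True)
class HostRecord:
    domain: str
    ip: str                      # IP the domain currently resolves to
    registrant_email: str        # WHOIS registrant contact
    campaign: str | None = None  # spam theme the domain was seen in, if any


# Constructed sample data mirroring the post's structure: a dropper phones back
# to one IP, other domains resolve to the same IP, and one cluster's registrant
# e-mail was already seen in earlier, profiled campaigns.
RECORDS = [
    HostRecord("dropper-c2.example", "192.0.2.10", "reg-a@example.org",
               "Office-themed documents"),
    HostRecord("exploit-kit-1.example", "192.0.2.10", "reg-a@example.org"),
    HostRecord("exploit-kit-2.example", "192.0.2.10", "reg-b@example.org"),
    HostRecord("unrelated.example", "198.51.100.7", "reg-c@example.org"),
    HostRecord("fedex-c2.example", "203.0.113.5", "reg-d@example.org",
               "FedEx shipment status invoices"),
    HostRecord("parked.example", "203.0.113.5", "reg-d@example.org"),
]

# Registrant e-mails known from earlier campaigns. The two titles are the ones
# the post names as directly related to the Asprox botnet; the address is a
# constructed placeholder.
KNOWN_REGISTRANTS = {
    "reg-d@example.org": [
        "Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns",
        "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign",
    ],
}


def pivot(records: list[HostRecord], attr: str) -> dict[str, list[str]]:
    """Group domains by a shared attribute ('ip' or 'registrant_email'), keeping
    only groups with two or more members, i.e. the actual pivots."""
    groups: dict[str, set[str]] = defaultdict(set)
    for r in records:
        groups[getattr(r, attr)].add(r.domain)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def cluster(records: list[HostRecord], seed_domain: str) -> list[str]:
    """Every domain reachable from the seed by repeatedly following a shared IP
    or a shared registrant e-mail (the transitive closure of both pivots)."""
    by_domain = {r.domain: r for r in records}
    seen: set[str] = set()
    frontier = [seed_domain]
    while frontier:
        d = frontier.pop()
        if d in seen:
            continue
        seen.add(d)
        r = by_domain[d]
        for other in records:
            if other.domain not in seen and (
                other.ip == r.ip or other.registrant_email == r.registrant_email
            ):
                frontier.append(other.domain)
    return sorted(seen)


def link_to_known(records: list[HostRecord],
                  known: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map each domain whose registrant e-mail was seen before to the earlier
    campaigns it was seen in."""
    return {r.domain: known[r.registrant_email]
            for r in records if r.registrant_email in known}


if __name__ == "__main__":
    print("shared IPs:", pivot(RECORDS, "ip"))
    print("shared registrants:", pivot(RECORDS, "registrant_email"))
    print("cluster around dropper:", cluster(RECORDS, "dropper-c2.example"))
    print("ties to earlier campaigns:", link_to_known(RECORDS, KNOWN_REGISTRANTS))
```

Run as a script, it prints the two pivot tables, the full cluster reachable from the dropper's phone-back host, and the domains whose registrant ties them to the earlier campaigns. Note that a shared IP on its own is weak evidence on shared hosting; the post's stronger link is the registrant e-mail, which is why cluster() follows both but link_to_known() uses only the e-mail.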
This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.