Historical OSINT: Celebrities Death, Fedex Invoices, Office-Themed Malware Campaigns

As promised, this would be a pretty short historical OSINT post -- catching up is in progress -- detailing the structure of several campaigns that took place throughout July-August, 2010, and (as always) try to emphasize on the connection with historical malware campaigns profiled on my personal blog.

Campaigns of notice include: spamvertised "Celebrities death-themed emails", "Fedex shipment status themed invoices", and "Office-themed documents".

Sample subjects:
Angelina Jolie died; Gwen Stefani died; Oprah Winfrey died; Tom Cruise died; Application; Thursday Journal Club; End Of Rotation; Abstracts; Project Declaration; Residency Happy Hour: SOP_POLICIES; Fwd: Updated Journal Club Handout

Sample attachments:
journal club articles.zip; Rotation Input Sheet.zip; ppi and c dif.zip; MSpeck.zip; ResidencyPrep.zip; speck Case presentation draft.zip; journal club template.zip

Detection rates, phone back URLs, and connections with previously profiled campaigns:
- news.exe - Trojan.Bredolab-993 - 40/ 43 (93.0%)
MD5: 44522def7cf2a42aa26f59c2ac4ced58
SHA1: 2f60531b6e33d842eba505f3c3cb81a3ff6e3e6a

- journal club articles.exe - Backdoor/Bredolab.edb - 41/ 43 (95.3%)
MD5: 72e90fd1264e731109d1b6b977b2c744
SHA1: 0a36b882d1b4d8b42cc466ec286e95bbb2e77d49

Upon execution, the samples phone back to:
188.65.74.161 /mrmun_sgjlgdsjrthrtwg.exe - AS42473 - DOWN
194.28.112.3 /outlook.exe - AS48691 - ACTIVE

- outlook.exe - TrojanSpy:Win32/Fitmu.A - 17/ 43 (39.5%)
MD5: 8f4eca49b87e36daae14b8549071dece
SHA1: 1d390e9f8d6e744ead58dd6c424581419f732498

Upon execution, the dropped sample phones back to:
cuscuss.com - 188.65.74.164 - Email: info@blackry.com

Responding to 188.65.74.164 at AS42473 are also:
wiggete.com - Email: info@blackry.com
depenam.com - Email: info@blackry.com
fishum.com - Email: info@blackry.com
blackry.com - Email: info@blackry.com

Two of the domains are know to have been serving client-side exploits, but the redirection is currently returning an error "Connect to 188.40.232.254 on port 80 ... failed".

- depenam .com/count22.php
- blackry .com/count21.php
    - vseohuenno .com/trans/b3/ - 188.40.232.254 - Email: latertrans@gmail.com

Responding to 188.40.232.254, AS24940 are also the following command and control, client-side exploit serving domains:
gurgamer.com - (New IP: 86.155.172.30) Email: latertrans@gmail.com
moneybeerers.com - Email: latertrans@gmail.com
daeshnew.com - (New IP: 86.145.158.90) Email: latertrans@gmail.com
volosatyhren.com - Email: latertrans@gmail.com
vyebyvglaz.com - Email: latertrans@gmail.com
---------------------------------------------------------------------------------

- FedexInvoice_EE776129.exe - Win32/Oficla.LK - 41/ 43 (95.3%)
MD5: d4e2875127f5cbdf797de7f1417f96a7
SHA1: c2df8d8c178142ba7bee48dbf9a9f68c32a14f5e

Upon execution, the sample phones back to:
ilovelasvegas .ru/web/St/bb.php?v=200&id=636608811&b=24augNEW&tm= - 109.196.134.44, AS39150 - Email: vadim.rinatovich@yandex.ru with x5vsm5.ru - Email: vadim.rinatovich@yandex.ru also parked there.

Where do we know the vadim.rinatovich@yandex.ru email from? From two previously profiled campaigns "Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns"; and "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign" having a direct relationship with the Asprox botnet.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.