Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: 10/04/11

Tuesday, October 04, 2011

Spamvertised "NACHA security nitification" Serving Malware - Historical OSINT

The following intelligence brief will offer historical OSINT on the "NACHA security nitification" -- the typo is intentionally left as this is how the original campaign was spamvertised -- malware campaign.

Spamvertised body:
Dear Valued Client,We strongly believe that your account may have been compromised. Due to this, we cancelled the last ACH transactions:-(ID: 13104924)-(ID: 04804768)-(ID: 37527025)-(ID: 51633547)initiated from your bank account by you or any other person, who might have access to your account.Detailed report on initiated transactions and reasons for cancellation can be found in the attachment.
--------------------------------------------------------------------------------------------
The ACH transaction (ID: 83612541), recently sent from your bank account (by you or any other person), was rejected by the Electronic Payments Association.
###############################################
Canceled transaction
Transaction ID: 83612541
Reason of rejection See details in the report below
Transaction Report report_1409.pdf.zip (ZIP archive, Adobe PDF)
###############################################
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

2011 NACHA - The Electronic Payments Association

Spamvertised attachments: report_1409.pdf.zip; Report-8764.zip

Detection rate:
Report-8764.exe - Gen:Trojan.Heur.FU.bqW@amtJU@oi - 39/43 (90.7%)
MD5 : 7c131fa05e01fc32d8f4efe53aa883d1
SHA1 : 14d52d76dd7ccc595554486027634bf8c9877036
SHA256: 1ad11c1193f0dbcae3766e5cb4094acc137c10430d615e55470cbc41ce6cd03a

Upon execution the sample phones back to:
onemoretimehi.ru/piety.exe - 188.65.208.59; 178.208.91.192 - Email: admin@onemoretimehi.ru
onemoretimehi.ru/ftp/g.php

piety.exe - MD5: 4bd87ecc4423f0bc15e229ecbf33aa2c
onemoretimehi.ru/tops.exe - MD5: f076dbc365ec7bfc438ad3c728702122; 86c7489ac539a0b57a4d075e723075f0

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Summarizing ZDNet's Zero Day Posts for September

The following is a brief summary of all of my posts at ZDNet's Zero Day for September. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

01. Spamvertised 'Facebook notification' leads to exploits and malware
02. Google, Mozilla and Microsoft ban the DigiNotar Certificate Authority in their browsers
03. Microsoft themed ransomware variant spotted in the wild
04. 'Man in wheelchair falls down the elevator shaft' scam spreading on Facebook
05. New ransomware variant uses false child porn accusations
06. Russian Embassy in London hit by a DDoS attack
07. uTorrent.com hacked, serving scareware
08. Bank of Melbourne Twitter account hacked, spreading phishing links
09. Malicious spam campaigns proliferating
10. Spamvertised 'We are going to sue you' emails lead to malware
11. XSS bug in Skype for iPhone, iPad allows address book theft
12. Researcher releases details on 6 SCADA vulnerabilities
13. DIY botnet kit spotted in the wild
14. New Mac OS X trojan poses as malicious PDF file
15. Survey: 60 percent of users use the same password across more than one of their online accounts

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dancho Danchev