In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the situational awareness needed to stay on top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculation and real-time CYBERINT assessments, all packed with a sarcastic attitude.
Tuesday, October 04, 2011
Spamvertised "NACHA security nitification" Serving Malware - Historical OSINT
The following intelligence brief offers historical OSINT on the "NACHA security nitification" malware campaign (the typo is intentionally left intact, as this is how the original campaign was spamvertised).
Spamvertised body:
Dear Valued Client,
We strongly believe that your account may have been compromised. Due to this, we cancelled the last ACH transactions:
- (ID: 13104924)
- (ID: 04804768)
- (ID: 37527025)
- (ID: 51633547)
initiated from your bank account by you or any other person, who might have access to your account.
Detailed report on initiated transactions and reasons for cancellation can be found in the attachment.
--------------------------------------------------------------------------------------------
The ACH transaction (ID: 83612541), recently sent from your bank account (by you or any other person), was rejected by the Electronic Payments Association.
###############################################
Canceled transaction
Transaction ID: 83612541
Reason of rejection See details in the report below
Transaction Report report_1409.pdf.zip (ZIP archive, Adobe PDF)
###############################################
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100
2011 NACHA - The Electronic Payments Association
Spamvertised attachments: report_1409.pdf.zip; Report-8764.zip
Detection rate:
Report-8764.exe - Gen:Trojan.Heur.FU.bqW@amtJU@oi - 39/43 (90.7%)
MD5 : 7c131fa05e01fc32d8f4efe53aa883d1
SHA1 : 14d52d76dd7ccc595554486027634bf8c9877036
SHA256: 1ad11c1193f0dbcae3766e5cb4094acc137c10430d615e55470cbc41ce6cd03a
Upon execution the sample phones back to:
onemoretimehi.ru/piety.exe - 188.65.208.59; 178.208.91.192 - Email: admin@onemoretimehi.ru
onemoretimehi.ru/ftp/g.php
piety.exe - MD5: 4bd87ecc4423f0bc15e229ecbf33aa2c
onemoretimehi.ru/tops.exe - MD5: f076dbc365ec7bfc438ad3c728702122; 86c7489ac539a0b57a4d075e723075f0
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Summarizing ZDNet's Zero Day Posts for September
The following is a brief summary of all of my posts at ZDNet's Zero Day for September. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:
01. Spamvertised 'Facebook notification' leads to exploits and malware
02. Google, Mozilla and Microsoft ban the DigiNotar Certificate Authority in their browsers
03. Microsoft themed ransomware variant spotted in the wild
04. 'Man in wheelchair falls down the elevator shaft' scam spreading on Facebook
05. New ransomware variant uses false child porn accusations
06. Russian Embassy in London hit by a DDoS attack
07. uTorrent.com hacked, serving scareware
08. Bank of Melbourne Twitter account hacked, spreading phishing links
09. Malicious spam campaigns proliferating
10. Spamvertised 'We are going to sue you' emails lead to malware
11. XSS bug in Skype for iPhone, iPad allows address book theft
12. Researcher releases details on 6 SCADA vulnerabilities
13. DIY botnet kit spotted in the wild
14. New Mac OS X trojan poses as malicious PDF file
15. Survey: 60 percent of users use the same password across more than one of their online accounts
Wednesday, September 28, 2011
Spamvertised 'Uniform Traffic Ticket' and 'FDIC Notifications' Serving Malware - Historical OSINT
The following intelligence brief summarizes the findings of a brief analysis of two malware campaigns from August: the spamvertised Uniform Traffic Tickets and the FDIC Notification.
Uniform Traffic Tickets
Spamvertised attachments: Ticket-728-2011.zip; Ticket-064-211.zip; Ticket-728-2011.zip
Detection rates:
Ticket.exe - Gen:Trojan.Heur.FU.bqW@aK9ebrii - Detection rate: 37/43 (86.0%)
MD5 : 6361d4a40485345c18473f3c6b4b6609
SHA1 : 50b09bb2e0044aa139a84c2e445a56f01d70c185
SHA256: ca67a14bfed2a7bc2ac8be9c01cb17d5da12b75320b4bad4fe8d8a6759ad9725
Ticket1.exe - Trojan-Downloader.Win32.Small.ccxz - Detection rate: 36/44 (81.8%)
MD5 : e2a2d67b8a52ae655f92779bec296676
SHA1 : ed3df72b4e073ffba7174ebc8cb77b2b7d012cbf
SHA256: 50b104c5f8314327e03b01e7f7c2535d8de7cd9f73f8e16d1364c7fd021a90cc
Upon execution the samples phone back to:
sdkjgndfjnf.ru/pusk3.exe - 91.220.0.55 (responding to the same IP is also survey-providers.info) - AS51630 - Email: admin@sdkjgndfjnf.ru
rattsillis.com/ftp/g.php - 195.189.226.109; 178.208.77.247; 195.189.226.107; 195.189.226.108 - AS41018 - Email: admin@jokelimo.com
rattsillis.com/pusk3.exe - 195.189.226.109; 178.208.77.247; 195.189.226.107; 195.189.226.108 - AS41018 - Email: admin@jokelimo.com
DNS emulation of the name server ns1.lemanbrostm.info reveals two domains using it: belidiskalom.com - 178.208.76.175 - Email: admin@belidiskalom.com, and lemanbrostm.info - Email: coz@yahoo.com.
Known MD5 modifications for pusk3.exe at rattsillis.com:
Related binaries and associated MD5 modifications:
rattsillis.com/blood.exe - MD5: 23795cb9b2f5e19eff0df0cf2fba9247; 82b6f18b130a1f0ce1ce928d0980fab0
rattsillis.com/pusk.exe - MD5: 55d8e25bc373a98c5c29284c989953ab; 368c86556e827d898f043a4d5f378fa0; 7411d0d29db91f2625ee36d438eb6ac4; 3ea4e9fd297b3058ebbb360c1581aaac;
rattsillis.com/pusk2.exe - MD5: dae9e7653573478a6b41a62f7cb99c12; b73705c097c9be9779730d801ad098e0; d7952c1e77d7bb250cdfa88e157fb5a8
Known MD5 modifications for pusk3.exe at sdkjgndfjnf.ru: 8672f021e7705b6a8132b7dfc21617cf
sdkjgndfjnf.ru/blood.exe - MD5: 577cf0b7ca3d5bcbe35764024f241fa8; ebf7278a7239378e7d70d426779962ce
sdkjgndfjnf.ru/pusk2.exe - MD5: d9e36e25a3181f574fd5d520cb501d3a
sdkjgndfjnf.ru/pusk.exe - MD5: fce04f7681283207d585561ed91e77b4
sdkjgndfjnf.ru/blood.exe - MD5: 577cf0b7ca3d5bcbe35764024f241fa8
Detection rate for blood.exe:
blood.exe - Trojan-Spy.Win32.Zbot - 25/44 (56.8%)
MD5 : 577cf0b7ca3d5bcbe35764024f241fa8
SHA1 : 30f542a44d06d9125cdfbdd38d79de778e4c0791
SHA256: 1741ef5d24641ee99b5d78a68109162bebc714c3d19abc37e3d4472f3dcd6f18
FDIC Notification
Spamvertised attachments: FDIC_Document.zip
Detection rate: FDIC_Document.exe - Gen:Trojan.Heur.FU.bqW@a45Fklbi - 35/44 (79.5%)
MD5 : 7b5a271c58c6bb18d79cd48353127ff6
SHA1 : 6526b6097df42f93bee25d7ea73f95d2fcc24d3a
SHA256: a09165c71a8dd2a1338b2bd0c92ae07495041ae15592e3432bd50600e6ef2af0
Upon execution phones back to:
rattsillis.com/ftp/g.php
rattsillis.com/blood.exe
rattsillis.com/blood.exe - MD5: 23795cb9b2f5e19eff0df0cf2fba9247; 82b6f18b130a1f0ce1ce928d0980fab0
What's particularly interesting is that both campaigns were launched by the same cybercriminal, using the same C&C, rattsillis.com, which was also seen in the spamvertised "ACH Payment Canceled" campaign.
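As an added example (not code from the original post), the "phones back to" lines quoted in the Uniform Traffic Tickets, FDIC and NACHA briefs above are parsed into indicator sets and compared, which is the infrastructure-overlap pivot behind a shared-C&C conclusion. The regexes are assumptions about the brief's informal line format, and the strong/weak ranking of shared indicator kinds is an editorial choice.

```python
import re

# Added example, not code from the original post: parse the brief's informal
# "host/path - ip; ip - ASn - Email: x" callback lines into indicator sets and
# measure infrastructure overlap between campaigns. The regexes are assumptions
# about that line format, not a published schema.
HOST_RE = re.compile(r'^(?P<host>[A-Za-z0-9.-]+\.[a-z]{2,})(?P<path>/\S*)?')
IP_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
ASN_RE = re.compile(r'\bAS\d+\b')
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')

KINDS = ("host", "path", "ip", "asn", "email")
# Shared hosting or registrant data ties campaigns together far more strongly
# than a shared URL path, which many kits reuse (ranking is an assumption).
STRONG = ("host", "ip", "email")


def parse_callback(line):
    """Return {kind: set(values)} for one 'phones back to' line."""
    m = HOST_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a callback line: {line!r}")
    return {
        "host": {m.group("host")},
        "path": {m.group("path") or "/"},
        "ip": set(IP_RE.findall(line)),
        "asn": set(ASN_RE.findall(line)),
        "email": set(EMAIL_RE.findall(line)),
    }


def campaign_indicators(lines):
    """Union of the indicator sets of every callback line of one campaign."""
    merged = {k: set() for k in KINDS}
    for line in lines:
        for kind, values in parse_callback(line).items():
            merged[kind] |= values
    return merged


def overlap(a, b):
    """Indicator values two campaigns have in common, keyed by indicator kind."""
    return {k: sorted(a[k] & b[k]) for k in KINDS if a[k] & b[k]}


def link_strength(shared):
    """'strong' for shared hosting/registrant data, 'weak' for path-only reuse."""
    if any(k in shared for k in STRONG):
        return "strong"
    return "weak" if shared else "none"


# Callback lines quoted from the briefs above (not constructed).
TICKETS = [
    "sdkjgndfjnf.ru/pusk3.exe - 91.220.0.55 (responding to the same IP is also survey-providers.info) - AS51630 - Email: admin@sdkjgndfjnf.ru",
    "rattsillis.com/ftp/g.php - 195.189.226.109; 178.208.77.247; 195.189.226.107; 195.189.226.108 - AS41018 - Email: admin@jokelimo.com",
    "rattsillis.com/pusk3.exe - 195.189.226.109; 178.208.77.247; 195.189.226.107; 195.189.226.108 - AS41018 - Email: admin@jokelimo.com",
]
FDIC = ["rattsillis.com/ftp/g.php", "rattsillis.com/blood.exe"]
NACHA = [
    "onemoretimehi.ru/piety.exe - 188.65.208.59; 178.208.91.192 - Email: admin@onemoretimehi.ru",
    "onemoretimehi.ru/ftp/g.php",
]

if __name__ == "__main__":
    t, f, n = (campaign_indicators(c) for c in (TICKETS, FDIC, NACHA))
    for name, other in (("FDIC", f), ("NACHA", n)):
        shared = overlap(t, other)
        print(f"Tickets vs {name}: {link_strength(shared)} {shared}")
```

Tickets and FDIC share the rattsillis.com host (a strong link), while Tickets and NACHA share only the /ftp/g.php gate path, which on its own is a weak signal.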
Tags: Botnet, FDIC, Hacking, Information Security, Malicious Software, Security, Spam, Spam Campaign, Spam Operations
Tuesday, September 27, 2011
Summarizing ZDNet's Zero Day Posts for August
The following is a brief summary of all of my posts at ZDNet's Zero Day for August. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:
01. Study: Rootkits target pirated copies of Windows XP
02. 56 percent of enterprise users using vulnerable Adobe Reader plugins
03. New malware attack circulating on Facebook
04. Kaspersky: 12 different vulnerabilities detected on every PC
05. Spamvertised Uniform traffic tickets and invoices lead to malware
06. Latest version of Skype susceptible to malicious code injection flaw
07. Spamvertised 'Scan from a Xerox WorkCentre Pro' leads to malware
08. Malware Watch: FDIC and Western Union themed emails lead to malware
Sunday, September 11, 2011
Summarizing 3 Years of Research Into Cyber Jihad
On this very special day, I'd like to honor the fallen by summarizing my research into cyber jihad, a topic I'm still highly passionate about. Enjoy and share it with your social circle!
- Tracking Down Internet Terrorist Propaganda
- Arabic Extremist Group Forum Messages' Characteristics
- Cyber Terrorism Communications and Propaganda
- A Cost-Benefit Analysis of Cyber Terrorism
- Current State of Internet Jihad
- Analysis of the Technical Mujahid - Issue One
- Full List of Hezbollah's Internet Sites
- Steganography and Cyber Terrorism Communications
- Hezbollah's DNS Service Providers from 1998 to 2006
- Mujahideen Secrets Encryption Tool
- Analyses of Cyber Jihadist Forums and Blogs
- Cyber Traps for Wannabe Jihadists
- Inshallahshaheed - Come Out, Come Out Wherever You Are
- GIMF Switching Blogs
- GIMF Now Permanently Shut Down
- GIMF - "We Will Remain"
- Wisdom of the Anti Cyber Jihadist Crowd
- Cyber Jihadist Blogs Switching Locations Again
- Electronic Jihad v3.0 - What Cyber Jihad Isn't
- Electronic Jihad's Targets List
- Teaching Cyber Jihadists How to Hack
- A Botnet of Infected Terrorists?
- Infecting Terrorist Suspects with Malware
- The Dark Web and Cyber Jihad
- Cyber Jihadist Hacking Teams
- Two Cyber Jihadist Blogs Now Offline
- Characteristics of Islamist Websites
- Cyber Traps for Wannabe Jihadists
- Mujahideen Secrets Encryption Tool
- An Analysis of the Technical Mujahid - Issue Two
- Terrorist Groups' Brand Identities
- A List of Terrorists' Blogs
- Jihadists' Anonymous Internet Surfing Preferences
- Sampling Jihadists' IPs
- Cyber Jihadists' and TOR
- A Cyber Jihadist DoS Tool
- GIMF Now Permanently Shut Down
- Mujahideen Secrets 2 Encryption Tool Released
- Terror on the Internet - Conflict of Interest