A javascript file – Invoice from UK

It’s been quite a while since I was able to analyse my spam emails. Recently, I received an email with a zip attachment claiming to be an invoice. A screenshot of the email is below.

(screenshot: email)

Email analysis:

  • Sender: Woodard.52@sunshine-yorkshire.co.uk
  • IP extracted from the header: 130.204.206.58 – 602ad0ccae26.softphone.blizoo.bg – Bulgaria
  • The sender does not know my name and addressed me by my email id – likely a phishing tool sending random phishing emails.
  • No mention of the organisation Mr Royce is representing – likely Sunshine Care, but it is not mentioned in the signature. Sunshine Care provides health and social care services in the UK.

Attachment:

  • Zip file with my email id: myemailid_addition_028146
  • Contains JavaScript: addition-7866.js

JavaScript analysis:

  • The JavaScript seems to be incomplete and functions are not properly defined.
  • The only executable statement visible is an eval: eval(aZRcdUoP1.split('').reverse().join(''));
  • aZRcdUoP1 is the only defined variable; however, its definition is commented out.
  • The function aZRcdUoP1.split is not defined at all.
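To show what the reverse-and-eval pattern above hides without running the script, here is an added Python example (not code from the attachment or the post). It assumes the WordPress-style split(”) shown on this page stands for split('') in the original file; the sample script and its payload are constructed.

```python
import re

# Constructed sample modelled on the attachment described above: the payload
# variable's definition is commented out and the only live statement reverses
# the string and feeds it to eval(). The payload itself is benign and made up.
SAMPLE_JS = r"""
// var aZRcdUoP1 = ";)'dedoced'(ohcE.tpircSW";
eval(aZRcdUoP1.split('').reverse().join(''));
"""

# Matches eval(<name>.split('').reverse().join('')). The alternation also accepts
# the curly quotes that blog software substitutes for '' when a sample is pasted.
EVAL_RE = re.compile(
    r"eval\(\s*([A-Za-z_$][\w$]*)\.split\(\s*(?:''|\"\"|”|’)\s*\)"
    r"\.reverse\(\)\.join\(\s*(?:''|\"\"|”|’)\s*\)\s*\)"
)

def find_reversed_eval(src):
    """Return the variable name fed to the reverse-and-eval call, or None."""
    m = EVAL_RE.search(src)
    return m.group(1) if m else None

def find_string_assignment(src, name):
    """Return the string literal assigned to `name`. search() does not care
    whether the line starts with //, so a commented-out definition still counts."""
    pat = re.compile(r"(?:var\s+)?" + re.escape(name)
                     + r"\s*=\s*(['\"])((?:\\.|(?!\1).)*)\1")
    m = pat.search(src)
    return m.group(2) if m else None

def decode_reversed_eval(src):
    """Recover the string eval() would run, without executing any JavaScript."""
    name = find_reversed_eval(src)
    if name is None:
        return None
    literal = find_string_assignment(src, name)
    if literal is None:
        return None  # never assigned: the script is incomplete, as in the sample analysed
    return literal[::-1]

if __name__ == "__main__":
    print(decode_reversed_eval(SAMPLE_JS))
```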

There are no other HTML files in the attachment that reference the script. I uploaded the file to VirusTotal and the results were interesting – 22 vendors identified it as malicious – https://www.virustotal.com/en/file/b35cf64a33c965b36e4de6d7a6e1a6bb088d8070e202326c941700c6dfd8800e/analysis/1466653302/

The file was also analysed using JSDetox and jsunpack and nothing was detected. It is likely that the same filename was analysed previously via VirusTotal, which has links or IOCs as detected by vendors. Below are the file details:

  • MD5: ee427a22d3a6e25251bbfb7bc3823140
  • SHA1: d675fddd4e85400a8f712792f6711dbf0e003c34
  • SHA256: b35cf64a33c965b36e4de6d7a6e1a6bb088d8070e202326c941700c6dfd8800e

The JS was not able to execute, as by default Windows Script Host can only execute a script of 1022 characters or fewer. You can always change this, but the solution is beyond this article.

Final words:

The email address and language are quite good, but the malware/JS is quite old and not properly scripted. The attachment is a zip with only one JS file. Also, the malware is widely known.

Security Controls:

  • Endpoint protection – normally all corporate organisations have it.
  • Changing file associations – If for some reason endpoints are not updated or protection is not available on the system, a good way to make sure foreign files do not execute is to change their default application – for example, a .js file can be set to open in Notepad, which can be done through Group Policy. This ensures that any foreign/malicious JavaScript that manages to get onto the system opens as a text file, which will not infect the system and will alert the user to a file that should not be there.
  • Email gateway tuning – gateways must be properly tuned to make sure these types of emails are classified as spam – most properly tuned gateways will do so – the mentioned email address/IP can be added to the security devices.

Ho Ho Ho – Here comes the spam/phish

Merry Christmas and Happy New Year to all !

I thought I would start the new year with a blog post about spam impersonating Australian giants – Woolworths, JB HiFi, Flight Centre, Bunnings, etc.

Although we are on holidays, attackers/hackers are not. Holiday time is in fact a very good time to target organisations, as most of the staff are enjoying meals at home with their families while companies work with skeleton resources. Let’s analyse the emails. The screenshots follow:

(screenshot: mails)

The screenshot above shows the Australian vendors being impersonated.

  1. Myer – Win a Myer voucher – Sender: account@zepeem.com
  2. URLs in the mail:

(screenshot: myers)

Conclusion: Suspicious and seems to be phishing sites.

  1. Bunnings – Bunnings Gift Card – Bunnings0256986@relaisnautische.eu
  2. Subject of the email – %$email – likely an automated email generator was used, but they forgot to change the subject to something that looks real.
  3. mailed-by: shriek.relaisnautische.eu
  4. Links on the flyer are not clickable. The only clickable link is the unsubscribe link, which goes to http://pss.relaisnautische.eu/, and that is not active.

Conclusion – Suspicious and seems to be phishing site

  1. Woolwhorths? – Isn’t it Woolworths? – Woolwhorth8965742@ondernemingtoon.eu
  2. (screenshot: woolworths)
  3. Subject: SCRATCH & WIN – this time they got it right
  4. mailed-by: zoroastrian.ondernemingtoon.eu
  5. Links are identified as phishing by Google.
  6. Phishing link :

Conclusion – Phishing website.

Senders: Should be blocked on email filters


Other links/IP addresses: SIEM rules should be updated to catch any communication to these URLs. The URLs can also be blocked on web filters.


Final words:

  1. Similar links were used in the other emails. Based on the HTTP objects extracted from all of them, I can only see PNG files. No executables or JavaScript were noted.
  2. All emails have one sender country in common – Germany.
  3. Unsubscribing goes to PO Box 1960 #22445 Wilmington, DE 19899.
  4. The phishing attempt seems to be generic and concentrates on just getting private information from the user, especially email addresses.
  5. No attempts at dropping malware were identified from the links.

Organisations should be on the lookout for any use of their brand name to deceive users into providing personal information. As users trust these organisations, it is the organisation’s responsibility to have proper brand monitoring in place, or outsourced, so that phishing campaigns using their names can be identified and controlled.

Security awareness for all users is also important, to make sure they do not click on unsolicited emails.

Happy 2016!!!!

An interesting email – FROM field empty

Received an interesting email yesterday from Mr. Gordon Hills from London, who wanted me to be his partner so that 5 million dollars could be released to me. Sometimes it does feel like someone should give me money 🙂

(screenshot: email header)

The email seems to be a template and this could be a broadcast on the internet. It is interesting to see that the sender email is hidden. The technique is not new but is still being used. There are a lot of anonymous email services that can be used to do the same. I looked through the header and was able to find the originating IP as 104.47.100.221 – mail-ma1ind01hn0221.outbound.protection.outlook.com. The IP is blacklisted on multiple sites.
When we hit reply, the email is supposed to go to masterkey728@gmail.com. From the header, the originating IP for the email is 116.203.77.238, which is again blacklisted in Spamhaus.
The email has no attachments or URLs. The attempt is likely to collect personal information for a further follow-up campaign.

Associated IPs:

104.47.100.221
116.203.77.238

Blacklisting:
http://www.ipvoid.com/scan/116.203.77.238/ – This IP address is infected with, or is NATting for a machine infected with, the ZeroAccess botnet, also known as Sirefef, as per the Spamhaus CBL.

http://www.ipvoid.com/scan/104.47.100.221/ – a known spammer – http://www.dnsbl.manitu.net/lookup.php?language=en&value=104.47.100.221

Westpac Spam and an approach to STIX language

In my previous post regarding the Westpac phishing mail, I mentioned the associated domain and IP address.

Recently I have been diving into threat intelligence, and especially into how to share information about my findings with the rest of the world beyond this blog.

I ventured into understanding STIX – Structured Threat Information Expression – and below is my first attempt to write a small snippet.

<stix:Observables cybox_major_version="1" cybox_minor_version="1">
<cybox:Observable id="mkioc1">
<cybox:Object id="IP address">
<cybox:Properties xsi:type="AddressObject:AddressObjectType" category="ipv4-addr">
<AddressObject:Address_Value>197.232.31.99</AddressObject:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
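As an added example rather than the author's snippet, the following Python builds the same kind of Observables document for the three IOCs from the Westpac post (197.232.31.99, 41.57.96.54, bbodyregistry.com) using ElementTree, so that namespaces, quoting and closing tags stay consistent and the result parses back. It assumes the STIX 1.1 / CybOX 2.1 namespace URIs listed in NS; the id values are made up.

```python
import xml.etree.ElementTree as ET

# STIX 1.1 / CybOX 2.1 namespace URIs (assumed for this example).
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObject": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObject": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def q(prefix, local):
    """Clark-notation tag/attribute name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)

def build_observables(indicators, id_prefix="mkioc"):
    """indicators: list of (kind, value) pairs; kind is 'ipv4' or 'domain'."""
    root = ET.Element(q("stix", "Observables"),
                      {"cybox_major_version": "2", "cybox_minor_version": "1"})
    for n, (kind, value) in enumerate(indicators, 1):
        obs = ET.SubElement(root, q("cybox", "Observable"), {"id": "%s-%d" % (id_prefix, n)})
        obj = ET.SubElement(obs, q("cybox", "Object"), {"id": "%s-%d-obj" % (id_prefix, n)})
        if kind == "ipv4":
            props = ET.SubElement(obj, q("cybox", "Properties"), {
                q("xsi", "type"): "AddressObject:AddressObjectType", "category": "ipv4-addr"})
            ET.SubElement(props, q("AddressObject", "Address_Value")).text = value
        elif kind == "domain":
            props = ET.SubElement(obj, q("cybox", "Properties"), {
                q("xsi", "type"): "DomainNameObject:DomainNameObjectType", "type": "FQDN"})
            ET.SubElement(props, q("DomainNameObject", "Value")).text = value
        else:
            raise ValueError("unsupported indicator kind: %s" % kind)
    return root

def to_xml(root):
    return ET.tostring(root, encoding="unicode")

def extract_values(xml_text):
    """Parse a document back and return the indicator values in document order."""
    wanted = {q("AddressObject", "Address_Value"), q("DomainNameObject", "Value")}
    return [e.text for e in ET.fromstring(xml_text).iter() if e.tag in wanted]

# IOCs listed in the Westpac post.
WESTPAC_IOCS = [("ipv4", "197.232.31.99"), ("ipv4", "41.57.96.54"),
                ("domain", "bbodyregistry.com")]

if __name__ == "__main__":
    print(to_xml(build_observables(WESTPAC_IOCS)))
```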

I will be writing a bit more about STIX and the importance of sharing threat intelligence in later posts.

Westpac spam email – You have new notification

Malicious or spam emails are frequent, and they are one of the best ways to get a system/host infected.

Recently I received an email from one of the Big 4 banks of Australia – Westpac.

The very first thing: I am not a customer, so it was definitely a phishing scam.

Actual Email

(screenshots: email headers, Westpac email)

The actual email is a bit unprofessional. The URL ends with Bankingx. The email comes from west-pac@bbodyregistry.com.
Looking at the email headers, the originating IP address is 41.57.96.54. The headers also show the email came via IP 197.232.31.99. The geolocation of both IP addresses is Kenya.

VirusTotal results: https://www.virustotal.com/en/ip-address/41.57.96.54/information/
The IP address does have a few malicious URLs detected previously.

Clicking the URL in the email redirects to http://antoniahallcommunications.com/referrer/. The site is identified as a phishing attack by Google Chrome.

(screenshot: Chrome phishing warning)

So I disabled the phishing and malware protection in the browser settings and accessed the site again. No signatures were triggered on Security Onion Snort. I received the following response:

(screenshot: TCP stream)

The site resolves to 198.46.82.80 – ehub36.webhostinghub.com – a free web hosting service.

The site actually belongs to Antonia Hall, a publicist.

Below are the IOCs:

197.232.31.99
41.57.96.54
bbodyregistry.com

Conclusion:

I did not find anything malicious besides this being an unsuccessful attempt to get a user to click on a link. Also, the URL is not accessible anymore.

An email from UN – attachment ATM_CARD_1.doc – IRREVOCABLE PAYMENT ORDER VIA ATM CARD

Received an email from UN@ – there is no email domain in the sender field, which is why it was identified as spam.

(screenshot: email from UN)

The attachment was a DOC file – ATM_CARD_1.doc – I checked various websites (malwr.com, VirusTotal, Shodan) but found no information about the mentioned DOC file.

MD5: 2134a6afb12a5a2bcdd77b09e43a8e29 – not reported.

I uploaded the file to VirusTotal but did not find any hits – https://www.virustotal.com/en/file/058767db41be4365c137dfd2ed857e86211c724a3037c561f7a9d0f994e6c829/analysis/1443706261/

ExifTool output:

ExifTool Version Number : 8.60
File Name : ATM_CARD__1_.doc
Directory : .
File Size : 86 kB
File Modification Date/Time : 2015:10:01 13:01:39+00:00
File Permissions : rw-r-----
File Type : DOC
MIME Type : application/msword
Author : FullNameHere
Template : Normal
Last Modified By : SONY
Revision Number : 2
Software : Microsoft Office Word
Total Edit Time : 2.0 minutes
Last Printed : 2010:11:24 17:52:00
Create Date : 2015:09:28 02:38:00
Modify Date : 2015:09:28 02:38:00
Pages : 1
Words : 436
Characters : 2491
Security : None
Company : OrgHome
Lines : 20
Paragraphs : 5
Char Count With Spaces : 2922
App Version : 12.0000
Scale Crop : No
Links Up To Date : No
Shared Doc : No
Hyperlinks Changed : No
Title Of Parts :
Heading Pairs : Title, 1
Code Page : Windows Latin 1 (Western European)
Hyperlinks : http://www.yahoo.com/_ylt=AkJ_84uMIDD6A0cgsAd.wbubvZx4;_ylu=X3oDMTNoamk4OG9oBGEDMTAwODE3IFNFRyBzaGluZSBpZGVudGl0eSB0aGVmdCB0BGNwb3MDMwRnA2lkLTM2MjMyBGludGwDdXMEcGtndgM4BHBvcwMxBHNlYwN0ZC1mZWF0BHNsawNpbWFnZQRzbHBvcwNGBHRlc3QDNzAx/SIG=13ip2d9rl/EXP=1282263418/**http%3A/shine.yahoo.com/event/financiallyfit/13-things-an-identity-thief-wont-tell-you-2299277/, http://www.uneca.org/istd/ict/images/UN-logo%5b2%5d.GIF, http://www.uneca.org/istd/ict/images/UN-logo%5b2%5d.GIF, http://www.uneca.org/istd/ict/images/UN-logo%5b2%5d.GIF, http://www.uneca.org/istd/ict/images/UN-logo%5b2%5d.GIF
Comp Obj User Type Len : 39
Comp Obj User Type : Microsoft Office Word 97-2003 Document

"Last Modified By" seems interesting, as it says SONY. The attachment has no links for a user to click. However, it requests personal information and informs the recipient about a payment of 250 K Pounds.

Email within the doc: nationwbk@hotmail.com – a personal email for the UN 🙂
The email also had a number, 0044-7010057597. Based on research the number is in London, obviously, but there is no information about a business. Likely a personal number.
http://www.searchyellowdirectory.com/reverse-phone/447010057597/

No malware found – just a social engineering attempt.

Spam targets the most vulnerable entity in the cyber world – HUMANS.

NDISPlan phishing/malware email

Following my previous blog entry about emails, I have analysed an email that was received from *@ndis.gov.au.

From the email it seems that you have received Shelby’s plan. A question to ask: who is Shelby?

File name – Shelby-MyNDISPlan.zip – I checked online and identified that this is indeed a spam email: myonlinesecurity.co.uk/ndisplan-fake-pdf-malware

Extracted file – Shelby- MyNDISPlan.scr – yes, the plan is a screensaver 🙂

ExifTool results:

ExifTool Version Number : 10.00
File Name : Shelby- MyNDISPlan.scr
Directory : .
File Size : 40 kB
File Modification Date/Time : 2015:09:22 15:46:02+10:00
File Access Date/Time : 2015:09:23 16:01:49+10:00
File Inode Change Date/Time : 2015:09:23 15:59:42+10:00
File Permissions : rw-------
File Type : Win32 EXE
File Type Extension : exe
MIME Type : application/octet-stream
Machine Type : Intel 386 or later, and compatibles
Time Stamp : 2015:03:30 09:35:32+11:00
PE Type : PE32
Linker Version : 7.10
Code Size : 11264
Initialized Data Size : 29184
Uninitialized Data Size : 0
Entry Point : 0x18ee
OS Version : 4.0
Image Version : 0.0
Subsystem Version : 4.0
Subsystem : Windows GUI
File Version Number : 1.0.146.0
Product Version Number : 1.0.146.0
File Flags Mask : 0x0000
File Flags : (none)
File OS : Win32
Object File Type : Executable application
File Subtype : 0
Language Code : Spanish (Castilian)
Character Set : Unknown (90A0)
Company Name : MonlinA Corporation
File Description : MonlinA launch tools
File Version : 7.00.146
Internal Name : monlin.EXE
Legal Copyright : ©MonlinA Corporation. All rights reserved.
Original File Name : monlin.EXE
Product Name : MonlinA® launch tools
Product Version : 1.00.146

This is indeed suspicious, as the SCR file has an EXE embedded: monlin.exe.

Dynamic analysis showed no communication to any external hosts or IP addresses.

The file likely changes values within the registry or a process related to the screensaver. I will also try to run the EXE and see what changes.

Sandbox: https://tria.ge/220423-q1jjmsggfk/behavioral1

Identified as Upatre – https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre

Emails – The good, The bad and The ugly side

Email – as we know, it is a very efficient way to communicate without physically visiting the intended recipients. Email has been with us for many years, and its initial purpose was to reduce the time and effort of communication.

But recently email is being used for social engineering and phishing. Forget about the good old days when you received emails only from known parties. Now even the prince of Nigeria has your email address and wants to give you money.

As a security researcher and SOC analyst, I have noticed that email is the top and one of the most used channels to transfer these malicious files. It’s like yelling the name John in a crowd: somebody will eventually respond.

Detecting suspicious emails ?

  1. Language – typos and grammar errors will be there – sometimes they are not.
  2. Sender domain – may have a typo, or may be a legitimate one.
  3. Roll your mouse over the embedded links in the email and you will see a random site.
  4. Attachment – names are too close to legitimate ones, or suspicious.
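One way to automate point 3 (the link you see is not the link you get) is to compare each anchor's visible text and href host against the domain the mail claims to come from. The Python below is an added example, not from the original post; the HTML body is constructed from the Westpac and Bunnings mails described earlier, and the brand-domain check is a plain suffix match with no public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Hostname of a URL or bare domain string, lower-cased ('' if none)."""
    url = text if "://" in text else "http://" + text
    return (urlsplit(url).hostname or "").lower()

def under_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def suspicious_links(html, brand_domain):
    """Flag links whose visible text names a different host than the href,
    or whose href is not under the domain the mail claims to come from."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host, reasons = host_of(href), []
        if "." in text and " " not in text and host_of(text) != href_host:  # text looks like a URL
            reasons.append("display text points to %s, href to %s" % (host_of(text), href_host))
        if not under_domain(href_host, brand_domain):
            reasons.append("href host %s is not under %s" % (href_host, brand_domain))
        if reasons:
            findings.append((href, text, reasons))
    return findings

# Constructed HTML body modelled on the Westpac and Bunnings mails in these posts.
SAMPLE_HTML = """<p>Dear customer, you have a new notification.</p>
<a href="http://antoniahallcommunications.com/referrer/">https://www.westpac.com.au/Bankingx</a>
<a href="https://www.westpac.com.au/help/">Help centre</a>
<a href="http://pss.relaisnautische.eu/">unsubscribe</a>"""
```

Calling suspicious_links(SAMPLE_HTML, "westpac.com.au") flags the first and third links and leaves the genuine help-centre link alone.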

The best way to fight this is with user awareness. Emails exploit the most vulnerable entity – HUMANS. A mind where curiosity inevitably kills the cat.

Attackers thrive on 2 human characteristics – FEAR and CURIOSITY.

  1. FEAR – we have noticed a suspicious transaction on your account. Please click on this link to change your password.
  2. CURIOSITY – sorry we missed you; we have a package waiting for you. Please open the attached file for more information. There is a package indeed, but for your PC – malware, I mean 🙂

Other ways to detect:

  1. Mail gateways with proper monitoring
  2. DLP – can be used to monitor the content of emails.