04/12/2018
16:20

Malspam campaign "December update, data analysis updated on listing" targeting Italy delivers the Pony and HawkEye malware.


On December 4, 2018, a massive malspam campaign targeting Italian users delivered the password stealers Pony and HawkEye.


On December 4, 2018, TG Soft's C.R.A.M. (Anti-Malware Research Center) detected a malspam campaign that uses the vulnerability CVE-2018-0802 to target Italian users and spread the Pony and HawkEye malware.

Cyber-criminals have developed "social engineering" methods for fraudulent mass mailings, to induce the victim to open infected attachments or click on links in the body of the message.
If you received a suspicious email, send it to C.R.A.M. (Center for Anti-Malware Research): How to send suspicious emails


Malspam campaigns "December update, data analysis updated on listing"


Description:
On December 4, there was a malspam campaign aimed at Italian users to spread the Pony and HawkEye malware.

The emails have the following subject lines:
  • "Aggiornamento di dicembre, analisi dei dati aggiornata su quotazione"
  • "[info] Aggiornamento di dicembre, analisi dei dati aggiornata su quotazione"

The picture below shows the first email, with the subject line: "Aggiornamento di dicembre, analisi dei dati aggiornata su quotazione".


 

The email has 2 attachments:
  • Analisi dei dati per_dicembre.doc
  • Richiesta urgente di_docency.7z

File name: Analisi dei dati per_dicembre.doc
Size: 124.282 byte
MD5: D513E433B0209D99C30C0149F66BF725
VirIT: Trojan.RTF.Dropper.BDV

File name: Richiesta urgente di_docency.7z
Size: 931.903 byte
MD5: B7BF34E52F8F2664CE3A0FBC2E20CDEF

The picture below shows the second email, with the subject: "[info] Aggiornamento di dicembre, analisi dei dati aggiornata su quotazione".


This email carries a single attachment:
  • documenti.7z

File name: documenti.7z
Size: 805.767 byte
MD5: 37BB86EE0181F6B282985369F5E6EB5A


Analysis of the file "Analisi dei dati per_dicembre.doc"


The document "Analisi dei dati per_dicembre.doc" is an RTF file that contains an exploit for the Equation Editor vulnerability CVE-2018-0802 and a fake WMF (Windows Meta File) image.
When opened, the document looks as in the picture:



The square with the black border is the fake image "A04MV56.wmf":
File Name: A04MV56.wmf
Size: 57.344 byte
MD5: C628EB3FC28139B1D2C4A2E42FD44109
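
A static triage check for the kind of attachment described above, an RTF file carrying a ".doc" extension with an embedded Equation Editor object, is sketched here as an added example (it is not TG Soft's code). The function names and the sample document are constructed for illustration; the sample holds only an OLE object header and no payload, and the brace-delimited `\objdata` parsing is a simplification that heavily obfuscated documents can evade.

```python
import binascii
import re

# ProgID of the Equation Editor OLE object and its CLSID
# {0002CE02-0000-0000-C000-000000000046} in on-disk byte order.
EQUATION_PROGID = b"equation.3"
EQUATION_CLSID = bytes.fromhex("02ce020000000000c000000000000046")


def extract_objdata(rtf: bytes):
    """Yield the decoded bytes of each \\objdata blob (hex text up to the closing brace)."""
    for match in re.finditer(rb"\\objdata", rtf):
        end = rtf.find(b"}", match.end())
        raw = rtf[match.end(): end if end != -1 else len(rtf)]
        # Writers may break the hex run with whitespace; keep only hex digits.
        hexchars = re.sub(rb"[^0-9A-Fa-f]", b"", raw)
        if len(hexchars) % 2:          # tolerate a truncated final nibble
            hexchars = hexchars[:-1]
        yield binascii.unhexlify(hexchars)


def triage(filename: str, data: bytes) -> dict:
    """Static checks only: nothing in the document is rendered or executed."""
    is_rtf = data.lstrip()[:4].lower() == b"{\\rt"   # lenient RTF header check
    objects = list(extract_objdata(data)) if is_rtf else []
    equation = [o for o in objects
                if EQUATION_PROGID in o.lower() or EQUATION_CLSID in o]
    return {
        "rtf_with_doc_extension": is_rtf and filename.lower().endswith(".doc"),
        "embedded_objects": len(objects),
        "equation_editor_objects": len(equation),
    }


def constructed_sample() -> bytes:
    """Constructed, harmless RTF: an OLE 1.0 object header naming Equation.3, no payload."""
    header = (bytes.fromhex("0105000002000000")       # OLEVersion, FormatID (embedded)
              + (11).to_bytes(4, "little") + b"Equation.3\x00")
    hexed = binascii.hexlify(header)
    body = hexed[:20] + b"\r\n" + hexed[20:]           # hex run split across lines
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + body + b"}}}")


if __name__ == "__main__":
    print(triage("sample.doc", constructed_sample()))
```
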

When the Equation Editor exploit for CVE-2018-0802 runs, it decrypts the fake "A04MV56.wmf" image into the executable file OSE.EXE in %temp%:

File Name: OSE.EXE
Size: 57.344 byte
MD5: 52F12D643D9F74583381FCA9C46EE7E5
Compilation date: 26/11/2018 - 18:10:16
VirIT: Trojan.Win32.Downloader.BDW

For persistence, the OSE.EXE file is set to run automatically by creating the following registry value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
OSE =  %temp%\ose.exe
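
The persistence described above can be hunted for by flagging autorun values whose program lives in the user's temp directory. The following is an added example, not code from TG Soft: the environment, the user name "mario" and the two benign entries are constructed, and only the OSE value comes from this page.

```python
import ntpath
import re

PROGRAM_RE = re.compile(r"(.+?\.(?:exe|com|scr|bat|cmd))(?:\s|$)", re.I)


def expand(command: str, env: dict) -> str:
    """Expand %VAR% references; Windows variable names are not case-sensitive."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), command)


def program_of(command: str) -> str:
    """Return the program path from an autorun command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = PROGRAM_RE.match(command)
    return match.group(1) if match else command.split(" ", 1)[0]


def autoruns_from_temp(entries: dict, env: dict) -> list:
    """Return (value name, normalised program path) for autoruns launching from TEMP/TMP."""
    temp_dirs = {ntpath.normcase(ntpath.normpath(env[k]))
                 for k in ("TEMP", "TMP") if k in env}
    hits = []
    for name, command in entries.items():
        program = ntpath.normcase(ntpath.normpath(program_of(expand(command, env))))
        if any(program.startswith(d + "\\") for d in temp_dirs):
            hits.append((name, program))
    return hits


# Constructed environment and RunOnce values for a hypothetical user "mario";
# only the OSE value comes from the page. On a live host the values would be
# read with the standard-library winreg module instead.
ENV = {"TEMP": r"C:\Users\mario\AppData\Local\Temp",
       "TMP": r"C:\Users\mario\AppData\Local\Temp"}
RUNONCE = {
    "OSE": r"%temp%\ose.exe",
    "Updater": r"C:\Program Files\Vendor\update.exe /silent",
    "Setup": r'"C:\Windows\System32\setup helper.exe" /resume',
}

if __name__ == "__main__":
    for name, program in autoruns_from_temp(RUNONCE, ENV):
        print(f"{name}: launches from a temp directory -> {program}")
```
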

The OSE.EXE file is a Trojan Downloader written in MSIL (C#) that connects to the following site: https://ninta[.]pw/Ninta23.exe

from which it downloads the executable file "Ninta23.exe":

File Name: Ninta23.exe
Size: 270.848 byte
MD5: e3debbab5af23e219d69ac20bf0760ea
Compilation date: 04/12/2018 - 01:03:13
VirIT: Trojan.Win32.Pony.BDW

The file "Ninta23.exe" is saved in c:\%user%\Documents\ with the name Ninta.exe. The Ninta.exe malware belongs to the Pony password stealer family and sends the exfiltrated information to the command and control server:
  • http://cm-lagoa[.]pt/panel/gate.php

It also tries to download: http://cm-lagoa[.]pt/panel/shit.exe

The purpose of the password stealer "Ninta.exe", which belongs to the Pony family, is to steal the login credentials for services (home banking), portals or software that are stored on the computer. Here is a list of affected software:
  • Far Manager
  • Total Commander
  • WS_FTP
  • CuteFTP
  • FileZilla
  • Bullet Proof FTP
  • TurboFTPSoftware
  • CoffeeCup Software
  • NCH Software
  • LeapFTPSOFTWARE
  • Opera
  • Firefox
  • SeaMonkey
  • Google Chrome
  • BlazeFtp
  • Windows Mail
  • Windows Live Mail
  • The Bat!
  • Outlook
  • Thunderbird
And many more.

It also contains the following password vocabulary:
123456 password phpbb qwerty 12345 jesus 12345678 1234 abc123 letmein test love 123 password1 hello monkey dragon trustno1 111111 iloveyou 1234567 shadow 123456789 christ sunshine master computer princess tigger football angel jesus1 123123 whatever freedom killer asdf soccer superman michael cheese internet joshua fuckyou blessed baseball starwars 000000 purple jordan faith summer ashley buster heaven pepper 7777777 hunter lovely andrew thomas angels charlie daniel 1111 jennifer single hannah qazwsx happy matrix pass aaaaaa 654321 amanda nothing ginger mother snoopy jessica welcome pokemon iloveyou1 11111 mustang helpme justin jasmine orange testing apple michelle peace secret 1 grace william iloveyou2 nicole 666666 muffin gateway fuckyou1 asshole hahaha poop blessing blahblah myspace1 matthew canada silver robert forever asdfgh rachel rainbow guitar peanut batman cookie bailey soccer1 mickey biteme hello1 eminem dakota samantha compaq diamond taylor forum john316 richard blink182 peaches cool flower scooter banana james asdfasdf victory london 123qwe 123321 startrek george winner maggie trinity online 123abc chicken junior chris passw0rd austin sparky admin merlin google friends hope shalom nintendo looking harley smokey 7777 joseph lucky digital a thunder spirit bandit enter anthony corvette hockey power benjamin iloveyou! 1q2w3e viper genesis knight qwerty1 creative foobar adidas rotimi slayer wisdom


The picture below shows graphically how the malware processes are executed, from the opening of the infected document to the execution of Pony's Ninta.exe process:




File analysis of "Richiesta urgente di_docency.7z"


Within the compressed file "Richiesta urgente di_docency.7z" we find the following file:

File name: Richiesta urgente di docency.exe
Size: 992.256 byte
MD5: DB553286A76871759EBDBC088F2408FA
Compilation date: 28/01/1971 - 05:46:46
VirIT: Trojan.Win32.PSWStealer.BDV

On the machines where we tested the file "Richiesta urgente di_docency.7z", the malware always crashed. Most likely it is another password stealer.

File analysis of "documenti.7z"

Within the compressed file "documenti.7z" we find the following file:

File name: documenti.exe
Size: 835.072 byte
MD5: 2288AE3CC673244A3324F85A6F1E3A33
Compilation date: 03/07/1993 - 23:00:36
VirIT: Trojan.Win32.HawkEye.BDW

Executing the "documenti.exe" file injects the "HawkEye" malware into the AppLaunch.exe process, which in turn performs an injection into two VBC.EXE processes, carrying NirSoft's "Password-Recovery" and "WebBrowserPassView" modules. This lets it exfiltrate the login credentials and passwords stored in the various browsers (Firefox, Chrome, Opera, etc.) and e-mail programs (Windows Mail, Windows Live Mail, Thunderbird, etc.) on the computer.

Exfiltrated information is emailed to the address: handel@e-programy.eu
with subject: HawkEye Keylogger - Reborn v8 - Passwords Logs -  <username> \ <computername>
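
The process chain described above (documenti.exe, then AppLaunch.exe, then two VBC.EXE processes) can be searched for in process-creation telemetry. This added example is not from TG Soft: the event shape, pids and paths are constructed, and it assumes that the injected processes show up as child processes of the injector and that launchers under the Windows and Program Files trees are trusted.

```python
import ntpath

# Assumption of this example: programs under these roots are trusted launchers.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def base(image: str) -> str:
    return ntpath.basename(image).lower()


def in_trusted_root(image: str) -> bool:
    return ntpath.normcase(ntpath.normpath(image)).startswith(TRUSTED_ROOTS)


def hawkeye_like_chains(events: list) -> list:
    """Return (launcher image, AppLaunch pid, [vbc pids]) for each AppLaunch.exe that was
    started from outside the trusted roots and went on to start vbc.exe children."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    findings = []
    for e in events:
        if base(e["image"]) != "applaunch.exe":
            continue
        launcher = by_pid.get(e["ppid"])
        vbc = sorted(c["pid"] for c in children.get(e["pid"], [])
                     if base(c["image"]) == "vbc.exe")
        if launcher and vbc and not in_trusted_root(launcher["image"]):
            findings.append((launcher["image"], e["pid"], vbc))
    return findings


# Constructed process-creation events, in the shape a Sysmon Event ID 1 export
# could be reduced to. The last two rows are a benign build started by an IDE.
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
EVENTS = [
    {"pid": 4100, "ppid": 2200, "image": r"C:\Users\mario\Desktop\documenti.exe"},
    {"pid": 4188, "ppid": 4100, "image": NET + r"\AppLaunch.exe"},
    {"pid": 4260, "ppid": 4188, "image": NET + r"\vbc.exe"},
    {"pid": 4272, "ppid": 4188, "image": NET + r"\vbc.exe"},
    {"pid": 3000, "ppid": 2200, "image": r"C:\Program Files\IDE\devenv.exe"},
    {"pid": 5000, "ppid": 3000, "image": NET + r"\vbc.exe"},
]

if __name__ == "__main__":
    for launcher, pid, vbc in hawkeye_like_chains(EVENTS):
        print(f"{launcher} -> AppLaunch.exe ({pid}) -> vbc.exe {vbc}")
```
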

In the picture below we can see graphically how the processes of the "HawkEye" malware are run from the execution of "documenti.exe" to data exfiltration by exploiting injections on AppLaunch.exe and VBC.EXE:




IOC

URL:
https://ninta[.]pw/Ninta23.exe
http://cm-lagoa[.]pt/panel/gate.php
http://cm-lagoa[.]pt/panel/shit.exe
220-s6.smarthost.pl

IP:
104.18.35[.]110
89.26.249[.]46
91.211.222[.]201 Port: 587

Email:
handel@e-programy.eu
 




How to identify a fake email

Experience and common sense are the first weapons against these kinds of scams.
Careful reading of the email, in all its elements, is essential. Be wary of ZIP-formatted attachments and, if possible, DO NOT enable automatic macro execution. Setting macros to run automatically is strongly discouraged, because simply opening Word and Excel files would then execute the macros immediately, without any prior alert.
If you have been infected by a Banker, the advice from TG Soft's C.R.A.M. is to take appropriate security precautions even after the remediation of the system(s) involved, such as changing the most commonly used passwords on the Web. If the workstation involved is used for home-banking transactions, an assessment with your credit institution is also recommended.

How to send suspicious emails for analysis as possible virus/malware/ransomware and/or Phishing attempts

Sending materials to TG Soft's Anti-Malware Research Center for analysis, which is always free of charge, can be done safely in two ways:
  1. Any suspect email can be sent directly from the recipient's e-mail program to lite@virit.com, choosing "Forward as Attachment" as the sending mode and entering in the subject "Possible phishing page to verify" or "Possible Malware to verify";
  2. Save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file outside the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). If you want feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).
We give you these suggestions to help avoid credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.


 

Integrate your PC / SERVER protection with Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use and increase the security of your computers, PCs and SERVERs alike.


Vir.IT eXplorer Lite has the following special features:
  • It is freely usable in both private and corporate environments, with Engine+Signature updates without time limitation;
  • It is interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and SERVERs. We recommend using it as a supplement to the AntiVirus already in use, as it does not conflict with it or slow down the system but significantly increases security in terms of identification and remediation of infected files;
  • It identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
  • Through the Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have set themselves to run automatically and to send the reported files to TG Soft's C.R.A.M.
  • Proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website

For Vir.IT eXplorer PRO users...

 

Vir.IT eXplorer PRO owners can also contact TG Soft's technical phone support free of charge. The details can be found on the support page CLIENTS.
 


C.R.A.M.

TG Soft's Anti-Malware Research Center


 




Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: