21/11/2018
09:28

Malspam campaign "PasswordStealer" using legal file-sharing services.


A malspam campaign delivers the "PasswordStealer" Trojan through legitimate file-sharing services, tricking users into running it so that sensitive data can be exfiltrated.
TG Soft's C.R.A.M. (Anti-Malware Research Center) examined some emails spreading the Trojan PasswordStealer on November 20, 2018.
Cyber-criminals have developed "social engineering" techniques for fraudulent mass mailings that induce the victim to open infected attachments or click on links in the body of the message.


 If you received a suspicious email, send it to C.R.A.M. (Center for Anti-Malware Research) following the simple procedure outlined in the link: How to send suspicious emails.

Fake Emails spread Trojan 'PasswordStealer'


How they spread:

On November 20, 2018, several suspicious emails were found, used to trick the recipient into downloading malicious files by exploiting legitimate file-sharing services such as:
  • OneDrive;
  • MediaFire;

In addition to a short text notifying the recipient of an invoice or a shipping document, the delivered e-mails contain a small image (a thumbnail preview of the supposed attachment) that is meant to represent the document received.
Clicking on the image does not lead, as one would expect, to the document, but to the download of a compressed archive, .rar or .zip in the cases we analyzed.


Description:

The emails mentioned above were delivered on November 20, 2018.

Example 1 of analyzed emails:

Subject: Slip di pagamento

picture_1 (screenshot of the first e-mail)

In the first e-mail examined, the file-sharing service MediaFire is used to deliver the infection. Clicking on the fake document preview redirects you to the following site:

https[:]//www[.]mediafire[.]com/file/ba485jpdbbeshan/Invoice_month_11-19-2018.rar/file

from which the Invoice month 11-19-2018.rar archive, containing the file Invoice month 11-19-2018.exe, is downloaded. The file extension alone should set off alarm bells about the legitimacy of the file. When the Invoice month 11-19-2018.exe file is opened, nothing seems to happen, but that is exactly when the infection kicks in.

Name: Invoice month 11-19-2018.exe
MD5: 0121749970D78D2F2E993529E630BBB2
Size: 598360 Bytes
Compilation date: 24/02/2005 - 04:53:22
Malware family: Password Stealer
VirIT: Trojan.Win32.Injector.BCN

At startup it waits a few seconds, then restarts and copies itself under a new name to the following system folder:
  • C:\Users\[utente_pc]\AppData\Roaming\Install\Host.exe
After copying itself and starting from the new location, it creates a registry key to ensure persistence in the system, so that it is active every time the PC starts.

The key is as follows:
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"NetWire"="C:\Users\[utente_pc]\AppData\Roaming\Install\Host.exe"
After ensuring persistence on the PC, the malware scans the system for stored credentials and other information from programs such as:
  • Microsoft Outlook
  • Mozilla Firefox
  • Mozilla Thunderbird
  • SeaMonkey
  • Internet Explorer
After that, it contacts the host gbam1985[.]hopto[.]org, with IP address 185[.]244[.]30[.]102, on port 3369 to send the collected information. Finally, a Logs folder is created in the %appdata%/Roaming system directory:

  • C:\Users\[utente_pc]\AppData\Roaming\Logs\
where a file named after the current date [DD - MM - YYYY] is written, containing a log of everything that was exfiltrated from the PC / Server.




Example 2 of examined email:

Subject: SHIPPING DOCUMENTS (ETA 29/11/2018)

picture_2 (screenshot of the second e-mail)

In the second e-mail examined, the file-sharing service OneDrive is used to deliver the infection. Clicking on the document preview redirects you to the site:

https[:]//onedrive[.]live[.]com/download?cid=43D6934B8391AB43&resid=43D6934B8391AB43%21108&authkey=ACOI-kydEDoN92k

from which the SCAN_INV_0001524.zip archive is downloaded, which contains the SCAN_INV_0001524.exe payload. Executing it triggers the infection.

Name: SCAN_INV_0001524.exe
MD5: 12E8B2DA2D2DF16F0F61968DC5419F0F
Size: 618760 Bytes
Compilation date: 25/02/2005 - 05:54:23
Malware family: Password Stealer NanoCore
VirIT: Trojan.Win32.PSWStealer.BCM

After being started, the malware waits for a few seconds, restarts, and then runs again.
A folder is then created in %appdata%/Roaming whose name is the value of the MachineGuid registry key; since this value is different for each Windows installation, it allows the cyber-criminal organization to catalog the exfiltrated data per victim.

In our case the following folder was created:
  • C:\Users\[utente_pc]\AppData\Roaming\C69802BC-D96A-48DA-ABE6-0E5E19AC8613
The created folder will later be populated with other files and subfolders but, before doing so, the malware tries to ensure persistence on the machine by making a copy of itself and changing its name to the following location:
  • C:\Program Files\DSL Monitor\dslmon.exe
After copying itself to the new location it creates the registry key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DSL Monitor"="C:\Program Files\DSL Monitor\dslmon.exe"

By doing so, the malware is able to start when the PC starts up, regardless of which user logs in.
In addition to writing the registry key, it also creates two scheduled tasks in C:\windows\system32\tasks so that, if the key is deleted from the registry or becomes corrupted for any reason, the malware will still be executed. The two tasks are:
  • DSL Monitor
  • DSL Monitor Task
The difference between the two tasks is that DSL Monitor starts the original file from the folder where it was saved, while DSL Monitor Task starts the malware from C:\Program Files\DSL Monitor\dslmon.exe, that is, from the location it copied itself to.

Then, the malware opens a connection to the host goodweb[.]ddns[.]net, which has IP address 181[.]215[.]247[.]156, on port 1190, and sends the information exfiltrated from the infected PC to it.

The folder created earlier is populated with the following files:
  • catalog.dat
  • run.dat
  • settings.bak
  • settings.bin
  • storage.dat
  • task.dat
These files contain the exfiltrated information. Within the same folder there is also a subfolder Logs/[User_pc] containing a file KB_7550421.dat, which records what was typed and where (keylogging function).
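The following PowerShell script is an added example written for this article; it is not code from TG Soft or from the samples. It is a read-only triage check for the host artifacts described in both examples above: the NetWire and DSL Monitor Run values, the dropped copies Host.exe and dslmon.exe, the Logs and MachineGuid folders, and the two scheduled tasks. It assumes Windows 8 / Server 2012 or later (for Get-ScheduledTask) and an elevated prompt; paths are built from %APPDATA% and %ProgramFiles% rather than hard-coded, and HKCU is only checked for the user running the script.

```powershell
# Added example (not TG Soft's code): read-only triage for the persistence
# artifacts described in Example 1 (NetWire Run value, Host.exe, Logs folder)
# and Example 2 (DSL Monitor Run value, scheduled tasks, MachineGuid folder).
# It only reports findings; it deletes and modifies nothing.
# Run from an elevated PowerShell prompt on the host under investigation.

$Findings = New-Object System.Collections.Generic.List[string]

# Run-key entries named in the article. HKCU covers the current user only;
# on a multi-user host, repeat the check against every loaded user hive.
$RunKeys = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'NetWire' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'DSL Monitor' }
)
foreach ($k in $RunKeys) {
    $item = Get-ItemProperty -Path $k.Path -Name $k.Name -ErrorAction SilentlyContinue
    if ($item) {
        $Findings.Add("Run value '$($k.Name)' in $($k.Path) -> $($item.$($k.Name))")
    }
}

# Scheduled tasks created by the second sample (names taken from the article).
foreach ($taskName in 'DSL Monitor', 'DSL Monitor Task') {
    $task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
    if ($task) {
        $exe = ($task.Actions | ForEach-Object { $_.Execute }) -join '; '
        $Findings.Add("Scheduled task '$taskName' -> $exe")
    }
}

# Dropped copies and data folders. The MachineGuid folder name differs per
# host, so it is read from the registry instead of being hard-coded.
$MachineGuid = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography' -Name MachineGuid -ErrorAction SilentlyContinue).MachineGuid
$Paths = @(
    (Join-Path $env:APPDATA 'Install\Host.exe'),
    (Join-Path $env:APPDATA 'Logs'),
    (Join-Path $env:ProgramFiles 'DSL Monitor\dslmon.exe')
)
if ($MachineGuid) { $Paths += (Join-Path $env:APPDATA $MachineGuid) }

# MD5s from the IoC section; a file on these paths with any other hash is
# still reported, since a new build of the same malware would hash differently.
$KnownMd5 = @('0121749970D78D2F2E993529E630BBB2', '12E8B2DA2D2DF16F0F61968DC5419F0F')
foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
            $tag = if ($KnownMd5 -contains $md5) { 'KNOWN SAMPLE' } else { 'unverified' }
            $Findings.Add("File present: $p (MD5 $md5, $tag)")
        } else {
            $Findings.Add("Folder present: $p")
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No artifacts from this campaign were found on this host.'
} else {
    Write-Warning "Possible PasswordStealer artifacts found ($($Findings.Count)):"
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on a folder or a Run value alone is not proof of infection (a user could have a legitimate program named similarly), but the combination of the Run value, the copy in the stated location and the data folder matches the behaviour described for these samples and warrants isolating the host and collecting the Logs folder before remediation.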


The purpose of these types of malware is to exfiltrate as much sensitive information as possible including:
  • Passwords of e-mail addresses;
  • Bank account logins and passwords;
  • Logins and Passwords of major Social Networks as well as those of major e-commerce platforms.
The primary goal of those orchestrating these attacks is to exploit the victims' e-mail accounts to expand the botnet. Where bank accounts are concerned, the goal is the actual theft of money. The exfiltration of social network logins and passwords enables identity theft.



IoC (Indicators of Compromise)

MD5:
0121749970D78D2F2E993529E630BBB2
12E8B2DA2D2DF16F0F61968DC5419F0F

URL:
https[:]//www[.]mediafire[.]com/file/ba485jpdbbeshan/Invoice_month_11-19-2018.rar/file
https[:]//onedrive[.]live[.]com/download?cid=43D6934B8391AB43&resid=43D6934B8391AB43%21108&authkey=ACOI-kydEDoN92k
gbam1985[.]hopto[.]org
goodweb[.]ddns[.]net

IP:
185[.]244[.]30[.]102[:]3369
181[.]215[.]247[.]156[:]1190
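The IoCs above are published defanged so they cannot be clicked by accident; before they can be searched for in proxy, DNS or firewall logs they have to be refanged and escaped. The PowerShell below is an added example for this article, not TG Soft's code: it reverses the `[.]` and `[:]` defanging, builds one literal-match pattern from the list, and runs it over a few constructed sample log lines (the lines, usernames and internal addresses are made up for the demonstration).

```powershell
# Added example (not TG Soft's code): refang the published IoCs and search
# log lines for them. The sample log lines below are constructed.

# IoCs exactly as published in the article (defanged form).
$DefangedIocs = @'
https[:]//www[.]mediafire[.]com/file/ba485jpdbbeshan/Invoice_month_11-19-2018.rar/file
https[:]//onedrive[.]live[.]com/download?cid=43D6934B8391AB43&resid=43D6934B8391AB43%21108&authkey=ACOI-kydEDoN92k
gbam1985[.]hopto[.]org
goodweb[.]ddns[.]net
185[.]244[.]30[.]102[:]3369
181[.]215[.]247[.]156[:]1190
'@ -split "`r?`n" | Where-Object { $_.Trim() }

function ConvertFrom-Defanged {
    param([Parameter(ValueFromPipeline)][string]$Indicator)
    process {
        # Undo bracket defanging: "[.]" becomes "." and "[:]" becomes ":".
        $Indicator -replace '\[\.\]', '.' -replace '\[:\]', ':'
    }
}

$Iocs = $DefangedIocs | ConvertFrom-Defanged

# Escape each indicator so that '.', '?' and '&' in URLs match literally,
# then join them into a single alternation for one pass over the logs.
$Pattern = ($Iocs | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Constructed sample log lines (proxy, DNS and firewall formats are invented).
$SampleLogs = @(
    '2018-11-20T09:12:01Z proxy user=mrossi GET https://www.mediafire.com/file/ba485jpdbbeshan/Invoice_month_11-19-2018.rar/file 200',
    '2018-11-20T09:12:40Z dns client=10.0.5.23 query=gbam1985.hopto.org A 185.244.30.102',
    '2018-11-20T09:12:41Z fw allow 10.0.5.23:51234 -> 185.244.30.102:3369 tcp',
    '2018-11-20T09:15:10Z proxy user=lbianchi GET https://www.example.com/ 200',
    '2018-11-20T10:02:17Z fw allow 10.0.5.40:49002 -> 181.215.247.156:1190 tcp'
)

function Find-IocHits {
    param([string[]]$Lines, [string]$Regex)
    # Select-String returns one MatchInfo per matching line; report the
    # indicator that matched alongside the full line for the analyst.
    $Lines | Select-String -Pattern $Regex -AllMatches | ForEach-Object {
        [pscustomobject]@{
            Indicator = $_.Matches[0].Value
            Line      = $_.Line
        }
    }
}

Find-IocHits -Lines $SampleLogs -Regex $Pattern | Format-Table -AutoSize
# Against real logs: Find-IocHits -Lines (Get-Content .\proxy.log) -Regex $Pattern
```

On the constructed input this reports four hits (the MediaFire download, the DNS query for gbam1985.hopto.org and the two firewall connections to the C2 ports) and leaves the benign example.com request alone. The IP:port pairs are matched as published, so a connection to the same address on a different port would not be flagged; if you want to hunt on the bare addresses as well, add them to the list as separate entries.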
 


How to identify a fake email

Experience and common sense are the first weapons to avoid these kinds of scams.
Careful reading of the email, in all its elements, is essential. Be wary of ZIP-formatted attachments and, if possible, DO NOT enable automatic macro execution. Automatic execution of macros is strongly discouraged, since simply opening Word and Excel files would then run their macros immediately, without any prior alert.
In case you have been infected by a Banker, the advice from TG Soft's C.R.A.M. is to take appropriate security precautions even after the remediation of the system(s) involved such as changing the most commonly used passwords on the Web. In case the workstation involved was used for home-banking transactions, an assessment with your credit institution is also recommended.  

How to send suspicious emails for analysis as possible virus/malware/ransomware and/or Phishing attempts

Sending materials to the TG Soft's Anti-Malware Research Center for analysis, which is always free of charge, can be done safely in two ways:
  1. Any suspicious email can be sent directly from the recipient's e-mail client to the address lite@virit.com, choosing "Forward as Attachment" as the sending mode and writing "Possible phishing page to verify" or "Possible Malware to verify" in the subject;
  2. Save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program used. The resulting file must then be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). If you want feedback on the analysis of the submitted data, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).
  We give you these suggestions to help avoid credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.
 

Integrate your PC / SERVER protection with Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use and increase the security of your computers, PCs and SERVERs alike.

Vir.IT eXplorer Lite has the following special features:
  • freely usable in both private and corporate environments, with Engine+Signature updates without time limitation;
  • interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and SERVERs. We recommend using it as a supplement to the AntiVirus already in use, as it does not conflict with it or slow down the system, but significantly increases security in terms of identification and remediation of infected files;
  • it identifies and, in many cases, also removes most of the viruses/malware currently circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
  • through the Intrusion Detection technology, also available in the Lite version of Vir.IT eXplorer, the software is able to report new-generation viruses/malware that have installed themselves automatically and to send the reported files to TG Soft's C.R.A.M.
  • Proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.

For Vir.IT eXplorer PRO users...

 

For Vir.IT eXplorer PRO owners, it is also possible to contact TG Soft's technical phone support for free. The details can be found on the CLIENTS support page.
 


C.R.A.M.

TG Soft's Anti-Malware Research Center


 




Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”
