The LookingGlass Cyber Threat Intelligence Group (CTIG) observed a new malspam campaign pretending to be from a travel consultant asking for payment of an attached invoice for a travel reservation. The attachment was actually a macro-enabled Microsoft Word document with an executable file embedded in an OLE object.
Below is a screenshot of an example email from this malspam campaign:
Below are the relevant fields of the SMTP header. The sender address, the originating IP and the distinctive User-Agent can all be used for blocking on your SMTP gateways. Note that although the HELO name claims to be abercrombiekent[.]com, the reverse DNS of the connecting host is a Telefonica ADSL address, not mail infrastructure belonging to that domain:

Return-Path: <jeremy@abercrombiekent[.]com>
Received: from abercrombiekent[.]com (78.red-80-26-159.adsl.static.ccgg.telefonica[.]net. [80.26.159[.]78])
Reply-To: "Jeremy Sellards,A&K" <jeremy@abercrombiekent[.]com>
From: "Jeremy Sellards,A&K" <jeremy@abercrombiekent[.]com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0 Lightning/2.6.4
MIME-Version: 1.0
Subject: Re: Re: reservation
Content-Type: multipart/mixed;
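The following is an added example (not code from the original post or from LookingGlass) of how a gateway-side triage script could act on the header fields above. It parses the raw message with the Python standard library, compares the envelope sender, connecting IP and User-Agent against the indicators quoted in this post, and additionally flags the HELO-name versus reverse-DNS mismatch visible in the Received line. The sample message is constructed from the quoted fields with the defanging brackets removed and a minimal body added; the blocklist constants and the "block on any finding" policy are assumptions for the example.

```python
import email
import ipaddress
import re
from email import policy

# Indicators quoted in the post (defanging brackets removed).
BLOCKED_SENDERS = {"jeremy@abercrombiekent.com"}
BLOCKED_SOURCE_IPS = {ipaddress.ip_address("80.26.159.78")}
BLOCKED_USER_AGENT = "Thunderbird/24.3.0 Lightning/2.6.4"

ADDR_RE = re.compile(r"<?([\w.+-]+@[\w.-]+)>?")
# Matches "from <helo-name> (<rdns-name> [<ip>])" as written in the quoted Received line.
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\(([^\s\[\]()]+)[^\[]*\[(\d{1,3}(?:\.\d{1,3}){3})\]"
)

# Constructed sample: the header fields from the post, plus a minimal body so the
# stdlib parser accepts the multipart Content-Type. Not a captured message.
SAMPLE_MESSAGE = """\
Return-Path: <jeremy@abercrombiekent.com>
Received: from abercrombiekent.com (78.red-80-26-159.adsl.static.ccgg.telefonica.net. [80.26.159.78])
Reply-To: "Jeremy Sellards,A&K" <jeremy@abercrombiekent.com>
From: "Jeremy Sellards,A&K" <jeremy@abercrombiekent.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0 Lightning/2.6.4
MIME-Version: 1.0
Subject: Re: Re: reservation
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

(body omitted)
--b1--
"""


def _registered_domain(host: str) -> str:
    """Crude 'last two labels' domain, enough to compare a HELO name with its rDNS name."""
    labels = [label for label in host.lower().rstrip(".").split(".") if label]
    return ".".join(labels[-2:])


def triage(raw_message: str) -> dict:
    """Return the extracted sender data and the list of reasons to block the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    m = ADDR_RE.search(str(msg.get("Return-Path") or msg.get("From") or ""))
    sender = m.group(1).lower() if m else ""
    if sender in BLOCKED_SENDERS:
        reasons.append("sender_blocked")

    source_ip, helo_rdns_mismatch = "", False
    # The topmost Received header is the hop closest to our gateway.
    for received in msg.get_all("Received", []):
        r = RECEIVED_RE.search(str(received))
        if not r:
            continue
        helo_name, rdns_name, ip = r.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        source_ip = source_ip or ip
        if addr in BLOCKED_SOURCE_IPS:
            reasons.append("source_ip_blocked")
        # A HELO name claiming the sender's domain while rDNS points at consumer ADSL
        # space is the tell visible in the quoted header.
        if _registered_domain(helo_name) != _registered_domain(rdns_name):
            helo_rdns_mismatch = True
    if helo_rdns_mismatch:
        reasons.append("helo_rdns_mismatch")

    if BLOCKED_USER_AGENT in str(msg.get("User-Agent", "")):
        reasons.append("user_agent_match")

    return {"sender": sender, "source_ip": source_ip, "reasons": reasons, "block": bool(reasons)}
```

The exact sender and IP matches will stop this specific campaign; the HELO/rDNS mismatch and User-Agent checks are the ones that keep working once the actor rotates the sending account or host.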
Upon opening the attachment named bill1201.doc (SHA256: 51641d928e79d26d63a7b7c0436d9daa8baa142ce263bac860706ef8335731f1), the victim is presented with a security warning stating that macros have been disabled, along with instructions on how to enable the content to see the “bill”.
After enabling macros, the embedded executable, the credential-stealing Pony malware (SHA256: e43600efe968efd66376ec5ff1cc87e3aea2de87ec8b00a893a0fccaff18ea83), is written to disk as krt21.exe at the following location:
Immediately after execution we see HTTP/1.0 POST requests to meletwihi[.]ru/gate.php (185.18.53[.]146), which returned a 503 response code at the time of this writing. A 503 only means the gate was unavailable when we tested; a host making these requests should still be treated as infected.
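As an added example (not part of the original post), the following script shows how the network behaviour described above could be turned into detection logic over web proxy logs. It flags three things: exact matches on the C&C domains and IP quoted in this post, any HTTP/1.0 POST to a /gate.php path (the check-in shape observed above, applied regardless of domain so that rotated C&C hosts are still caught), and requests for the stage two download path listed later in the post. The log line layout and the sample lines are constructed for the example; the "HTTP/1.0 POST to gate.php" heuristic is a generalization of the single observation in the post and should be validated against your own traffic before alerting on it.

```python
import re
from urllib.parse import urlparse

# Network IOCs quoted in the post (defanging removed).
PONY_C2_HOSTS = {"meletwihi.ru", "ressparromi.ru", "ruathanhep.ru"}
PONY_C2_IPS = {"185.18.53.146"}
STAGE2_PATH_RE = re.compile(r"/wp-content/plugins/cached_data/ff\.exe$")

# Assumed (constructed) proxy log layout for this example:
#   <client_ip> <dest_ip> <method> <url> HTTP/<version> <status>
LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<dest>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"HTTP/(?P<version>\d\.\d) (?P<status>\d{3})$"
)

# Constructed sample log: one real-looking check-in, one check-in to an unknown
# domain, one stage two download, and two benign lines.
SAMPLE_LOG = [
    "10.0.0.21 185.18.53.146 POST http://meletwihi.ru/gate.php HTTP/1.0 503",
    "10.0.0.21 203.0.113.7 POST http://unknownhost.example/gate.php HTTP/1.0 200",
    "10.0.0.21 203.0.113.9 GET http://hindistanvizesi.com.tr/wp-content/plugins/cached_data/ff.exe HTTP/1.1 200",
    "10.0.0.30 198.51.100.4 GET http://www.example.com/index.html HTTP/1.1 200",
    "10.0.0.30 198.51.100.4 POST http://www.example.com/gate.php HTTP/1.1 200",
]


def classify(line: str):
    """Return {client, host, status, tags} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    u = urlparse(f["url"])
    host = (u.hostname or "").lower()
    tags = []
    # Exact indicator matches: the C&C domains and IP from the post.
    if host in PONY_C2_HOSTS or f["dest"] in PONY_C2_IPS:
        tags.append("pony_c2_ioc")
    # Behavioural match: HTTP/1.0 POST to /gate.php. Fires on any domain;
    # HTTP/1.1 POSTs to a gate.php are deliberately not matched.
    if f["method"] == "POST" and f["version"] == "1.0" and u.path.endswith("/gate.php"):
        tags.append("pony_checkin_pattern")
    # Stage two download path used by all three payload hosts in the post.
    if STAGE2_PATH_RE.search(u.path):
        tags.append("stage2_payload_ioc")
    return {"client": f["client"], "host": host, "status": int(f["status"]), "tags": tags}


def scan(lines):
    """Return only the parsed lines that matched at least one indicator or pattern."""
    hits = []
    for line in lines:
        r = classify(line)
        if r and r["tags"]:
            hits.append(r)
    return hits


def infected_clients(lines):
    """Sorted list of client IPs that produced at least one hit."""
    return sorted({h["client"] for h in scan(lines)})
```

Running scan(SAMPLE_LOG) returns three hits, all from 10.0.0.21, and infected_clients() gives the list of hosts to pull for forensics; note that the check-in that received a 503 is still reported, for the reason given above.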
Data sent back to the C&C servers by Pony includes information about the machine itself, as well as credentials stored in applications on the machine. By examining a memory dump of the running krt21.exe process, we can identify the list of applications from which Pony attempts to steal credentials, which includes browsers and many FTP clients:
Additional analysis of the memory dump reveals the other C&Cs that Pony will attempt to POST data to, as well as the locations from which it will attempt to download a stage two payload.
C&C Locations:

hxxp://meletwihi[.]ru/gate.php
hxxp://ressparromi[.]ru/gate.php
hxxp://ruathanhep[.]ru/gate.php

Stage Two Payload Locations:

hxxp://hindistanvizesi[.]com.tr/wp-content/plugins/cached_data/ff.exe
hxxp://divatisestore[.]com/wp-content/plugins/cached_data/ff.exe
hxxp://ebbabogados[.]com/wp-content/plugins/cached_data/ff.exe
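The C&C and payload lists above were recovered from the memory of the running process. As an added example (not code from the original post), the following shows the string-carving step that produces such a list: it pulls printable ASCII and UTF-16LE runs out of a byte blob, then keeps the URLs that look like a Pony gate (/gate.php) or a downloadable executable. The "dump" here is constructed from the URLs quoted in this post surrounded by filler bytes, with one URL stored as UTF-16LE to show why both encodings must be scanned; it is not a real Pony memory dump, and a real one would be read from a file produced by your memory acquisition tool.

```python
import re

URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?")


def extract_strings(data: bytes, min_len: int = 6):
    """Return printable ASCII and UTF-16LE strings of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found


def find_pony_artifacts(data: bytes) -> dict:
    """Carve URLs from a memory blob and split them into gate URLs and payload URLs."""
    urls = sorted({u for s in extract_strings(data) for u in URL_RE.findall(s)})
    return {
        "c2": [u for u in urls if u.endswith("/gate.php")],
        "payloads": [u for u in urls if u.lower().endswith(".exe")],
    }


def build_sample_dump() -> bytes:
    """Constructed stand-in for a krt21.exe memory dump (not real process memory)."""
    ascii_part = b"\x00".join(u.encode() for u in [
        "http://meletwihi.ru/gate.php",
        "http://ressparromi.ru/gate.php",
        "http://ruathanhep.ru/gate.php",
        "http://hindistanvizesi.com.tr/wp-content/plugins/cached_data/ff.exe",
        "http://divatisestore.com/wp-content/plugins/cached_data/ff.exe",
    ])
    # One URL stored as a wide string, as Windows binaries commonly keep them.
    utf16_part = "http://ebbabogados.com/wp-content/plugins/cached_data/ff.exe".encode("utf-16-le")
    filler = bytes(range(256)) * 4  # binary noise on both sides
    return filler + ascii_part + b"\x00\x00" + utf16_part + b"\x00\x00" + filler


if __name__ == "__main__":
    for kind, urls in find_pony_artifacts(build_sample_dump()).items():
        print(kind)
        for u in urls:
            print("  ", u)
```

On the constructed dump this yields the three gate URLs and the three ff.exe locations; on a real dump, expect noise, so review the carved list before promoting anything to an IOC.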
The executable distributed from these locations was first identified as the Vawtrak financial malware (SHA256: ac63acfa6ad704993ec2d89eda5b60c518ca0bce494629e6f5aa0a2d55329a61). However, the payload has since changed to a file not found on VirusTotal, SHA256: d4a6aff04eb17c075a308f0b6d9c44fd7aaf6b79528d0b724ec889f3bcdb76c8.
Behavioral analysis of the downloaded payload is beyond the scope of this blog, but an analysis report of the initial Vawtrak payload is available here: https://www.hybrid-analysis.com/sample/ac63acfa6ad704993ec2d89eda5b60c518ca0bce494629e6f5aa0a2d55329a61?environmentId=1
Summary of IOCs:

Sender address:

jeremy@abercrombiekent[.]com

IP addresses:

80.26.159[.]78 (sending host)
185.18.53[.]146 (meletwihi[.]ru C&C)

C&C URLs:

hxxp://meletwihi[.]ru/gate.php
hxxp://ressparromi[.]ru/gate.php
hxxp://ruathanhep[.]ru/gate.php

Stage two payload URLs:

hxxp://hindistanvizesi[.]com.tr/wp-content/plugins/cached_data/ff.exe
hxxp://divatisestore[.]com/wp-content/plugins/cached_data/ff.exe
hxxp://ebbabogados[.]com/wp-content/plugins/cached_data/ff.exe

SHA256 hashes:

51641d928e79d26d63a7b7c0436d9daa8baa142ce263bac860706ef8335731f1 (bill1201.doc)
e43600efe968efd66376ec5ff1cc87e3aea2de87ec8b00a893a0fccaff18ea83 (Pony, krt21.exe)
ac63acfa6ad704993ec2d89eda5b60c518ca0bce494629e6f5aa0a2d55329a61 (Vawtrak, initial stage two payload)
d4a6aff04eb17c075a308f0b6d9c44fd7aaf6b79528d0b724ec889f3bcdb76c8 (current stage two payload)