Fake Travel Reservation Malspam Campaign Dropping Pony

The LookingGlass Cyber Threat Intelligence Group (CTIG) observed a new malspam campaign pretending to be from a travel consultant asking for payment of an attached invoice for a travel reservation. The attachment was actually a macro-enabled Microsoft Word document with an executable file embedded in an OLE object.

Below is a screenshot of what an example of this malspam campaign looks like:

[Screenshot: the malspam email as received]

Below are some of the important pieces of the SMTP header, which can be used for blocking on your SMTP gateways:

Return-Path: <jeremy@abercrombiekent[.]com>
Received: from abercrombiekent[.]com (78.red-80-26-159.adsl.static.ccgg.telefonica[.]net. [80.26.159[.]78])
Reply-To: "Jeremy Sellards,A&K" <jeremy@abercrombiekent[.]com>
From: "Jeremy Sellards,A&K" <jeremy@abercrombiekent[.]com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0 Lightning/2.6.4
MIME-Version: 1.0
Subject: Re: Re: reservation
Content-Type: multipart/mixed;
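A small triage script for the header fragment above, added to this write-up as an example and not LookingGlass CTIG tooling. It parses the published header (kept defanged in the constant, refanged only in memory), checks the Return-Path and connecting IP against the two sender indicators from this post, and flags that the HELO name (the claimed abercrombiekent domain) does not agree with the reverse DNS of the connecting host (a telefonica.net DSL address). The Postfix access(5) lines it emits are an assumption about one way a gateway might consume the result.

```python
"""Triage of a malspam SMTP header fragment against known indicators."""
import re

# Indicators from the write-up, in the defanged form in which they were published.
KNOWN_SENDER = "jeremy@abercrombiekent[.]com"
KNOWN_SOURCE_IP = "80.26.159[.]78"

# Header fragment as published (a constructed copy for this example).
SAMPLE_HEADER = """Return-Path: <jeremy@abercrombiekent[.]com>
Received: from abercrombiekent[.]com (78.red-80-26-159.adsl.static.ccgg.telefonica[.]net. [80.26.159[.]78])
Reply-To: "Jeremy Sellards,A&K" <jeremy@abercrombiekent[.]com>
From: "Jeremy Sellards,A&K" <jeremy@abercrombiekent[.]com>
Subject: Re: Re: reservation
Content-Type: multipart/mixed;
"""

# "from <helo> (<reverse-dns> [<ip>])" as written by most MTAs.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)")


def refang(value):
    """Turn a defanged indicator ('[.]') back into its live form for matching."""
    return value.replace("[.]", ".")


def parse_headers(raw):
    """Map lower-cased header name -> value; keeps the first occurrence only."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def extract_address(value):
    """Pull the bare address out of '"Display Name" <user@host>'."""
    m = re.search(r"<([^>]+)>", value)
    return (m.group(1) if m else value).strip().lower()


def triage(raw_header):
    """Return the parsed envelope data plus a list of human-readable findings."""
    headers = parse_headers(refang(raw_header))
    findings = []

    sender = extract_address(headers.get("return-path", ""))
    if sender == refang(KNOWN_SENDER):
        findings.append("Return-Path matches known malspam sender")

    helo = rdns = ip = None
    m = RECEIVED_RE.search(headers.get("received", ""))
    if m:
        helo, rdns, ip = m.groups()
        rdns = rdns.rstrip(".")  # MTAs often append the trailing dot of the FQDN
        if ip == refang(KNOWN_SOURCE_IP):
            findings.append("connecting IP matches known malspam source")
        if not rdns.lower().endswith(helo.lower()):
            findings.append("HELO %s does not match reverse DNS %s" % (helo, rdns))

    return {"sender": sender, "helo": helo, "rdns": rdns, "ip": ip, "findings": findings}


def postfix_access_entries(result):
    """Assumed output format: Postfix access(5) table lines for sender and client maps."""
    entries = []
    if result["sender"]:
        entries.append("%s REJECT" % result["sender"])
    if result["ip"]:
        entries.append("%s REJECT" % result["ip"])
    return entries


if __name__ == "__main__":
    outcome = triage(SAMPLE_HEADER)
    for finding in outcome["findings"]:
        print("-", finding)
    for entry in postfix_access_entries(outcome):
        print(entry)
```

The HELO/rDNS comparison is the part worth keeping even after these specific indicators go stale: a residential DSL host announcing itself as a corporate domain is a durable signal for this kind of spoofed-sender malspam.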

Upon opening the attachment named bill1201.doc (SHA256: 51641d928e79d26d63a7b7c0436d9daa8baa142ce263bac860706ef8335731f1), the victim is presented with a security warning stating that macros have been disabled, along with instructions on how to enable the content to see the “bill”.

[Screenshot: Word security warning with the document's instructions to enable content]

After enabling macros, the embedded executable file of the credential stealing Pony malware (SHA256: e43600efe968efd66376ec5ff1cc87e3aea2de87ec8b00a893a0fccaff18ea83) is written to disk at the following location:

C:\Users\{USERNAME}\AppData\Local\Temp\krt21.exe

We can then immediately see POST requests using HTTP 1.0 to meletwihi[.]ru/gate.php (185.18.53[.]146), which returned a 503 response code at the time of this writing.

[Screenshot: HTTP 1.0 POST requests to meletwihi[.]ru/gate.php]

Data sent back to the C&C servers by Pony includes information about the machine itself, as well as credentials stored in applications on the machine. By examining a memory dump of the running krt21.exe process, we can identify the list of applications from which Pony attempts to steal credentials, which includes browsers and many FTP programs:

[Screenshot: targeted application list recovered from the krt21.exe memory dump]

Additional analysis of the memory dump reveals the other C&Cs that Pony will attempt to POST data to, as well as the locations from which it will attempt to download a stage two payload.

[Screenshot: additional C&C and stage two payload URLs recovered from the memory dump]

C&Cs:

hxxp://meletwihi[.]ru/gate.php
hxxp://ressparromi[.]ru/gate.php
hxxp://ruathanhep[.]ru/gate.php

Stage Two Payload Locations:

hxxp://hindistanvizesi[.]com.tr/wp-content/plugins/cached_data/ff.exe
hxxp://divatisestore[.]com/wp-content/plugins/cached_data/ff.exe
hxxp://ebbabogados[.]com/wp-content/plugins/cached_data/ff.exe

The executable being distributed from these locations was first identified as the Vawtrak financial malware (SHA256: ac63acfa6ad704993ec2d89eda5b60c518ca0bce494629e6f5aa0a2d55329a61). However, the payload has since changed to a file not found on VirusTotal, SHA256: d4a6aff04eb17c075a308f0b6d9c44fd7aaf6b79528d0b724ec889f3bcdb76c8.

Behavioral analysis of the downloaded payload is beyond the scope of this blog, but an analysis report of the initial Vawtrak payload is available here: https://www.hybrid-analysis.com/sample/ac63acfa6ad704993ec2d89eda5b60c518ca0bce494629e6f5aa0a2d55329a61?environmentId=1

Summary of IOCs:

jeremy@abercrombiekent[.]com
80.26.159[.]78
185.18.53[.]146
hxxp://meletwihi[.]ru/gate.php
hxxp://ressparromi[.]ru/gate.php
hxxp://ruathanhep[.]ru/gate.php
hxxp://hindistanvizesi[.]com.tr/wp-content/plugins/cached_data/ff.exe
hxxp://divatisestore[.]com/wp-content/plugins/cached_data/ff.exe
hxxp://ebbabogados[.]com/wp-content/plugins/cached_data/ff.exe
51641d928e79d26d63a7b7c0436d9daa8baa142ce263bac860706ef8335731f1
e43600efe968efd66376ec5ff1cc87e3aea2de87ec8b00a893a0fccaff18ea83
ac63acfa6ad704993ec2d89eda5b60c518ca0bce494629e6f5aa0a2d55329a61
d4a6aff04eb17c075a308f0b6d9c44fd7aaf6b79528d0b724ec889f3bcdb76c8
bill1201.doc
C:\Users\{USERNAME}\AppData\Local\Temp\krt21.exe
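To put the IOC list above to work, here is an added example (not LookingGlass CTIG tooling) that sorts the published indicators into typed sets and sweeps two data sources a responder typically has at hand: web proxy logs, for the gate.php POSTs and the stage two downloads, and a file inventory, for the document and dropper hashes. The proxy lines, the inventory and its benign entries are constructed sample data, and the log layout (timestamp, client, method, URL, status) is an assumption; the "POST to /gate.php" heuristic generalizes the behaviour described above to C2 hosts not yet on the list and is marked for review rather than treated as a confirmed match.

```python
"""Sweep proxy logs and a file inventory for the indicators published in this post."""
import re
from urllib.parse import urlparse

# IOC list exactly as published above (defanged); the script refangs in memory only.
IOCS = r"""
jeremy@abercrombiekent[.]com
80.26.159[.]78
185.18.53[.]146
hxxp://meletwihi[.]ru/gate.php
hxxp://ressparromi[.]ru/gate.php
hxxp://ruathanhep[.]ru/gate.php
hxxp://hindistanvizesi[.]com.tr/wp-content/plugins/cached_data/ff.exe
hxxp://divatisestore[.]com/wp-content/plugins/cached_data/ff.exe
hxxp://ebbabogados[.]com/wp-content/plugins/cached_data/ff.exe
51641d928e79d26d63a7b7c0436d9daa8baa142ce263bac860706ef8335731f1
e43600efe968efd66376ec5ff1cc87e3aea2de87ec8b00a893a0fccaff18ea83
ac63acfa6ad704993ec2d89eda5b60c518ca0bce494629e6f5aa0a2d55329a61
d4a6aff04eb17c075a308f0b6d9c44fd7aaf6b79528d0b724ec889f3bcdb76c8
bill1201.doc
C:\Users\{USERNAME}\AppData\Local\Temp\krt21.exe
"""

# Constructed proxy log: timestamp, client IP, method, URL, status code.
SAMPLE_PROXY_LOG = """2015-12-01T18:39:10Z 10.0.0.15 POST http://meletwihi.ru/gate.php 503
2015-12-01T18:39:12Z 10.0.0.15 GET http://hindistanvizesi.com.tr/wp-content/plugins/cached_data/ff.exe 200
2015-12-01T18:40:01Z 10.0.0.22 GET http://www.example.com/index.html 200
2015-12-01T18:41:07Z 10.0.0.15 POST http://185.18.53.146/gate.php 503
2015-12-01T18:42:30Z 10.0.0.31 POST http://unlisted-host.example/gate.php 200
"""

# Constructed file inventory (path -> SHA256); the all-zero / all-one digests are placeholders.
SAMPLE_FILES = {
    r"C:\Users\jdoe\Downloads\bill1201.doc": "51641d928e79d26d63a7b7c0436d9daa8baa142ce263bac860706ef8335731f1",
    r"C:\Users\jdoe\AppData\Local\Temp\krt21.exe": "e43600efe968efd66376ec5ff1cc87e3aea2de87ec8b00a893a0fccaff18ea83",
    r"C:\Users\asmith\AppData\Local\Temp\krt21.exe": "0" * 64,
    r"C:\Windows\System32\notepad.exe": "1" * 64,
}


def refang(value):
    """Convert the published defanged form back to the live form used in logs."""
    return value.replace("[.]", ".").replace("hxxp://", "http://")


def classify(iocs_text):
    """Sort free-form IOC lines into typed sets so each log field is matched appropriately."""
    b = {"email": set(), "ip": set(), "url": set(), "host": set(), "sha256": set(), "file": set()}
    for line in iocs_text.splitlines():
        v = refang(line.strip())
        if not v:
            continue
        if "@" in v:
            b["email"].add(v.lower())
        elif v.startswith("http://"):
            b["url"].add(v.lower())
            b["host"].add(urlparse(v).hostname)
        elif re.fullmatch(r"[0-9a-fA-F]{64}", v):
            b["sha256"].add(v.lower())
        elif re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", v):
            b["ip"].add(v)
        else:
            b["file"].add(v.lower())  # bare file names and full on-disk paths
    return b


def scan_proxy(log_text, b):
    """Return (client, url, reason) for each proxy line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, client, method, url, _status = parts[:5]
        host = urlparse(url).hostname or ""
        if url.lower() in b["url"]:
            hits.append((client, url, "known C2 / payload URL"))
        elif host in b["ip"]:
            hits.append((client, url, "known C2 IP"))
        elif host in b["host"]:
            hits.append((client, url, "known C2 / payload host"))
        elif method == "POST" and url.endswith("/gate.php"):
            # Heuristic: the Pony check-in pattern seen above, on a host not yet listed.
            hits.append((client, url, "Pony-style POST to gate.php (review)"))
    return hits


def scan_files(inventory, b):
    """Return (path, reason) for inventory entries matching a known hash or file name."""
    hits = []
    for path, digest in inventory.items():
        name = path.rsplit("\\", 1)[-1].lower()
        if digest.lower() in b["sha256"]:
            hits.append((path, "hash matches known sample"))
        elif name in b["file"] or any(f.endswith("\\" + name) for f in b["file"]):
            hits.append((path, "file name matches IOC list"))
    return hits


if __name__ == "__main__":
    buckets = classify(IOCS)
    for hit in scan_proxy(SAMPLE_PROXY_LOG, buckets) + scan_files(SAMPLE_FILES, buckets):
        print(*hit)
```

Matching the bare IP 185.18.53[.]146 as a URL host matters here because the write-up shows the C2 resolving to that address; a dropper that falls back to the raw IP once the domain is sinkholed would otherwise slip past a hostname-only list. The name-based file match is deliberately kept separate from the hash match so that a rebuilt dropper with a new hash (as the stage two payload already demonstrated) still surfaces for review.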