Malware infrastructure breakdown

Investigating a malicious email the other day, came across a bit of a more widely deployed infrastructure than what I tend to see in day to day malspam campaigns.

We received a single email that linked to a site at the IP 23.95.97.56. But after preliminary investigation we found the site ended up at hxxps://www[.]eastendbuzz[.]com/vosg/report

This domain was not on the previous IP but instead on 216.172.168.138.

After some more pivoting using Urlscan.io we found that there were at least 5 different domains acting as pivot points for the campaign.

Here we can see the redirect from the pivot point. The following 5 domains were found based at 23.95.97.56 and redirecting to the final site.

hxxp://gfafoods[.]com/v3/report/id29173 
hxxp://laborss[.]com/v4/report/id26364 
hxxp://prestoquest[.]com/v5/report/id23779
hxxp://laborss[.]com\v1\report\id25329
hxxp://teachpulse[.]com/v5/report/id27246

Once arriving at the site the user tries to view the document promised only to be greeted by an error message. This page uses javascript to execute the popup hiding the true link to the download from traditional automated analysis.

Once clicked the user is asked to download an exe file update_v1201.exe. Passing this to VT and HA we see the following:

This looks to link this to a variant of a trojan/banking malware. Looking deeper into the strings it looks as though the code contains pieces of the powerarchiver software package from conexware.com.

Based on the malware family names report in the VT reports I found this article for the TinyNuke malware, which seems to mimic the distribution pattern seen both in the delivery and being include inside of other software packages.

https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet

All in all a little more than the average malspam, have insights let me know @laskow26 on twitter.

 

IOC’s

hxxp://gfafoods[.]com/v3/report/id29173
hxxp://laborss[.]com/v4/report/id26364
hxxp://prestoquest[.]com/v5/report/id23779
hxxp://laborss[.]com\v1\report\id25329
hxxp://teachpulse[.]com/v5/report/id27246

hxxps://www[.]eastendbuzz[.]com/vosg/report

2de8cc70becf90e36a8a89515e5045ef7eb2ea412577f8a98e2f88775f5d5c76

update_v1201.exe

 

https://www.hybrid-analysis.com/sample/2de8cc70becf90e36a8a89515e5045ef7eb2ea412577f8a98e2f88775f5d5c76

https://www.virustotal.com/#/file/2de8cc70becf90e36a8a89515e5045ef7eb2ea412577f8a98e2f88775f5d5c76/detection

 

Pre-release update, before publication occurred I followed up on the VT report for a reanalysis, and wow have the rates of detection changed, what a difference a day can make.