Email with subject line “Re:Forward Statement.” leads to #InfoStealer malware
A fake invoice statement with the subject "Re:Forward Statement.", pretending to come from "Lucy Bustos <lucy@instonemarble.com>" (or random senders) and carrying a malicious archive attachment, is another one of the current bot runs that try to download various Trojans and password stealers, especially banking Trojans like Dridex or Dyreza and ransomware like Locky, CryptoLocker or TeslaCrypt.
The attachment is an .ace file, a compressed archive format similar to zip or rar. It contains an executable that steals passwords from browsers, Windows, email clients and so on.
The sender address may be spoofed or masked, so don't try to respond by phone or email; all you will do is end up with an innocent person or company whose details have been spoofed, picked at random from a long list the bad guys found earlier. Attackers use email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are targeted at small and medium-sized businesses, in the hope of getting a better response than they get from consumers.
The sender's domain has not been hacked, nor have its email or other servers been compromised. They are not sending these emails to you; they are innocent victims in exactly the same way as every recipient of these emails.
----------------------------------- Email information (Sample) -----------------------------------
From:
Lucy Bustos <lucy@instonemarble.com>
Cc:
Subject:
Re:Forward Statement.
Attachment: File04885602.ace
Message:
Good Morning,
Barbara hasn't been in the office for a while and there is some open invoices that I need to collect!
Please see attached and let me know if you have any questions!
Sincerely,
Lucy Bustos
INSTONE, Marble
1629 Doolittle Drive
San Leandro, CA 94577
(510) 351-1900 Phone
(510) 351-1905 Fax
lucy@instonemarble.com
INSTONE Marble Confidential Communication
This electronic mail message and any attachments are intended only for the use of the addressee(s) named above and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not an intended recipient, or the employee or agent responsible for delivering this e-mail to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you received this e-mail message in error, please immediately notify the sender by replying to this message or by telephone. Thank you.
----------------------------------- Email information -----------------------------------
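Mail-gateway-style triage for a message like the sample above, as an added example that is not part of the original post: it parses an .eml, flags archive attachments, recognises the ACE signature even when the extension has been renamed, hashes each attachment and compares the digests with the IoCs listed in the Facts and Findings section. The message built by build_sample_eml() is constructed for the demo with the lure's headers; its attachment is a stub carrying only the ACE magic bytes, not the real sample.

```python
"""
Triage for the "Re:Forward Statement." lure: parse an .eml, flag archive
attachments, detect the ACE signature behind a renamed extension, hash every
attachment and compare it with the IoCs from the write-up.  The message
produced by build_sample_eml() is constructed for this demo.
"""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Digests published in the write-up for the .ace archive and the dropped EXE.
KNOWN_BAD = {
    "8566e4a760587cbb42ff01d2610ed929": "Trojan.Autoit (.ace archive, MD5)",
    "6ac2cb9fc70143f5fa6fe2ff6b819f74ecdc74decb95f81ae7c2f7f37d8ed26f": "Trojan.Autoit (.ace archive, SHA256)",
    "3b634e73069dbed90136b09cad6cf589": "Infostealer EXE (MD5)",
    "c5907225dd3805129f48189420ac7fd3d2c2f811e3ac5a865035f4500518e5c8": "Infostealer EXE (SHA256)",
}
ARCHIVE_EXTENSIONS = (".ace", ".zip", ".rar", ".7z")
LURE_SUBJECT_PREFIX = "re:forward statement"


def is_ace(data):
    """ACE archives carry the signature **ACE** at offset 7 of the main header."""
    return data[7:14] == b"**ACE**"


def match_ioc(md5, sha256):
    """Return the IoC label for either digest, or None when nothing matches."""
    return KNOWN_BAD.get(sha256) or KNOWN_BAD.get(md5)


def triage_message(raw):
    """Parse raw RFC 5322 bytes and return a report with a deliver/quarantine verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    report = {"subject": subject, "sender": str(msg["From"] or ""),
              "attachments": [], "reasons": []}
    if subject.lower().startswith(LURE_SUBJECT_PREFIX):
        report["reasons"].append("subject matches known lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        att = {
            "name": name,
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "archive_ext": name.lower().endswith(ARCHIVE_EXTENSIONS),
            "ace_magic": is_ace(data),
        }
        if att["archive_ext"]:
            report["reasons"].append(f"archive attachment: {name}")
        if att["ace_magic"] and not name.lower().endswith(".ace"):
            report["reasons"].append(f"ACE archive with misleading extension: {name}")
        hit = match_ioc(att["md5"], att["sha256"])
        if hit:
            report["reasons"].append(f"{name} matches known IoC: {hit}")
        report["attachments"].append(att)
    report["verdict"] = "quarantine" if report["reasons"] else "deliver"
    return report


def build_sample_eml():
    """Constructed sample mirroring the lure's headers; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "Lucy Bustos <lucy@instonemarble.com>"
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Re:Forward Statement."
    msg.set_content("Please see attached and let me know if you have any questions!")
    fake_ace = b"\x00" * 7 + b"**ACE**" + b"\x00" * 25  # stub with only the magic bytes
    msg.add_attachment(fake_ace, maintype="application",
                       subtype="octet-stream", filename="File04885602.ace")
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage_message(build_sample_eml())
    print(result["verdict"])
    for reason in result["reasons"]:
        print(" -", reason)
```

The magic-byte check matters because gateways that block on extension alone are bypassed by renaming the archive; hashing both MD5 and SHA256 lets the same lookup table hold whichever digest a feed publishes.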
Facts and Findings:
- The attachment is an .ACE file, a compressed archive format (ACE archives compress and decompress files under Microsoft Windows). It contains an executable (MD5: 3b634e73069dbed90136b09cad6cf589) that works as Infostealer malware.
- Malicious .ace analysis:
  - VirusTotal: Malicious
  - MD5: 8566e4a760587cbb42ff01d2610ed929
  - SHA1: 23fdcb57a6de77f2adf60ca5c99bf7c797fef3ce
  - SHA256: 6ac2cb9fc70143f5fa6fe2ff6b819f74ecdc74decb95f81ae7c2f7f37d8ed26f
  - Common malware name: Trojan.Autoit
- Malicious EXE analysis:
  - VirusTotal: Malicious
  - MD5: 3b634e73069dbed90136b09cad6cf589
  - SHA1: 5f7857525ed6c64cc1a239a928f082d38fc1bcdc
  - SHA256: c5907225dd3805129f48189420ac7fd3d2c2f811e3ac5a865035f4500518e5c8
- It sets a RunOnce registry value so that the command runs at the next startup:
  - \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\"wextract_cleanup0" = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP\"
- New file created: C:\Users\Administrator\AppData\Roaming\WindowsUpdate.exe, written with the help of RegAsm.exe.
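Host-side detection for the two findings above, as an added example that is not part of the original write-up. It turns the RunOnce value and the WindowsUpdate.exe drop into two rules and correlates them per host. The records in SAMPLE_EVENTS are constructed for the demo using Sysmon's field names for EventID 13 (RegistryValueSet) and EventID 11 (FileCreate); the Image paths and the second host are made up. One caveat the code encodes: a RunOnce "wextract_cleanupN" value that calls advpack.dll,DelNodeRunDLL32 on a %TEMP%\IXP000.TMP directory is the cleanup stub that any IExpress/wextract self-extracting package registers, so on its own it only shows that an SFX package ran; the executable written under AppData\Roaming by RegAsm.exe is the strong signal, and the two together are what this sample looks like.

```python
"""
Detection logic for the write-up's host artifacts, run over constructed
Sysmon-style records (EventID 13 = RegistryValueSet, 11 = FileCreate).
SAMPLE_EVENTS is made up for the demo and is not a real capture.
"""
import re
from collections import defaultdict

# Rule 1: the IExpress/wextract cleanup stub.  Weak on its own, since any
# self-extracting package built with IExpress registers the same value.
WEXTRACT_RUNONCE = re.compile(r'\\RunOnce\\"?wextract_cleanup\d+"?$', re.IGNORECASE)
DELNODE_TEMP = re.compile(
    r'advpack\.dll,DelNodeRunDLL32\s+"?[^"]*\\Temp\\IXP\d{3}\.TMP', re.IGNORECASE)

# Rule 2: an .exe written directly under %APPDATA% (AppData\Roaming); written
# by a .NET utility such as RegAsm.exe it is the strong signal in this sample.
ROAMING_EXE = re.compile(r'\\AppData\\Roaming\\[^\\]+\.exe$', re.IGNORECASE)
LOLBIN_WRITERS = {"regasm.exe"}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def check_event(ev):
    """Return a list of (rule, severity, detail) hits for a single event."""
    hits = []
    if ev.get("EventID") == 13:
        target, details = ev.get("TargetObject", ""), ev.get("Details", "")
        if WEXTRACT_RUNONCE.search(target) and DELNODE_TEMP.search(details):
            hits.append(("sfx_cleanup_stub", "low", target))
    elif ev.get("EventID") == 11:
        path = ev.get("TargetFilename", "")
        writer = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if ROAMING_EXE.search(path):
            sev = "high" if writer in LOLBIN_WRITERS else "medium"
            hits.append(("roaming_exe_drop", sev, f"{path} written by {writer}"))
    return hits


def correlate(events):
    """Per-host verdict: both rules firing on one host escalate to critical."""
    per_host = defaultdict(list)
    for ev in events:
        hits = check_event(ev)
        if hits:
            per_host[ev.get("Computer", "?")].extend(hits)
    verdicts = {}
    for host, hits in per_host.items():
        rules = {rule for rule, _, _ in hits}
        if {"sfx_cleanup_stub", "roaming_exe_drop"} <= rules:
            verdicts[host] = "critical"
        else:
            verdicts[host] = max((sev for _, sev, _ in hits), key=SEVERITY_RANK.get)
    return verdicts


SAMPLE_EVENTS = [
    # WS01: the sequence from the write-up (cleanup value, then the drop via RegAsm.exe).
    {"Computer": "WS01", "EventID": 13,
     "Image": r"C:\Users\ADMINI~1\AppData\Local\Temp\File04885602.exe",  # constructed
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP\"'},
    {"Computer": "WS01", "EventID": 11,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "TargetFilename": r"C:\Users\Administrator\AppData\Roaming\WindowsUpdate.exe"},
    # WS02: a benign IExpress installer leaves the same cleanup value and nothing else.
    {"Computer": "WS02", "EventID": 13,
     "Image": r"C:\Users\jdoe\Downloads\vendor-setup.exe",  # constructed
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\jdoe\AppData\Local\Temp\IXP000.TMP\"'},
]

if __name__ == "__main__":
    for host, verdict in correlate(SAMPLE_EVENTS).items():
        print(host, verdict)
```

The second host in the sample data is there to show why the registry rule is scored low: without the accompanying drop in Roaming it is indistinguishable from a vendor installer built with IExpress, and alerting on it alone would bury the real hit in noise.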