Hackin9

Introduction

About a week ago, I stopped seeing the daily deluge of malicious spam (malspam) distributing Dridex banking trojans or Locky ransomware. Before this month, I generally noticed multiple waves of Dridex/Locky malspam almost every day. This malspam contains attachments with zipped .js files or Microsoft Office documents designed to download and install the malware.

I haven't found much discussion about the current absence of Dridex/Locky malspam. Since the actor(s) behind Dridex started distributing Locky back in February 2016 [1], I can
Shown above: Have others noticed a lull in Dridex/Locky? [2]

Of course, other campaigns are ongoing, so I figure it's time to review other examples of malspam. These campaigns are somewhat harder to find than Dridex/Locky malspam, but they're certainly out there.

However, my field of view is limited, and I can only report on what I'm seeing. With that in mind, this diary reviews two examples of malspam I found on Wednesday 2016-06-08.

First example

Our first example was sent to one of the ISC handlers' email aliases.

Shown above: Some of the alerts after reading the pcap in Snort using the Talos Snort subscriber ruleset.

Second example

Our second example is Brazilian malspam in Portuguese sent to a different email address.
Shown above: Malware downloaded from the malspam link.

Shown above: HTTP traffic from the second infection filtered in Wireshark.

In addition to the HTTP traffic, I saw IRC activity on TCP port 443 from the infected host to a server at ssl.houselannister.top (95.215.46.153).
Shown above: More IRC activity from my infected Windows host.

The hostname/username for my infected Windows host in this pcap is a throwaway.
Shown above: Alerts generated on the second infection from Sguil in Security Onion.
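Both infections above leave footprints that are easy to sweep for in proxy or Zeek logs: known hosts, IPs and URIs, plus, in the second case, a plaintext IRC session on TCP port 443 where TLS would be expected. The following Python is an added example (not from the diary or its author) that runs such a sweep over constructed, simplified Zeek-style log lines. The tab-separated field layout, the sample records and the private-range victim address are assumptions made for illustration; the indicator values themselves are transcribed from the IOC lists later in this diary.

```python
"""Sweep simplified Zeek-style http/conn log lines for this diary's malspam
IOCs and for non-TLS traffic (such as IRC) on TCP/443.

Added example, not part of the ISC diary. Log layout and sample records are
constructed; only the indicator values come from the diary's IOC lists.
"""
import re

# Indicators transcribed from the diary's IOC sections (both examples)
IOC_HOSTS = {
    "www.owifdsferger.net", "www.dorimelds.at", "www.opaosdfdksdfd.ro",
    "www.brusasport.com", "secure.adnxs.metalsystems.it", "antoniocaroli.it",
    "www.antoniocaroli.it", "www.amicimusica.ud.it",
    "dop.premiocastelloacaja.com", "goyanok.at", "www.grupoc4.top",
    "www.ruthless.sexy", "lol.devyatinskiy.ru", "ssl.houselannister.top",
}
IOC_IPS = {
    "198.105.244.228", "31.11.33.35", "188.165.157.176", "62.149.128.72",
    "62.149.132.43", "62.149.128.154", "62.149.140.183", "217.160.6.96",
    "188.190.33.93", "95.215.46.153", "65.181.113.254", "185.61.149.93",
    "65.181.113.187",
}
IOC_URI_PREFIXES = ("/new_and/state.php", "/prova/sd/", "/pz/ft.so", "/m.php")

# Assumed simplified layouts (tab-separated), not Zeek's full field list:
#   http: ts  orig_h  orig_p  resp_h  resp_p  method  host  uri
#   conn: ts  orig_h  orig_p  resp_h  resp_p  proto   service
# Constructed sample records; 192.168.1.10 stands in for the infected host.
SAMPLE_HTTP_LOG = """\
1465400001.1\t192.168.1.10\t49201\t198.105.244.228\t80\tGET\twww.dorimelds.at\t/
1465400002.2\t192.168.1.10\t49202\t62.149.132.43\t80\tGET\twww.antoniocaroli.it\t/prova/sd/romeo.exe
1465400003.3\t192.168.1.10\t49203\t188.165.157.176\t80\tPOST\tsecure.adnxs.metalsystems.it\t/new_and/state.php
1465400004.4\t192.168.1.10\t49204\t93.184.216.34\t80\tGET\texample.com\t/index.html
"""
SAMPLE_CONN_LOG = """\
1465400010.1\t192.168.1.10\t49210\t95.215.46.153\t443\ttcp\tirc
1465400011.2\t192.168.1.10\t49211\t93.184.216.34\t443\ttcp\tssl
1465400012.3\t192.168.1.10\t49212\t217.160.6.96\t2352\ttcp\t-
"""

# First line of a TCP payload that looks like an IRC client command or a
# server reply (":server 001 nick ..."); a TLS ClientHello never matches.
IRC_LINE = re.compile(
    rb"^(?:NICK|USER|JOIN|PRIVMSG|PING|PONG|MODE) |^:\S+ (?:\d{3}|NOTICE|PRIVMSG) "
)


def looks_like_irc(payload: bytes) -> bool:
    """True if the first line of a stream payload resembles IRC."""
    first = payload.split(b"\r\n", 1)[0]
    return bool(IRC_LINE.match(first))


def sweep_http(log: str):
    """Return (client, request, reasons) for http records matching an IOC."""
    hits = []
    for line in log.splitlines():
        _ts, orig_h, _orig_p, resp_h, _resp_p, method, host, uri = line.split("\t")
        reasons = []
        if host in IOC_HOSTS:
            reasons.append("ioc-host")
        if resp_h in IOC_IPS:
            reasons.append("ioc-ip")
        if uri.startswith(IOC_URI_PREFIXES):
            reasons.append("ioc-uri")
        if reasons:
            hits.append((orig_h, f"{method} http://{host}{uri}", reasons))
    return hits


def sweep_conn(log: str):
    """Return (client, endpoint, reasons) for conn records that hit an IOC IP
    or carry a non-TLS service on port 443 (Zeek's service would be 'ssl')."""
    hits = []
    for line in log.splitlines():
        _ts, orig_h, _orig_p, resp_h, resp_p, proto, service = line.split("\t")
        reasons = []
        if resp_h in IOC_IPS:
            reasons.append("ioc-ip")
        if resp_p == "443" and service != "ssl":
            reasons.append(f"non-tls-on-443:{service}")
        if reasons:
            hits.append((orig_h, f"{proto}/{resp_h}:{resp_p}", reasons))
    return hits


if __name__ == "__main__":
    for hit in sweep_http(SAMPLE_HTTP_LOG) + sweep_conn(SAMPLE_CONN_LOG):
        print(*hit)
```

The port-443 check is the more durable of the two: indicator lists like the ones in this diary go stale within days, but a C2 channel that speaks a plaintext line-oriented protocol on a port where the proxy expects a TLS handshake stands out regardless of which domain or IP it uses.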

Indicators of compromise (IOC) - first example

Domains used for the initial malware download by the .js file:

  • 198.105.244.228 port 80 - www.owifdsferger.net
  • 198.105.244.228 port 80 - www.dorimelds.at
  • 198.105.244.228 port 80 - www.opaosdfdksdfd.ro
  • 31.11.33.35 port 80 - www.brusasport.com

Post-infection traffic that triggered alerts for Andromeda malware:

  • 188.165.157.176 port 80 - secure.adnxs.metalsystems.it - POST /new_and/state.php

Other HTTP traffic during this infection:

  • 62.149.128.72 port 80 - antoniocaroli.it - GET /prova/sd/Lnoort.exe
  • 62.149.132.43 port 80 - www.antoniocaroli.it - GET /prova/sd/Lnoort.exe
  • 62.149.128.154 port 80 - antoniocaroli.it - GET /prova/sd/romeo.exe
  • 62.149.132.43 port 80 - www.antoniocaroli.it - GET /prova/sd/romeo.exe
  • 62.149.140.183 port 80 - www.amicimusica.ud.it - /pz/ft.so
  • 217.160.6.96 port 2352 - Attempted TCP connection to dop.premiocastelloacaja.com
  • 188.190.33.93 port 80 - goyanok.at - HTTP POST triggered alert for Ursnif variant

Indicators of compromise (IOC) - second example

Traffic to retrieve the initial malware:

  • 65.181.113.254 port 80 - www.grupoc4.top - GET /m.php?id=[name]
  • NOTE: See the pcap for the URL from 4shared.com hosting the initial malware

Post-infection traffic:

  • 185.61.149.93 port 80 - www.ruthless.sexy - Callback from the infected host
  • 65.181.113.187 port 80 - lol.devyatinskiy.ru - Callback from the infected host

Final words

Malspam is a pretty low-level threat, in my opinion. Most people recognize the malspam and will never click on the attachments or links. For those more likely to click, software restriction policies can play a role in preventing infections. And finally, people should be using properly administered Windows hosts and follow best security practices (up-to-date applications, latest OS patches, etc.).

The same thing goes for Dridex/Locky malspam, which I expect will return soon enough.

But many vulnerable hosts are still out there, and enough people using those hosts are still tricked by this malspam. That's probably why malspam remains a profitable method to distribute malware.

Pcaps and malware for this ISC diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] https://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky
[2] https://twitter.com/MalwareTechBlog/status/738530089600733184

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

As we've noted before, Ars readers are extremely skeptical about the whole "connected car" thing. That's not because Ars is a technology site for luddites—the sad truth is that the car industry's approach to security lags far behind its desire to expose the inner thoughts of our cars to us via the cloud.

As the tech and auto industries collide, the tech crowd is hoping that its more farsighted approach to ensuring secure hardware and code will start to rub off on its new bedfellow. On Wednesday and Thursday this week, the two have come together in Michigan for TU-Automotive Detroit, a conference that's focusing in part on this very topic. And tech firms—from established players like Symantec to startups like Karamba Security—want to help the automakers find their way.

The glaring lack of connected security for our cars got mainstream attention last year when Fiat Chrysler had to recall 1.4 million vehicles, but despite the FBI's plea to motorists to remain aware of security issues in cars, the driving public doesn't seem too concerned. Earlier this week, research firm Forrester announced that more than one in three Americans wants their next car to have better Internet connectivity. Meanwhile, the hacks keep happening. Nissan's API for its Leaf electric vehicle allowed completely anonymous requests to cars. Mitsubishi might have decided to enable connected car services for its Outlander via the vehicle's Wi-Fi in part to safeguard against attacks in the cloud, but it forgot that Wi-Fi needs some common sense security protections, too.


 
[security bulletin] HPSBGN03618 rev.1 - HPE Service Manager remote Denial of Service (DoS), Disclosure of Information, Unauthorized Read Access to Files, Server Side Request Forgery
 
[security bulletin] HPSBGN03624 rev.1 - HPE Project and Portfolio Management Center, Remote Disclosure of Sensitive Information, Execution of Arbitrary Commands
 

Information security – on the agenda this week at Olympia, London
SecurityNewsDesk
Neil Thacker, Information Security & Strategy Officer, Forcepoint, discussed the lack of resources most security operations teams face today and explored Artificial Intelligence (AI) as the future of fast decision making in 'Ready Player Two – The Role ...

 

Canada's University of Calgary paid almost $16,000 ($20,000 Canadian, ~£10,800) to recover crucial data that has been held hostage for more than a week by crypto ransomware attackers.

The ransom was disclosed on Wednesday morning in a statement issued by University of Calgary officials. It said university IT personnel had made progress in isolating the unnamed ransomware infection and restoring affected parts of the university network. It went on to warn that there's no guarantee paying the controversial ransom will lead to the lost data being recovered.

"Ransomware attacks and the payment of ransoms are becoming increasingly common around the world," Wednesday's statement read. "The university is now in the process of assessing and evaluating the decryption keys. The actual process of decryption is time-consuming and must be performed with care. It is important to note that decryption keys do not automatically restore all systems or guarantee the recovery of all data. A great deal of work is still required by IT to ensure all affected systems are operational again, and this process will take time."


 

SC Magazine UK

InfoSec 2016: WhiteHat says "security from within" key to tackling web vulnerabilities
O'Leary said, “As the costs of the data breaches continues to rise, it only spells bad news for those who choose not to patch their software”. And WhiteHat as a whole, seem to be tackling the problem head on. O'Leary told SC of how the company has ...

 
Cisco EPC 3928 Multiple Vulnerabilities
 

Computer Business Review

Ransomware, virtualisation and cloud: The hot cyber security topics at Infosec 2016
Discussion of ransomware is ubiquitous at Infosec this year, as the encryption malware hits an increasing number of businesses. Ransomware is malware that encrypts files on a victim's device and forces them to pay a ransom to the attacker before they ...

 

Techworm

Nintendo Power Glove is used to control a quadcopter
During an Intel booth at Bay Area Maker Faire, two enthusiasts, Gerrit and Mike ran into Nolan Moore who was showing off his work to combine a Nintendo Power Glove with an AR Drone quadcopter. The interesting thing is that not only did this trick ...

 
[SECURITY] [DSA 3598-1] vlc security update
 