Hackin9
 

Introduction

Earlier today (Wednesday2015-11-25), one of our readers notified the ISC of malicious spam (malspam) with a Word document designed to infect a Windows computer with malware. I found examplesof the malspam and looked into it. Word documents from this particular campaign will download Pony malware to infect a Windows computer with Vawtrak. This malspam was blocked by our spam filters, but others might see it, so Im posting the information in a diary.

Thanks for the heads up, Travis!

The emails

The emails spoof your company name (or whatever domain youre using for your email address), and they have a Microsoft Word document as an attachment. The ones Ive found have">From: [email protected][your company].com
Reply-To: [email protected][your company].com">---
Este email est livre de vrus e malware porque a proteo avast! Antivirus est">Attachment: Bill.doc

have a notification at the bottom stating This email is free of viruses and malware protection because the Avast! Antivirus is active. These antivirusmessages were all in different languages, based on the host these emails were sent" />
Shown above: Example of the malspamwith a different language for the antivirusnotification.

We saw this malspam come from senders at the following IP addresses:

  • 2015-11-25 15:06 UTC - 85.246.96.111 (l13-96-111.dsl.telepac.pt)
  • 2015-11-25 15:36 UTC - 178.253.170.155 (178-253-170-155.vdial.slovanet.sk)
  • 2015-11-25 15:59 UTC - 188.250.234.94 (bl24-234-94.dsl.telepac.pt)
  • 2015-11-25 16:14 UTC - 88.16.67.20 (20.Red-88-16-67.dynamicIP.rima-tde.net)
  • 2015-11-25 16:26 UTC - 82.54.254.143 " />
    Shown above: An example of the email headers from this malspam.

    The attachment

    The attachment is a Microsoft Word document with malicious macros. The sample had already been submitted to VirusTotal (link), but it only had a 1 / 55 detection rate when I first checked. I enabled the documents macros in a controlled environment toinfect" />
    Shown above: The maliciousdocumentopened in Word2007.

    The infection" />
    Shown above: A pcap of the infectiontraffic filtered in Wireshark by HTTP request.

    ection traffic using Security Onion with the EmergingThreats Pro signature set. " />
    Shown above: Some of the alerts in Sguil on Security Onion.

    The following IP addresses and domain names were associated with this Pony/Vawtrak infection:

    • 95.213.169.17 - reflahadi.ru
    • 149.210.186.152 - cafetariaxl.nl
    • 46.161.1.172 - castuning.ru
    • 91.200.14.95 - hybridtrend.com
    • 81.177.22.179 - 81.177.22.179

    Malware and artifacts from the infected host

    The Word document caused the following artifacts to appear in the infecteduser" />
    Shown above: Artifacts from the infected users AppData/Local/Temp directory.

    • 12.rtf - MD5 hash: 6dfd5c9274b1ecb1bad095cb8f00100e - VirusTotal link
    • 13.rft - MD5 hash: f08febf78a641505c13746fd38ed09c3 - VirusTotal link
    • 721723.exe(alsoHadFeqt.exe)- MD5 hash: a054dfe5575c59f6bd96fc395041eb93 - VirusTotal link
    • st11.exe - MD5 hash: bd86e1a8a35b12841ee6694dcc607cd0 - VirusTotal link

    Both st11.exe and 721723.exe deleted themselves shortly after appearing in thedirectory. st11.exeis the Pony downloader. 721723.exeis Vawtrack, which copied itself to another directory and updated the infected host" />
    Shown above: The Vawtrak malware from this infection.

    Final words

    Malspamwith a Word document that causes Pony to download more malware is not uncommon. Its just another example of the many types of malspam we see blocked by our spam filters on a daily basis.

    Email examples, traffic, and malware from this diary can be found here.

    Many thanks to our readers, who continue to notifyus of suspicious activity!

    ---
    Brad Duncan
    Security Researcher at Rackspace
    Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

    (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
[SECURITY] [DSA 3404-1] python-django security update
 

The Facebook and e-mail accounts of US State Department officials focused on Iran were hacked and possibly used to gather data about US-Iranian dual citizens in Iran.

More details have emerged about the hacking of the computers of US State Department and other government employees, first revealed earlier this month in a Wall Street Journal report. The intrusions by hackers purported to be associated with the Iranian Revolutionary Guard may be tied to the arrest of an Iranian-American businessman in Tehran in October and other arrests of dual citizens in Iran. The attackers used compromised social media accounts of junior State Department staff as part of a "phishing" operation that compromised the computers of employees working in the State Department’s Office of Iranian Affairs and Bureau of Near Eastern Affairs and in the computers of some journalists.

The first warning of the attacks came from Facebook, which alerted some of the affected users that their accounts had been compromised by a state-sponsored attack, The New York Times reports. The Iranian Revolutionary Guard hackers used the access to identify the victims' contacts and build "spear-phishing" attacks that gave them access to targeted individuals' e-mail accounts. The attack "was very carefully designed and showed the degree to which they understood which of our staff was working on Iran issues now that the nuclear deal is done," an unnamed senior US official told the Times.

This most recent attack, which came after a brief period of little or no Iranian activity against US targets over the summer, according to data from Check Point and iSight Partners, was a change from tactics previously associated with Iranian hackers. Earlier attacks attributed to Iran were focused on taking financial services companies' websites offline and destroying data—such as in the attack on casino company Las Vegas Sands Corp last year after its majority owner called for a nuclear attack on Iran. These attacks may not have been carried out by the Iranian government but by Iranian or pro-Iranian "hacktivists." The State Department attack, however, was more subtle and aimed at cyber-espionage rather than simple vengeance—bearing hallmarks of tactics attributed to Chinese state-sponsored hackers.

Read 1 remaining paragraphs | Comments

 
CIS Manager Content Management System 2015Q4 - SQL Injection Vulnerability
 

Smart study of Canadian businesses pushes the right buttons on infosec ...
ITBusiness.ca (blog)
Did we really need a study to tell us that Canadians care about data security and have a degree of awareness about data protection? You bet. When the Nielsen study called Information Security for Small and Medium Enterprises was recently commissioned ...

 
[security bulletin] HPSBGN03523 rev.1 - HP Loadrunner Virtual Table Server, Remote Code Execution
 
[security bulletin] HPSBGN03523 rev.1 - HP Loadrunner Virtual Table Server, Remote Code Execution
 
[slackware-security] pcre (SSA:2015-328-01)
 
ESA-2015-164: EMC Isilon OneFS Privilege Escalation Vulnerability
 
[SECURITY] [DSA 3403-1] libcommons-collections3-java security update
 
Internet Storm Center Infocon Status