On Friday, one of our readers reported a phishing attempt to us (thanks to him!). Usually, such emails are simply part of classic phishing waves trying to steal credentials from victims but, this time, it was not a simple phishing attempt. Here is a copy of the email, nicely redacted:
When the victim clicks on the “Review and take action” button, (s)he is redirected to a first website:
This automatically redirects to a second site via an HTTP 301 response:
The following picture is displayed:
Yes, this is just a simple picture, no links are active. Where is the issue? Two seconds after that page has been loaded, the browser asks the victim to save a file. The HTML code indeed contains another redirect:
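The delayed client-side redirect described above can be pulled out of the fetched HTML without loading it in a browser. The following Python is an added example written for this diary, not the author's code: it assumes the two-second redirect was a meta refresh (the original HTML is only shown as a screenshot), and the sample pages and URLs in it are constructed, not captured.

```python
"""Walk the client-side part of a redirect chain without rendering it.

Added example, not code from the diary: it extracts the automatic redirects
(meta refresh with its delay, and plain JavaScript location changes) from a
fetched page so the chain can be followed by hand. The assumption that the
two-second redirect was a meta refresh is mine; the sample HTML and URLs
below are constructed, not captured.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# "2;url=https://x", "0; URL='https://x'" or a bare "5" (reload)
_REFRESH_RE = re.compile(
    r"^\s*(\d+)\s*(?:[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"\s]*))?", re.I)
# location = "...", window.location.href = '...', location.replace("...")
_JS_REDIRECT_RE = re.compile(
    r"""(?:window\.|document\.)?location(?:\.href)?\s*(?:=|\.replace\()\s*['"]([^'"]+)['"]""",
    re.I)
# executable extensions that a decoy extension (.pdf, .doc, ...) may hide
_EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "hta", "msi"}


class _RedirectParser(HTMLParser):
    """Collects refresh directives and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.refresh_contents = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "meta":
            a = {k.lower(): (v or "") for k, v in attrs}
            if a.get("http-equiv", "").lower() == "refresh":
                self.refresh_contents.append(a.get("content", ""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands the body of <script> to handle_data as one chunk
        if self._in_script:
            self.scripts.append(data)


def find_redirects(html, base_url):
    """Return [{'kind', 'delay', 'url'}] for every automatic redirect in the page.

    'delay' is the meta-refresh delay in seconds, or None for JavaScript
    redirects (whose timing may sit in a setTimeout and is not parsed here).
    """
    parser = _RedirectParser()
    parser.feed(html)
    found = []
    for content in parser.refresh_contents:
        m = _REFRESH_RE.match(content)
        if not m:
            continue
        target = m.group(2) or base_url  # a bare delay just reloads the page
        found.append({"kind": "meta-refresh", "delay": int(m.group(1)),
                      "url": urljoin(base_url, target)})
    for script in parser.scripts:
        for m in _JS_REDIRECT_RE.finditer(script):
            found.append({"kind": "javascript", "delay": None,
                          "url": urljoin(base_url, m.group(1))})
    return found


def disguised_executable(url):
    """True when the URL's file name hides an executable extension behind a decoy one."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    return len(parts) >= 3 and parts[-1] in _EXEC_EXT


# Constructed stand-in for the image-only landing page described above.
SAMPLE_LANDING = """<html><head>
<meta http-equiv="refresh" content="2;url=https://short.example/abc">
</head><body><img src="review.png" alt="Review and take action"></body></html>"""

# Constructed variant that uses JavaScript instead of a meta refresh.
SAMPLE_JS = """<html><body><img src="review.png"><script>
setTimeout(function () { window.location.href = "/next.html"; }, 2000);
</script></body></html>"""

if __name__ == "__main__":
    for page in (SAMPLE_LANDING, SAMPLE_JS):
        for r in find_redirects(page, "https://second.example/index.html"):
            print(r)
    print(disguised_executable("https://cdn.example/Academics.pdf.exe"))
```

Feed it the body of each hop (fetched with a non-browser client that does not follow redirects automatically) and the script reports the next URL and the delay, which is what a sandbox with a short timeout would otherwise miss; the final file name can then be checked for the double-extension trick before anything is downloaded.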
The shortened URL links to:
This URL drops a malicious file called “Academics.pdf.exe” (SHA256: ba2598fdd2e5c12e072fbe4c10fcdc6742bace92c0edba42ca4ca7bc195cb813). When I grabbed the file for the first time on Friday, it was unknown on VT. Since then, it has been uploaded by someone else and has a score of 47/71. The file is identified by many AVs as a banking Trojan but, while performing a basic analysis, I found that the malware drops this picture on the target:
I searched for this email address and found a Tweet by @malwarehunterteam from April 25:
Some actions performed by the malware:
C:\Windows\system32\cmd.exe /c wusa C:\Users\admin\AppData\Local\Temp\32.cab /quiet /extract:C:\Windows\system32\migwiz & exit
wusa C:\Users\admin\AppData\Local\Temp\32.cab /quiet /extract:C:\Windows\system32\migwiz
This drops a crypt.dll in C:\Windows\system32\migwiz (SHA256: 856623bc2e40d43960e2309f317f7d2c841650d91f2cd847003e0396299c3f98)
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\888.vbs"
"C:\Windows\System32\migwiz\migwiz.exe"
C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
The last command sets EnableLUA to 0, which disables UAC entirely once the machine reboots.
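The command lines above map onto a few simple process-creation detections. The Python below is an added example, not the author's code: the events are constructed to mirror those command lines, and the 'image'/'cmdline' field names are an assumption rather than any product's log schema.

```python
"""Flag the post-infection behaviours listed above in process-creation events.

Added example, not the diary author's code. The events are constructed to
mirror the command lines above; the 'image' and 'cmdline' field names are an
assumption and not any specific product's schema.
"""
import re

SYSTEM32 = r"c:\windows\system32"


def _image_name(image):
    return image.rsplit("\\", 1)[-1].lower()


def _extract_target(cmdline):
    """Directory given to wusa.exe /extract:, with surrounding quotes removed."""
    m = re.search(r'/extract:("[^"]+"|\S+)', cmdline, re.I)
    return m.group(1).strip('"') if m else None


def rule_wusa_extract_into_system32(image, cmdline):
    """wusa.exe /extract: into a System32 sub-directory.

    wusa.exe auto-elevates for administrators on Windows 7/8 (the /extract
    switch was removed in Windows 10), so it is a known way to plant a DLL
    next to an auto-elevating binary such as migwiz.exe. Matched on the
    command line so the cmd.exe parent is flagged as well as wusa itself.
    """
    if not re.search(r"\bwusa(\.exe)?\b", cmdline, re.I):
        return False
    target = _extract_target(cmdline)
    return bool(target) and target.lower().startswith(SYSTEM32 + "\\")


def rule_uac_disabled(image, cmdline):
    """reg ADD ...\\Policies\\System /v EnableLUA /d 0: UAC is off after the next reboot."""
    if _image_name(image) not in ("reg.exe", "cmd.exe"):
        return False
    return bool(re.search(r"\badd\b.*policies\\system.*\benablelua\b.*/d\s+0\b",
                          cmdline, re.I))


def rule_script_host_from_temp(image, cmdline):
    """wscript/cscript running a script straight out of the user's Temp directory."""
    if _image_name(image) not in ("wscript.exe", "cscript.exe"):
        return False
    return bool(re.search(r"\\appdata\\local\\temp\\[^\"\s]+\.(vbs|vbe|js|jse|wsf)\b",
                          cmdline, re.I))


RULES = {
    "wusa_extract_into_system32": rule_wusa_extract_into_system32,
    "uac_disabled_via_registry": rule_uac_disabled,
    "script_host_from_user_temp": rule_script_host_from_temp,
}


def detect(events):
    """Return (rule_name, cmdline) for each event that matches a rule, in event order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev["image"], ev["cmdline"]):
                hits.append((name, ev["cmdline"]))
    return hits


# Constructed events modelled on the command lines above (plus one benign line).
EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c wusa C:\Users\admin\AppData\Local\Temp\32.cab /quiet /extract:C:\Windows\system32\migwiz & exit"},
    {"image": r"C:\Windows\System32\wusa.exe",
     "cmdline": r"wusa C:\Users\admin\AppData\Local\Temp\32.cab /quiet /extract:C:\Windows\system32\migwiz"},
    {"image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\888.vbs"'},
    {"image": r"C:\Windows\System32\migwiz\migwiz.exe",
     "cmdline": r'"C:\Windows\System32\migwiz\migwiz.exe"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for name, cmdline in detect(EVENTS):
        print(f"{name}: {cmdline}")
```

The wusa rule deliberately keys on the destination rather than on the CAB name, since the archive name is arbitrary while writing into a System32 sub-directory from an unprivileged user's Temp folder is the part that should not happen on a managed host.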
I saw many files created on the Desktop with filenames “lock_…”, but the honeypot files were not encrypted. I’m still having a look at the sample.
Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.