Phishing and ransomware – Norway

How serious can a malicious mail be? Within a few minutes of this one going out, several targeted companies in Norway were infected. Luckily I managed to get a copy of the phishing email and decided to take a look at it.

[Image: posten]

It is not really difficult to see that this is a fake mail: missing Norwegian characters (æøå) and a bad translation.
Well, we all know what we should do here, right?

Hell yea, click that link!

Step 1: 87.120.40.39 – Redirect
All links in this message point towards http://gioia-bg.com/Y3yqH9gcELIfP8h2.php?id=victim@email.no
If you open gioia-bg.com itself, you will quickly understand why they chose this host: the web page looks like a welcome mat, and the less said about its “recent” patches the better.

Either way, the landing URL contains both a JavaScript and a meta-refresh redirect to http://posten-norway.com/ddggl8p.php?id=dmljdGltQGVtYWlsLm5v
The last part of the URL is the base64 encoding of victim@email.no, probably just to keep track of who took the bait. Anyone who accesses this URL from a non-Norwegian IP is redirected to http://google.com, which makes it harder for services like VirusTotal to identify the page as malicious.

Step 2: 93.95.102.232 – More redirects

This time the compromised host appears to belong to the web-hosting company mtw.ru, judging by the size of this network.
Dovecot on port 587 looks extremely juicy here. 🙂
[Image: posten2]

There is one thing about this page that has been bugging me: why did they use a static “captcha” here?
Actually, it’s brilliant. First of all, it gives some “protection” against AV crawlers and other automated indexing tools, but the social engineering is the best part.
– A captcha forces you to do some work, and I’m pretty sure this increases the likelihood of a person opening the file.
– Captchas are used by the good guys to keep the bad guys away, right?

Ok, let’s do as they ask and fill in the captcha (it is always captcha_code=764674), press the button and follow the 302 to downloader.disk.yandex.ru

WARNING – MALWARE
https://downloader.disk.yandex.ru/disk/7b700a17ad8eb7c9138c1db3f6b33630ec83ce132fa62b4b2b33e805b6ad1d25/55cba5ad/JKl1yauumL5aItdtTvQWFjjiKaV-1IXUKtSOFgEbKlKtOEbUpNB_7cZYRA_oJu55Jc0K9LEeu08f25UWwsxg4A%3D%3D?uid=0&filename=Posten_Adresselapp.zip&disposition=attachment&hash=h946P//NjcJvOE/FkE29ARXYriKfXe2J00cq6iRbH%2Bc%3D&limit=0&content_type=application%2Fx-zip-compressed&fsize=317996&hid=f83ac8eb43326cf71af1c534d29c3280&media_type=compressed&tknv=v2

This link may be temporary, so I took a backup of the file:
https://0x41.no/virus/Posten_Adresselapp.zip

Step 3: File info
When unzipping the .zip, you find Posten_Adresselapp.scr: PE32 executable (GUI) Intel 80386, for MS Windows (with a PDF icon, of course). VirusTotal had a detection ratio of 0/56, and the file seems to be written in Visual C++, which will make it hell to reverse-engineer with my current skills.

[Image: ida1]

Step 4: Infecting myself
Just to be ready, I booted up Wireshark and Fiddler with SSL decryption enabled. I’m not much of a Windows techie, so I’ll skip the Windows debugging for now. The first thing I saw was a DNS request for lozjapo.net (78.136.221.159, another web-hosting company in Russia). The victim PC then tried to establish SSL sessions (HTTPS) with lozjapo.net, but it was not responding, probably due to a large number of requests or an ongoing takedown.

Posten_Adresselapp.scr copied itself to ProgramData and added a startup key:
C:\ProgramData\ahixysus.exe
C:\ProgramData\yvyjivorapadumok\..
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Since lozjapo.net was no longer responding to HTTPS requests, I modified c:\windows\system32\drivers\etc\hosts to point lozjapo.net at my own server. This way I could complete the SSL handshake and monitor the requests made by ahixysus.exe. ahixysus.exe also hooked itself into explorer.exe, so that explorer.exe appears to be making all the HTTPS requests, hiding its own identity from Task Manager.

[Image: explorer]

WIN-PDJOMJ9UPAH = my computer name
6FF35C156855CED9 = no idea
main-1 = no idea

Looking at this POST request, I would guess my PC is trying to join a botnet and that lozjapo.net is the current C&C.
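The hosts-file trick above (pointing lozjapo.net at an analyst box so the bot completes its handshake there) needs something listening on the other end. The following sinkhole server is an added example written for this page, not the author's own tooling: it accepts any request, records method, host, path, query and body, and answers an empty 200. It assumes a self-signed certificate created with openssl as described in the docstring and that the bot does not validate the certificate chain; the C&C request format is not known from the post, so nothing here tries to speak it.

```python
import http.server
import ssl
import urllib.parse

CAPTURED = []  # one record per request the sinkhole received


def summarize(method, path, headers, body):
    """Reduce one captured request to the fields worth keeping for a beacon.

    Header names are normalised to lower case; a form-encoded body is split
    into fields, anything else is kept as a short text preview plus its size.
    """
    h = {k.lower(): v for k, v in headers.items()}
    parsed = urllib.parse.urlsplit(path)
    rec = {
        "method": method,
        "host": h.get("host"),
        "user_agent": h.get("user-agent"),
        "path": parsed.path,
        "query": urllib.parse.parse_qs(parsed.query, keep_blank_values=True),
        "content_type": h.get("content-type"),
        "body_len": len(body),
        "form": None,
        "preview": body[:200].decode("utf-8", "replace"),
    }
    if (rec["content_type"] or "").startswith("application/x-www-form-urlencoded"):
        rec["form"] = urllib.parse.parse_qs(body.decode("utf-8", "replace"),
                                            keep_blank_values=True)
    return rec


class SinkholeHandler(http.server.BaseHTTPRequestHandler):
    """Accept anything, log it, answer 200 with an empty body."""

    def _record(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length > 0 else b""
        rec = summarize(self.command, self.path, dict(self.headers.items()), body)
        rec["client"] = self.client_address[0]
        CAPTURED.append(rec)
        print(rec)
        # An empty 200 is enough to see what the bot sends; it does not try to
        # speak the real C&C protocol, so the bot will usually just retry.
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_PUT = _record

    def log_message(self, *args):  # keep stderr quiet; CAPTURED is the log
        pass


def serve(bind="0.0.0.0", port=443, certfile=None, keyfile=None):
    """Build the sinkhole server; call .serve_forever() on the result.

    With certfile/keyfile the server terminates TLS itself, which is what the
    hosts-file trick needs: the bot resolves lozjapo.net to this host and
    completes the handshake here. A self-signed certificate, e.g. from
    `openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem
    -subj /CN=lozjapo.net`, works only if the bot does not validate the chain,
    which is an assumption of this example.
    """
    httpd = http.server.ThreadingHTTPServer((bind, port), SinkholeHandler)
    if certfile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile)
        httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    return httpd


if __name__ == "__main__":
    import sys
    cert = sys.argv[1] if len(sys.argv) > 1 else None
    key = sys.argv[2] if len(sys.argv) > 2 else None
    serve(port=443 if cert else 8080, certfile=cert, keyfile=key).serve_forever()
```

Run it with the certificate and key as arguments on the box the hosts file points to, keep Wireshark on the same interface to catch anything that is not HTTP, and compare the recorded fields (host name, hex ID, build string) across several beacons to see which parts are per-victim and which are per-campaign.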

Now what?
From what I’ve been told by others (infected), the malware will download/patch itself and install ransomware. So far it has been CryptoLocker, where documents and pictures on both local disks and network shares are encrypted with AES-256, and the only way to restore them is to pay the ransom or restore from backup. Regarding backups: any volume shadow copies are deleted by the malware, which executes “vssadmin.exe Delete Shadows /All /Quiet”.
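Two host-side behaviours in this write-up are easy to alert on: a Run key that points into C:\ProgramData (the dropper's persistence) and vssadmin deleting shadow copies (the ransomware stage). The script below is an added example, not from the post; it runs two such rules over constructed records shaped like Sysmon Event ID 1 (process create) and Event ID 13 (registry value set). Only the paths and command line quoted in the post are real; the SIDs, parent processes and benign entries are made up. It goes slightly beyond the post by also matching the WMIC way of deleting shadow copies and by treating AppData and Windows\Temp like ProgramData.

```python
import re

# Constructed sample records shaped like Sysmon Event ID 1 (process create)
# and Event ID 13 (registry value set). Only the paths and command line quoted
# in the post are real; the SIDs, parents and benign entries are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" report.txt',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "Image": r"C:\Users\victim\Downloads\Posten_Adresselapp.scr",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\ahixysus",
     "Details": r"C:\ProgramData\ahixysus.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin.exe Delete Shadows /All /Quiet",
     "ParentImage": r"C:\ProgramData\ahixysus.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin.exe list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r'"C:\Program Files\Vendor\agent.exe"'},
]

# HKCU\...\Run as Sysmon writes it (HKU\<SID>\...), RunOnce included.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Executables living where an unprivileged user can write: the post's sample
# dropped to C:\ProgramData; AppData and Windows\Temp are the usual siblings.
USER_WRITABLE = re.compile(r'^"?[a-z]:\\(ProgramData|Users\\[^\\]+\\AppData|Windows\\Temp)\\', re.I)
# Shadow-copy deletion: vssadmin as in the post, plus the WMIC equivalent.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)


def check_event(ev):
    """Return (rule, severity, detail) hits for one event; empty means benign."""
    hits = []
    if ev.get("EventID") == 1:
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "")
        if SHADOW_DELETE.search(cmd):
            # Backup software also calls vssadmin; a parent in a user-writable
            # directory is what separates the ransomware from an admin.
            sev = "high" if USER_WRITABLE.match(parent) else "medium"
            hits.append(("shadow_copy_deletion", sev, f"{parent} -> {cmd}"))
    elif ev.get("EventID") == 13:
        target = ev.get("TargetObject", "")
        value = ev.get("Details", "")
        if RUN_KEY.search(target) and USER_WRITABLE.match(value):
            hits.append(("run_key_to_user_writable_dir", "high", f"{target} = {value}"))
    return hits


def scan(events):
    """Run every event through check_event and flatten the findings."""
    return [{"rule": rule, "severity": sev, "image": ev.get("Image"), "detail": detail}
            for ev in events for rule, sev, detail in check_event(ev)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['rule']:30} {f['detail']}")
```

The same two rules translate directly into a SIEM query; the important part is keying the shadow-copy rule on the parent process rather than on vssadmin alone, otherwise every backup job fires it.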
Subnets to look out for (firewall logs):
87.120.40.39/32 gioia-bg.com
93.95.100.0/22 posten-norway.com
77.88.21.127/32 downloader.disk.yandex.ru
78.136.221.0/24 lozjapo.net

A Layer 7 IPS firewall with an anti-virus profile will not be able to detect and block this traffic on its own. SSL decryption is also required to scan the files and traffic for both yandex.ru and the C&C lozjapo.net. As a minimum, you should add “posten-norway.com”, “lozjapo.net” and “gioia-bg.com” to a URL filter.
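To turn the subnet list and the domain names into something you can run over existing logs, here is an added example (my code, not the author's): it matches each line on destination subnet first and on URL host second, assigns each indicator a kill-chain stage so that the furthest stage per source address can be reported, and decodes the id= tag (plain on the first hop, base64 on the second) to name the user who clicked. The log layout "timestamp src dst dport url" and the sample lines are constructed for this example and do not come from any real firewall or from the post.

```python
import base64
import ipaddress
import re
import urllib.parse

# Indicators from the post. Stage numbers order the kill chain so that the
# furthest stage a client reached can be reported per source address.
IOC_NETS = {
    "87.120.40.39/32": (1, "gioia-bg.com redirector"),
    "93.95.100.0/22": (2, "posten-norway.com captcha page"),
    "77.88.21.127/32": (3, "downloader.disk.yandex.ru payload host"),
    "78.136.221.0/24": (4, "lozjapo.net C&C"),
}
IOC_DOMAINS = {"gioia-bg.com": 1, "posten-norway.com": 2, "lozjapo.net": 4}
NETS = [(ipaddress.ip_network(cidr), stage, label)
        for cidr, (stage, label) in IOC_NETS.items()]

# Constructed sample lines in a generic "timestamp src dst dport url" layout;
# they are not from the post or from any real firewall. "-" means no URL seen.
SAMPLE_LOG = """\
2015-08-12T09:01:03 10.0.0.15 87.120.40.39 80 http://gioia-bg.com/Y3yqH9gcELIfP8h2.php?id=victim@email.no
2015-08-12T09:01:04 10.0.0.15 93.95.102.232 80 http://posten-norway.com/ddggl8p.php?id=dmljdGltQGVtYWlsLm5v
2015-08-12T09:01:09 10.0.0.15 77.88.21.127 443 -
2015-08-12T09:02:30 10.0.0.15 78.136.221.159 443 -
2015-08-12T09:02:31 10.0.0.22 93.184.216.34 443 -
"""
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<url>\S+)$")


def match_ip(ip):
    """Return (stage, label) if ip falls in one of the listed subnets, else None."""
    addr = ipaddress.ip_address(ip)
    for net, stage, label in NETS:
        if addr in net:
            return stage, label
    return None


def match_url(url):
    """Return (stage, domain) if the URL's host is a listed domain or a subdomain of one."""
    host = (urllib.parse.urlsplit(url).hostname or "").lower()
    for domain, stage in IOC_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return stage, domain
    return None


def victim_from_url(url):
    """The links carry the victim's address: plain on the first hop, base64 on
    the second. Return it when present so the clicker can be identified."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    tag = query.get("id", [""])[0]
    if "@" in tag:
        return tag
    try:
        decoded = base64.b64decode(tag + "=" * (-len(tag) % 4)).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if "@" in decoded else None


def scan_log(text):
    """Match each line on destination IP first, then on URL host."""
    hits = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        has_url = m["url"] != "-"
        why = match_ip(m["dst"]) or (match_url(m["url"]) if has_url else None)
        if why:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                         "stage": why[0], "ioc": why[1],
                         "victim": victim_from_url(m["url"]) if has_url else None})
    return hits


def triage(hits):
    """Highest kill-chain stage seen per source: 4 means it reached the C&C."""
    worst = {}
    for h in hits:
        worst[h["src"]] = max(worst.get(h["src"], 0), h["stage"])
    return worst


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(triage(hits))
```

Matching on the URL host as well as the subnet matters because the hosting IPs change while the domains stay in the mail. Treat 77.88.21.127 as a hunting indicator rather than a block rule: downloader.disk.yandex.ru is a shared file-hosting service, so blocking it stops legitimate downloads too, whereas the three attacker domains can simply go in the URL filter.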

For more information, check out the Palo Alto WildFire report

How and what malware and C&C can do:
