Tuesday, December 4, 2012

FedEx Phishing - FakeAV

The Email

Lots of people have been getting emails that claim you have a package from FedEx, and in order to retrieve the package you must check their invoice. Below is an example of the email:

If you fell for the email and clicked the link to retrieve the postal receipt, the page directs you to a zip archive called 'Postal-Receipt.zip', which contains the malicious EXE.


Some of the domains linked to in the emails are listed below.

The Attachment

File: Postal-Receipt.zip
Size: 31398
MD5:  DCEFC82EF60639AA821378D4BDC58EFC
FileType: Zip file
https://www.virustotal.com/file/2e3cc6664ef47521e4fb944013af388a91685a395021933eb381f8c3714a339b/analysis/


Here's what the EXE in the zip archive looks like once extracted. Clearly not a Word document.

File: Postal-Receipt.exe
Size: 53248
MD5:  6B02ED78EF103CAE39D6FBBD13EF1AFD
Compiled Date: Sat, Dec 1 2012, 21:42:32  - 32 Bit
https://www.virustotal.com/file/a351d4e5cbbd1829aa46d4666309bfd0b11068e5c8815892723a11edac74afd7/analysis/

Post Infection

A quick screenshot depicting what the callbacks look like across the wire. The parameter is just a long series of hex, which likely initiates the download of the next payload, since the attachment is likely just the dropper.

Observed beacons to the following:

UPDATE

So it's definitely VM-aware, but I sandboxed it and got the stage 2 payload. FakeAV campaign.

File: update.exe
Size: 573440
MD5:  24AF8A9423DC3A89E6D816C4DA3DAE95
Compiled Date: Dec 4 19:34:01 2012 (Tue)
https://www.virustotal.com/file/069d3e48010d6ef93f14c3d5e52ca2649c48fcc983f92be8236459324a69ef59/analysis/1354672077/

Stage 2 Domains/IPs

gilbillingpay.com - serves the FakeAV license page
178.162.170.132

Some screenshots

That's the initial stuff anyways... I'll get more info later... Plus, since it appears to be a huge campaign, there will probably be dozens of other people providing some of the same info and more...

Thursday, August 30, 2012

Grooveshark Malvertisements

Grooveshark

Edit: I was able to get the full exploit code, but as with any exploit kit it's obfuscated to hell and back. So I have to deobfuscate it first.

A bunch of people use Grooveshark to listen to music. While this isn't the first time Grooveshark has served malvertisements, it's worth posting anyway. I wasn't able to get the malicious ad syndication to bounce me to the exploit page first-hand, and unfortunately the pcap data I have doesn't contain the exploits or malware.

The Malvertisement

If you're unfortunate enough to get served a malicious advertisement, then unbeknownst to you, scripts are executed in the background that can redirect, enumerate, exploit, and infect. This malvertisement starts with a 302 redirect.

Next you'll get bounced to a body of obfuscated code that inserts a script on the page.

When formatted it's easier to see what the script is doing. It's essentially using your user-agent to decode the obfuscated script.

I had to hard-code the user-agent into the script and strip out some of the unnecessary HTML DOM stuff to get the iframe it creates.

Continuation...

I was able to get the malvertisement on my VM, so I have the exploit code. The next request takes you to a page with an embedded 'loading' gif and another iframe redirecting to the actual exploit code. Interestingly, it also 'onbeforeunload's you to a Russian dating site. Maybe they own it and want some additional hits for monetary gain?

Here is a quick snippet of the exploit page code. It's obfuscated obviously. It's ugly. Even when formatted it's ugly.

Actually, when formatted it isn't so bad. It's just a bunch of <pre> tags that hold the obfuscated code. Then, as exploit kits normally do, there is a small block of JavaScript that deobfuscates and eval()s the whole thing. Below you can see the body of the script. You can also see an applet at the very bottom - Set.jar. I was able to retrieve that Java archive. A lot of AV vendors detect it.
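An analyst harness for the "decode with the user-agent, then eval()" pattern described above (both the iframe-inserting script and this page's deobfuscator), added here as an example; it is not code from the post or from the kit. The loader, payload and user-agent string are constructed stand-ins, and the stubbed `document`/`navigator` objects are assumptions about the only DOM surface such a loader touches.

```javascript
// Constructed stand-in for the page: the payload sits in a <pre> as hex and the
// loader XORs it with the bytes of navigator.userAgent before calling eval().
const SAMPLE_UA = "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0";
const SAMPLE_PAYLOAD = "document.body.appendChild(document.createElement('iframe'));";

// Hex-encode text XORed with a repeating key; used only to build the sample <pre>.
function xorHex(text, key) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    const b = text.charCodeAt(i) ^ key.charCodeAt(i % key.length);
    out += b.toString(16).padStart(2, "0");
  }
  return out;
}

// The loader as it would sit on the page (constructed; it mirrors the
// "read <pre>, decode with user-agent, eval()" structure, not the kit's real code).
const LOADER_SRC = `
  var h = document.getElementById("p").innerHTML, k = navigator.userAgent, s = "";
  for (var i = 0; i < h.length; i += 2)
    s += String.fromCharCode(parseInt(h.slice(i, i + 2), 16) ^ k.charCodeAt((i / 2) % k.length));
  eval(s);
`;

// Run a loader against stubbed document/navigator objects and a capturing eval().
// Returns every string the loader handed to eval(): the decoded stage, unexecuted.
function captureEval(loaderSrc, preHex, userAgent) {
  const captured = [];
  const fakeDocument = { getElementById: () => ({ innerHTML: preHex }) };
  const fakeNavigator = { userAgent: userAgent };
  // Naming a parameter "eval" shadows the real eval inside the loader body. The
  // Function constructor builds a sloppy-mode function, so that name is legal here.
  const run = new Function("document", "navigator", "eval", loaderSrc);
  run(fakeDocument, fakeNavigator, (code) => { captured.push(String(code)); });
  return captured;
}

// Decode the sample with the hard-coded user-agent, as the author did for the real one.
function demo() {
  return captureEval(LOADER_SRC, xorHex(SAMPLE_PAYLOAD, SAMPLE_UA), SAMPLE_UA);
}
```

Because the decode key is the user-agent, running the same loader with a scanner's or crawler's user-agent yields garbage rather than the stage, which is why the author had to hard-code the browser's value.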



File: Set.jar
Size: 19713
MD5:  5F21D6629648633B42119AB73680C1D6

https://www.virustotal.com/file/8699be5447dd8ba5e530dac02310ac34fd6134d955dbf666804ec804bae3a170/analysis/


Still not done yet though... It's just Blackhole, but it might be one of the new versions equipped with that Java 0-day. It doesn't seem that way so far...


 
Summary

That's all I was able to entice their server to give me. All my other attempts got HTTP 500s. I may still be able to get the exploits/malware if I get lucky and get a malvertisement in my VMs.