Malware targets home networks/router, Fake Invoice SPAM
FYI...
Malware targets home networks/router
- https://isc.sans.edu/diary.html?storyid=19463
2015-03-13 - "Malware researchers at Trend Micro* have analyzed a malware that connects to the home routers and scan the home network then send the gathered information to C&C before deleting itself. TROJ_VICEPASS.A** pretends to be an Adobe Flash update, once it's run it will attempt to connect to the home router admin council using a predefined list of user names and passwords. If it succeeds, the malware will scan the network for connected devices. The malware scans for devices using HTTP, with a target IP range of 192.168.[0-6].0-192.168.[0-6].11 - this IP range is hard-coded. Once the scans finish it will encode the result using Base64 and encrypt it using a self-made encryption method. The encrypted result will be sent to a C&C server via HTTP protocol. After sending the results to the Command and Control server (C&C), it will delete itself from the victim’s computer... Such type of malware infection can be avoided using very basic security techniques such as downloading updated software from trusted sources only and changing the default password."
* http://blog.trendmicro.com/trendlabs-security-intelligence/malware-snoops-through-your-home-network/
Mar 9, 2015 - "... We recently came across one malware, detected as TROJ_VICEPASS.A**, which pretends to be an Adobe Flash update. Once executed, it attempts to connect to the home router to search for connected devices. It then tries to log in to the devices to get information. Should it be successful, it will send the information to a command-and-control (C&C) server and deletes itself from the computer:
Infection chain:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/03/vicepass1.png
Users may encounter this malware when visiting suspicious or malicious sites hosting a supposed Flash update...
Site hosting fake Adobe Flash update:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/03/vicepass2.png
Fake Flash update:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/03/vicepass3.png
Once the malware is executed, it attempts to connect to the connected router through its admin console, using a predefined list of user names and passwords. If successful, the malware will attempt to scan the network to look for connected devices... The malware scans for devices using HTTP, with a target IP range of 192.168.[0-6].0-192.168.[0-6].11, which are IP addresses which are assigned by home routers. The target range is hard-coded. A look at the internal log format reveals such:
Find router IP address – start
Searching in 192.168.0.0 – 192.168.0.11
[0] connect to 192.168. 0.0
URL: ‘192.168.0.0’, METHOD: ‘1’, DEVICE: ‘Apple’
…. (skip)
Find router IP address – end
We noticed that the malware checks for Apple devices such as iPhones and iPads, even though those devices cannot have an HTTP open panel. However, it should be noted that the strings focus more on routers..."
(More detail at the trendmicro URLs include usernames and passwords.)
** http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_vicepass.a
___
Fake Invoice SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/penta-foods-invoice-2262004-word-doc-or-excel-xls-spreadsheet-malware/
13 Mar 2015 - "'Penta Foods Invoice: 2262004' pretending to come from cc446@ pentafoods .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please find attached invoice : 2262004
Any queries please contact us.
—
Automated mail message produced by DbMail.
Registered to Penta Foods, License MBA2009357.
13 March 2015 : R-1179776.doc - Current Virus total detections: 0/56*
So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...c120814f844d3e4764b1e90a/analysis/1426236749/
- http://blog.dynamoo.com/2015/03/malware-spam-pentafoodscom-invoice.html
13 Mar 2015
"... Recommended blocklist:
62.76.179.44
212.69.172.187
78.129.153.12 "
___
More Fake Invoice SPAM - malware
- http://blog.dynamoo.com/2015/03/malware-spam-invoice-13032015-for.html
13 March 2015 - "There is a -series- of malware spams in progress in the following format:
Invoice (13\03\2015) for payment to JUPITER PRIMADONA GROWTH TRUST
Invoice (13\03\2015) for payment to CARD FACTORY PLC
Invoice (13\03\2015) for payment to CELTIC
Invoice (13\03\2015) for payment to MIRADA PLC
Note the use of the backslash in the date. There is an attachment in the format 1234XYZ.doc which I have seen three different variants of (although one of those was zero length), one of which was used in this spam run[1] yesterday and one new one with zero detections* which contains (a) malicious macro, which downloads another component from:
http ://95.163.121.186 /api/gbb1.exe
This is saved as %TEMP%\GHjkdfg.exe ... this server is wide open and is full of data and binaries relating to the Dridex campaign. Unsurprisingly, it is hosted on a Digital Networks CJSC aka DINETHOSTING IP address. This binary has a detection rate of 3/53** and the Malwr report shows it phoning home to 95.163.121.33 which is also in the same network neighbourhood. The binary also drops a malicious Dridex DLL with a detection rate of 5/56***. This is the same DLL as used in this spam run[2] earlier today.
Recommended blocklist:
95.163.121.0/24 "
* https://www.virustotal.com/en/file/...f98efb6c527c01791805523b/analysis/1426257108/
** https://www.virustotal.com/en/file/...6d01bd6d0e7a4983375bfc1d/analysis/1426254512/
*** https://www.virustotal.com/en/file/...f84004dd6839321d4c60f7d0/analysis/1426257698/
1] http://blog.dynamoo.com/2015/03/malware-spam-invoice-1234xyz-for.html
2] http://blog.dynamoo.com/2015/03/malware-spam-pentafoodscom-invoice.html
95.163.121.186: https://www.virustotal.com/en/ip-address/95.163.121.186/information/
95.163.121.33: https://www.virustotal.com/en/ip-address/95.163.121.33/information/
___
Upatre update: infection chain and affected countries
- http://blogs.technet.com/b/mmpc/arc...e-infection-chain-and-affected-countries.aspx
12 Mar 2015 - "... Detection rates for these countries is as follows:
> http://www.microsoft.com/security/portal/blog-images/a/UpatreTable.jpg "
:fear::fear:
FYI...
Malware targets home networks/router
- https://isc.sans.edu/diary.html?storyid=19463
2015-03-13 - "Malware researchers at Trend Micro* have analyzed a malware that connects to the home routers and scan the home network then send the gathered information to C&C before deleting itself. TROJ_VICEPASS.A** pretends to be an Adobe Flash update, once it's run it will attempt to connect to the home router admin council using a predefined list of user names and passwords. If it succeeds, the malware will scan the network for connected devices. The malware scans for devices using HTTP, with a target IP range of 192.168.[0-6].0-192.168.[0-6].11 - this IP range is hard-coded. Once the scans finish it will encode the result using Base64 and encrypt it using a self-made encryption method. The encrypted result will be sent to a C&C server via HTTP protocol. After sending the results to the Command and Control server (C&C), it will delete itself from the victim’s computer... Such type of malware infection can be avoided using very basic security techniques such as downloading updated software from trusted sources only and changing the default password."
* http://blog.trendmicro.com/trendlabs-security-intelligence/malware-snoops-through-your-home-network/
Mar 9, 2015 - "... We recently came across one malware, detected as TROJ_VICEPASS.A**, which pretends to be an Adobe Flash update. Once executed, it attempts to connect to the home router to search for connected devices. It then tries to log in to the devices to get information. Should it be successful, it will send the information to a command-and-control (C&C) server and deletes itself from the computer:
Infection chain:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/03/vicepass1.png
Users may encounter this malware when visiting suspicious or malicious sites hosting a supposed Flash update...
Site hosting fake Adobe Flash update:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/03/vicepass2.png
Fake Flash update:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/03/vicepass3.png
Once the malware is executed, it attempts to connect to the connected router through its admin console, using a predefined list of user names and passwords. If successful, the malware will attempt to scan the network to look for connected devices... The malware scans for devices using HTTP, with a target IP range of 192.168.[0-6].0-192.168.[0-6].11, which are IP addresses which are assigned by home routers. The target range is hard-coded. A look at the internal log format reveals such:
Find router IP address – start
Searching in 192.168.0.0 – 192.168.0.11
[0] connect to 192.168. 0.0
URL: ‘192.168.0.0’, METHOD: ‘1’, DEVICE: ‘Apple’
…. (skip)
Find router IP address – end
We noticed that the malware checks for Apple devices such as iPhones and iPads, even though those devices cannot have an HTTP open panel. However, it should be noted that the strings focus more on routers..."
(More detail at the trendmicro URLs include usernames and passwords.)
** http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_vicepass.a
___
Fake Invoice SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/penta-foods-invoice-2262004-word-doc-or-excel-xls-spreadsheet-malware/
13 Mar 2015 - "'Penta Foods Invoice: 2262004' pretending to come from cc446@ pentafoods .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please find attached invoice : 2262004
Any queries please contact us.
—
Automated mail message produced by DbMail.
Registered to Penta Foods, License MBA2009357.
13 March 2015 : R-1179776.doc - Current Virus total detections: 0/56*
So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...c120814f844d3e4764b1e90a/analysis/1426236749/
- http://blog.dynamoo.com/2015/03/malware-spam-pentafoodscom-invoice.html
13 Mar 2015
"... Recommended blocklist:
62.76.179.44
212.69.172.187
78.129.153.12 "
___
More Fake Invoice SPAM - malware
- http://blog.dynamoo.com/2015/03/malware-spam-invoice-13032015-for.html
13 March 2015 - "There is a -series- of malware spams in progress in the following format:
Invoice (13\03\2015) for payment to JUPITER PRIMADONA GROWTH TRUST
Invoice (13\03\2015) for payment to CARD FACTORY PLC
Invoice (13\03\2015) for payment to CELTIC
Invoice (13\03\2015) for payment to MIRADA PLC
Note the use of the backslash in the date. There is an attachment in the format 1234XYZ.doc which I have seen three different variants of (although one of those was zero length), one of which was used in this spam run[1] yesterday and one new one with zero detections* which contains (a) malicious macro, which downloads another component from:
http ://95.163.121.186 /api/gbb1.exe
This is saved as %TEMP%\GHjkdfg.exe ... this server is wide open and is full of data and binaries relating to the Dridex campaign. Unsurprisingly, it is hosted on a Digital Networks CJSC aka DINETHOSTING IP address. This binary has a detection rate of 3/53** and the Malwr report shows it phoning home to 95.163.121.33 which is also in the same network neighbourhood. The binary also drops a malicious Dridex DLL with a detection rate of 5/56***. This is the same DLL as used in this spam run[2] earlier today.
Recommended blocklist:
95.163.121.0/24 "
* https://www.virustotal.com/en/file/...f98efb6c527c01791805523b/analysis/1426257108/
** https://www.virustotal.com/en/file/...6d01bd6d0e7a4983375bfc1d/analysis/1426254512/
*** https://www.virustotal.com/en/file/...f84004dd6839321d4c60f7d0/analysis/1426257698/
1] http://blog.dynamoo.com/2015/03/malware-spam-invoice-1234xyz-for.html
2] http://blog.dynamoo.com/2015/03/malware-spam-pentafoodscom-invoice.html
95.163.121.186: https://www.virustotal.com/en/ip-address/95.163.121.186/information/
95.163.121.33: https://www.virustotal.com/en/ip-address/95.163.121.33/information/
___
Upatre update: infection chain and affected countries
- http://blogs.technet.com/b/mmpc/arc...e-infection-chain-and-affected-countries.aspx
12 Mar 2015 - "... Detection rates for these countries is as follows:
> http://www.microsoft.com/security/portal/blog-images/a/UpatreTable.jpg "
:fear::fear:
Last edited: