2014-11-13 - PHISHING CAMPAIGN - SUBJECT: YOU HAVE RECEIVED A NEW SECURE MESSAGE FROM BANKLINE#[8-DIGITS]

ASSOCIATED FILES:

ZIP of CSV spreadsheet with some of the email tracking: 2014-11-13-phishing-email-tracking.csv.zip

ZIP of pcap from the malware downloaded and run in a VM: 2014-11-13-phishing-malware-traffic-in-a-VM.pcap.zip

ZIP of the associated malware: 2014-11-13-phishing-malware-and-artifacts.zip

NOTES:

On 2014-11-13 from 10:44 to 11:27 UTC, I saw at least 878 phishing emails with the subject line: You have received a new secure message from BankLine# [8-digit number]. These emails all contain links to malware, and the URLs ended with: /bankline/message.php

The links generated a zip file download containing Upatre.

Today's post-infection traffic is similar to previous campaigns that dropped Dyre malware.

Conrad Longmore reported a similar ADP-themed campaign yesterday at: blog.dynamoo.com/2014/11/adp-past-due-invoice39911564-spam.html

[Screenshot: Downloading the Upatre]

PHISHING CAMPAIGNS WITH SIMILAR POST-INFECTION TRAFFIC:

2014-09-26 - Phishing campaign - Subject: Transaction not complete

2014-10-03 - Phishing campaign - incoming fax reports - fake HMRC tax notification

2014-10-04 - Rig EK and Upatre from phishing emails [emails dated 2014-10-02]

EMAILS SEEN FROM THIS CAMPAIGN



All had a spoofed sender: <secure.message@bankline.com>

2014-11-13 10:44 UTC - 82.141.205.113 - mail.mcscomputers.ie - <044143235.0388539144@bankline.com>

2014-11-13 10:44 UTC - 213.160.167.131 - dsl-static-131.213-160-167.telecom.sk - <020914627.0499964534@bankline.com>

2014-11-13 10:44 UTC - 12.162.1.100 - pix-pat.orhp.com - <188812064.0740622260@bankline.com>

2014-11-13 10:44 UTC - 173.227.139.162 - (US - TW Telecom Holdings, Inc) - <619747877.0644376155@bankline.com>

2014-11-13 10:44 UTC - 98.119.19.3 - static-98-119-19-3.lsanca.fios.verizon.net - <393825197.0532741095@bankline.com>

2014-11-13 10:44 UTC - 209.37.186.22 - (US - California United Terminals) - <033084924.0594291903@bankline.com>

2014-11-13 10:44 UTC - 212.77.180.44 - (Germany - R-KOM Regensburger Telekommunikations) - <629092690.0601752637@bankline.com>

2014-11-13 10:44 UTC - 37.130.249.198 - 37-130-249-198.virtual1.co.uk - <282136952.0233588738@bankline.com>

2014-11-13 10:45 UTC - 213.163.169.237 - (France - Kheops Organisation) - <822850065.0360809211@bankline.com>

2014-11-13 10:45 UTC - 12.5.64.154 - (US - AT&T services - Evergreen Alliance Golf Ltd) - <023189931.0677187629@bankline.com>

2014-11-13 10:45 UTC - 64.22.255.162 - gateway.burrellcenter.com - <704110342.0107369291@bankline.com>

2014-11-13 10:45 UTC - 68.101.43.134 - wsip-68-101-43-134.dc.dc.cox.net - <060358944.0986522448@bankline.com>

2014-11-13 10:45 UTC - 31.221.10.130 - 31-221-10-130.cust-31.exponential-e.net - <944996101.0275953473@bankline.com>

878 total emails seen, with the last one below:

2014-11-13 11:27 UTC - 82.152.247.106 - (UK - Eclipse Static ADSL Pool) - <298463928.0751396386@bankline.com>

SCREENSHOT FROM ONE OF THE EMAILS:

MESSAGE TEXT FROM ONE OF THE EMAILS:

From: Bankline <secure.message@bankline.com>

Date: Thursday, November 13, 2014 at 10:46 UTC

Subject: You have received a new secure message from BankLine#62941708



You have received a secure message.



Read your secure message by following the link bellow:



link





----------------

You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.



If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 7038.



First time users - will need to register after opening the attachment.

About Email Encryption - http://www.rbs.co.uk/corporate/electronic-services/g2/datalink.ashx

SOME OF THE LINKS FROM THESE PHISHING EMAILS:

adtravel.com.sg - GET /bankline/message.php

dudok.nl - GET /bankline/message.php

neogamer.cz - GET /bankline/message.php

wp.zontown.com - GET /bankline/message.php

PRELIMINARY MALWARE ANALYSIS

DOWNLOADED ZIP FILE:

File name: Secure-messageBankline_pdf.zip

File size: 9.9 KB ( 10150 bytes )

MD5 hash: f4df9e9ca2c91ba5e826111014d1b1c5

Detection ratio: 21 / 55

First submission: 2014-11-13 10:48:26 UTC

VirusTotal link: https://www.virustotal.com/en/file/2ad9176032de039207d41bafa83b10907ade9c771a478d42b620082fbae3a165/analysis/





EXTRACTED MALWARE:

File name: Secure-messageBankline_pdf.exe

File size: 23.0 KB ( 23552 bytes )

MD5 hash: c852dff3e4de04eb3a230cd560094d59

Detection ratio: 21 / 53

First submission: 2014-11-13 10:49:19 UTC

VirusTotal link: https://www.virustotal.com/en/file/7f771a240dab091da8af9ec07b10a97079864c45564259ee7ca827d4cfd387a2/analysis/

Malwr link: https://malwr.com/analysis/MDFkZWFiNTk4MzYyNGIwMmEyMzA2OWUxODU3ZTYyYTc/





DROPPED FILES ON THE INFECTED VM:

C:\Windows\EXE1.INI (0 bytes)

C:\Windows\OccUbCFuCHafSpy.exe (503,808 bytes)

C:\Windows\OccUbCFuCHafSpy.INI (0 bytes)

C:\Users\User-1\AppData\Local\Microsoft\Windows\Temporary Internet Files\cluk2[1].pmg (encrypted file - 365,308 bytes)

C:\Users\User-1\AppData\Local\Temp\utt2FCD.tmp (encrypted file, 365,308 bytes - same as above file)

C:\Users\User-1\AppData\Local\Temp\ogtur.exe (this is where the extracted malware copied itself)

DROPPED EXE:

File name: C:\Windows\OccUbCFuCHafSpy.exe

File size: 492.0 KB ( 503808 bytes )

MD5 hash: ca075266749ad6303092ba177177aef3

Detection ratio: 15 / 55

First submission:

VirusTotal link: https://www.virustotal.com/en/file/b642644ca6ba8509b49e0093119190dd2e39130fd5ee2c96b81bb44457f57f39/analysis/

Malwr link: https://malwr.com/analysis/NDQxZTMxNjhlOWZlNGY1YmEzYmM3ZDAyYTBmNjlmMTE/





INFECTION TRAFFIC ON A VM

DOWNLOADING THE MALWARE:

2014-11-13 20:29:24 UTC - 172.16.165.132:49200 - 180.210.201.107:80 - adtravel.com.sg - GET /bankline/message.php

2014-11-13 20:29:24 UTC - 172.16.165.132:49200 - 180.210.201.107:80 - adtravel.com.sg - GET /favicon.ico

2014-11-13 20:29:24 UTC - 172.16.165.132:49201 - 180.210.201.107:80 - adtravel.com.sg - POST /bankline/message.php

2014-11-13 20:29:26 UTC - 172.16.165.132:49202 - 94.23.50.48:80 - counter1.statcounterfree.com - GET /private/counter.js?c=3cd91faa08a440e1eaaed230a22225c0

2014-11-13 20:29:26 UTC - 172.16.165.132:49203 - 94.23.50.48:8080 - counter1.statcounterfree.com:8080 - GET /private/pointeur/pointeur.gif?| [long string of characters]

2014-11-13 20:29:26 UTC - 172.16.165.132:49204 - 94.23.50.48:80 - counter1.freecounterstat.com - GET /private/counter.php?c= [long string of characters]

2014-11-13 20:29:27 UTC - 172.16.165.132:49201 - 180.210.201.107:80 - adtravel.com.sg - GET /bankline/message.php?h=900&w=1440&ua=[long string of characters]

POST-INFECTION TRAFFIC AFTER RUNNING THE MALWARE:

2014-11-13 20:32:35 UTC - 172.16.165.132:49205 - 188.165.206.208 - 188.165.206.208:27648 - GET /1311uk2/WIN-QSL42S1ENZ/0/61-SP1/0/

2014-11-13 20:32:36 UTC - 172.16.165.132:49206 - 188.165.206.208 - 188.165.206.208:27648 - GET /1311uk2/WIN-QSL42S1ENZ/1/0/0/

2014-11-13 20:32:36 UTC - 172.16.165.132:49207 - 109.237.138.18:80 - enrico-roeske.de - GET /requests/cluk2.pmg

2014-11-13 20:32:37 UTC - 172.16.165.132:49208 - 78.46.70.51:80 - santaic8.kilu.de - GET /img/cluk2.pmg

2014-11-13 20:35:50 UTC - 172.16.165.132:49210 - 162.242.252.170:80 - icanhazip.com - GET /

2014-11-13 20:35:50 UTC - 172.16.165.132:49212 - 104.156.231.126:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:35:50 UTC - 172.16.165.132:49213 - 23.3.12.179:80 - www.download.windowsupdate.com - GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab

2014-11-13 20:36:36 UTC - 172.16.165.132:49214 - 104.156.231.126:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:37:37 UTC - 172.16.165.132:49215 - 104.156.231.126:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:38:18 UTC - 172.16.165.132:49217 - 94.23.63.195:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:38:20 UTC - 172.16.165.132:49218 - 94.23.63.195:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:38:36 UTC - 172.16.165.132:49219 - 94.23.63.195:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:38:38 UTC - 172.16.165.132:49220 - 94.23.63.195:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:39:10 UTC - 172.16.165.132:49221 - 94.23.63.195:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:39:11 UTC - 172.16.165.132:49222 - 94.23.63.195:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:39:22 UTC - 172.16.165.132:49224 - 108.61.199.190:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:39:24 UTC - 172.16.165.132:49225 - 108.61.199.190:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:39:25 UTC - 172.16.165.132:49226 - 108.61.199.190:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:39:25 UTC - 172.16.165.132:49227 - 108.61.199.190:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:39:26 UTC - 172.16.165.132:49228 - 108.61.199.190:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:39:28 UTC - 172.16.165.132:49229 - 108.61.199.190:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:39:28 UTC - 172.16.165.132:49230 - 108.61.199.190:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:39:29 UTC - 172.16.165.132:49231 - 108.61.199.190:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:39:33 UTC - 172.16.165.132:49232 - 108.61.199.190:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:42:41 UTC - 172.16.165.132:49233 - 108.61.199.190:4443 - encrypted (possible HTTPS) traffic

2014-11-13 20:45:58 UTC - 172.16.165.132:49234 - 108.61.199.190:4443 - encrypted (possible HTTPS) traffic

POST-INFECTION STUN (SESSION TRAVERSAL UTILITIES for NAT) TRAFFIC OVER UDP:

2014-11-13 20:32:50 172.16.165.132:31748 - 193.28.184.4:3478 - STUN traffic to: stun.ipshka.com

2014-11-13 20:33:25 172.16.165.132:31748 - 107.23.150.92:3478 - STUN traffic to: stun.stunprotocol.org

2014-11-13 20:33:59 172.16.165.132:31748 - 217.10.68.152:3478 - STUN traffic to: stun.sipgate.net

2014-11-13 20:34:34 172.16.165.132:31748 - 77.72.174.163:3478 - STUN traffic to: stun.voipbuster.com

2014-11-13 20:35:08 172.16.165.132:31748 - 198.27.81.168:3478 - STUN traffic to: stun.callwithus.com

SNORT EVENTS FROM THE INFECTED VM

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

2014-11-13 20:29:24 UTC - 172.16.165.132:49201 - 180.210.201.107:80 - ET CURRENT_EVENTS Upatre redirector 29 Sept 2014 - POST (sid:201932)

2014-11-13 20:29:25 UTC - 180.210.201.107:80 - 172.16.165.132:49201 - ET CURRENT_EVENTS suspicious embedded zip file in web page (sid:2019324)

2014-11-13 20:29:28 UTC - 172.16.165.132:49201 - 180.210.201.107:80 - ET CURRENT_EVENTS Upatre redirector GET Sept 29 2014 (sid:2019311)

2014-11-13 20:29:28 UTC - 180.210.201.107:80 - 172.16.165.132:49201 - ET TROJAN Zeus Spam Campaign pdf.exe In ZIP - 26th Feb 2014 (sid:2018182)

2014-11-13 20:32:36 UTC - 172.16.165.132:49207 - 109.237.138.18:80 - ET TROJAN Common Upatre Header Structure 2 (sid:2018635)

2014-11-13 20:32:36 UTC - 172.16.165.132:49207 - 109.237.138.18:80 - ET TROJAN Common Upatre Header Structure (sid:2018394)

2014-11-13 20:35:50 UTC - 172.16.165.132:49210 - 162.242.252.170:80 - ETPRO TROJAN Common Downloader Header Pattern H (sid:2803305)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

2014-11-13 20:29:24 UTC - 172.16.165.132:49201 - 180.210.201.107:80 - [1:32129:1] MALWARE-CNC Win.Trojan.Downloader variant download attempt

2014-11-13 20:32:39 UTC - 78.46.70.51 - 172.16.165.132 - [139:1:1] (spp_sdf) SDF Combination Alert

2014-11-13 20:35:50 UTC - 104.156.231.126:4443 - 172.16.165.132:various - [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE (x14)

2014-11-13 20:35:50 UTC - 172.16.165.132:various - 104.156.231.126:4443 - [119:31:1] (http_inspect) UNKNOWN METHOD (x14)

FINAL NOTES

Once again, here are the associated files:

ZIP of CSV spreadsheet with some of the email tracking: 2014-11-13-phishing-email-tracking.csv.zip

ZIP of pcap from the malware downloaded and run in a VM: 2014-11-13-phishing-malware-traffic-in-a-VM.pcap.zip

ZIP of the associated malware: 2014-11-13-phishing-malware-and-artifacts.zip

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
