In March of this year, reports surfaced of malspam campaigns using emails with attached “.doc.js” files, which tied back to the Kovter and Boaxxe clickfraud trojans. The analysis of these malware families has already been well documented here and here. Therefore, this post will concentrate on the botnet behind the malspam delivery and subsequent download for these recent malspam campaigns. It is believed that the miscreants behind the development of these trojans use an affiliate model to have their malicious wares infect victims via botnet or exploit kit operators.

You may have seen emails with subject lines mentioning FedEx deliveries, court notices, or even toll road charges:



Figure 1. Screenshot of email

By examining the email headers, we can see that these initial lures are being sent from a webserver using a PHP script, as revealed by the “X-PHP-Script” header:



Figure 2. Webservers using PHP to send email

PhishMe researchers were able to retrieve the PHP server-side code behind this script, pictured below (Figure 3). The script accepts a POST variable named code, base64-decodes its value, and then evaluates the result as PHP. Because this code block performs no input validation, the script allows remote code execution.



Figure 3. Snippet of PHP code

The miscreants using this PHP script as a mailer sent their malspam payload consisting of two arrays: $js[], which contains the obfuscated JavaScript file, and $mails[], which contains prepopulated email messages including the subject and body themes mentioned above. The final code block sent to this script creates a randomized ZIP archive containing the malicious JavaScript file, attaches it to the email message, and then sends the email using the built-in PHP mail() function.
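The two traits described so far, a message relayed by a PHP script and a ZIP attachment holding a script file, can be checked together at the mail gateway. The following Python sketch is an added example, not PhishMe's Yara rules or code from the campaign; the sample message, its addresses and the X-PHP-Script value are constructed, and the script extensions other than ".js" are an assumption.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: the page names only ".js"; the other script extensions are added here.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")

def build_sample(member="invoice_00123.doc.js", via_php=True) -> bytes:
    """Constructed message: a ZIP attachment, optionally relayed by a PHP script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "// inert placeholder, not malware")
    msg = EmailMessage()
    msg["From"] = "notice@sender.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Delivery notification"
    if via_php:
        # Constructed value; real header contents depend on the sending host.
        msg["X-PHP-Script"] = "www.site.example/post.php for 192.0.2.10"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="notice.zip")
    return msg.as_bytes()

def triage(raw: bytes) -> dict:
    """Report the PHP mailer header and any script files inside ZIP attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    header = msg.get("X-PHP-Script")
    scripts = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue  # not a ZIP, or too damaged to list
        scripts += [n for n in names if n.lower().endswith(SCRIPT_EXTS)]
    return {
        "php_script": str(header) if header else None,
        "script_members": scripts,
        "suspicious": bool(header and scripts),
    }

if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_sample(member="readme.txt", via_php=False)))
```

Either trait alone is common in legitimate mail (web forms send through PHP, and ZIP attachments are routine), so the example only flags the combination.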

During our four-day observation of this ongoing malspam campaign, we saw 20,000 email messages sent from this single website alone. The source IP addresses that are using this PHP script to send the malspam are:

109.235.50.205 (XenEurope VPS, Netherlands)

194.69.193.111 (bsnews.it, Italy)

77.111.207.70 (Verygames.net, France)

The initial email lures contain a ZIP attachment with a “.doc.js” file inside the archive that some AV companies call Nemucod. This JS file contains highly obfuscated JavaScript that downloads the installer for Kovter and Miuref/Boaxxe. To save precious analyst time, we can easily deobfuscate these downloaders using Wepawet or jsdetox. Once executed, the malicious JavaScript attachment downloads three Windows executables from hardcoded domains. These domains can be found on the second line of the deobfuscated JavaScript:

var b = "les-eglantiers.fr ckindustry.com sdcpower.com".split(" ");

Once executed, the JavaScript file issues an HTTP GET using the following URL structure, which downloads a Windows executable, albeit one named with a fake GIF file extension:

example.com/document.php?rnd=<RANDOM_DIGITS>&id=<TRACKING_ID>

Over the past week, PhishMe has observed the following IP addresses and domains serving as the initial download document.php sites for these malware campaigns:




Figure 4. Document.php

The document.php server-side code (Figure 4) first ensures the request is coming from a Windows OS or otherwise exits. There is also a campaign tracking function that records the victim’s external IP address and browser information to the file document.txt located in the same directory on the webserver. The rnd GET parameter’s value will always contain a 1, 2, or 3 in the last digit that denotes the binary file being requested on the webserver (i.e. 1.bin, 2.bin, and 3.bin respectively). Finally, in the last decision code block, the malware is served to the client as a randomly named GIF file. These executables can also be directly accessed from the webserver, thereby bypassing any download restrictions imposed by the document.php file.
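The URL structure and the meaning of the last rnd digit give defenders a pattern to hunt for in web proxy logs. The following Python sketch is an added example, not code from the campaign or from PhishMe; the log format, hostnames and tracking IDs are constructed, and grouping requests by client and tracking ID is an assumption about how an analyst would correlate them.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines in the form "<client> <method> <url>".
SAMPLE_LOG = """\
10.0.0.21 GET http://site-a.example/document.php?rnd=4821&id=ABCD1234
10.0.0.21 GET http://site-b.example/document.php?rnd=9902&id=ABCD1234
10.0.0.21 GET http://site-c.example/document.php?rnd=1733&id=ABCD1234
10.0.0.35 GET http://intranet.example/document.php?page=2
10.0.0.40 GET http://site-a.example/document.php?rnd=5550&id=ZZZZ
10.0.0.52 GET http://news.example/index.php?rnd=123&id=9
"""

def payload_index(url):
    """Return (tracking_id, n) if the URL fits the downloader pattern, else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/document.php"):
        return None
    query = parse_qs(parts.query)
    rnd = query.get("rnd", [""])[0]
    tracking_id = query.get("id", [""])[0]
    # Per the page, the last digit of rnd is 1, 2 or 3 and selects 1.bin..3.bin.
    if not (rnd.isdigit() and tracking_id and rnd[-1] in "123"):
        return None
    return tracking_id, int(rnd[-1])

def hunt(log_text):
    """Map (client, tracking_id) to the sorted payload numbers that client requested."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[1] != "GET":
            continue
        hit = payload_index(fields[2])
        if hit:
            seen[(fields[0], hit[0])].add(hit[1])
    return {key: sorted(nums) for key, nums in seen.items()}

if __name__ == "__main__":
    for (client, tid), nums in hunt(SAMPLE_LOG).items():
        note = "all three payloads" if nums == [1, 2, 3] else "partial"
        print(client, tid, nums, note)
```

A client that requests payloads 1, 2 and 3 under the same tracking ID matches the downloader's behavior far more closely than a single hit on a page that happens to be called document.php.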

Another post.php script was spotted in the same directory on these compromised webservers hosting the document.php files. The code is very similar to the post.php mailer file mentioned above; however, this script requires a POST variable named pass, which acts as authentication and whose value is unique on each website:



Figure 5. post.php source

PhishMe observed code remotely being executed using this post.php script that contained the following characteristics:

Performs MD5 checksums on the webserver *.bin files.

Retrieves the records of the txt campaign tracking information, then erases it.

Replaces the malware installer *.bin files with freshly packed executables every ten minutes in an effort to evade checksum or AV signatures.

The same IP addresses mentioned above sending the malspam were also the source of this traffic.

PhishMe was able to retrieve the access logs going back one month for one of the document.php malware download sites and mapped the potential target list based on the geolocation of ~2500 unique IP addresses, pictured below. It would seem that the United States is being targeted more than any other country:



Figure 6. Geolocation of unique IP addresses

All of the websites hosting the post.php and document.php files have been compromised for over a year. There does not seem to be a common CMS platform or PHP framework installed that may have been used as the initial exploitation vector. The IP addresses controlling the mailer and initial download sites mentioned above belong to a VPS provider or a shared-hosting network. This finding may indicate a Tier 2 hierarchy style of botnet consisting of additional, compromised servers. The frequency at which these malware lures are being spammed out and the constant re-packing of executables present a great challenge for the antivirus industry’s attempts to protect its user base from this attack. Luckily, PhishMe’s Triage customers are protected from this threat via the Yara rules PM_Zip_with_js and PM_Email_Sent_By_PHP_Script, which can be downloaded here.