Last Updated: 2018-07-24 23:07:02 UTC
by Tom Webb (Version: 1)
I was looking through network alarms, and I came across an interesting alert I’ve not seen before for cell phone tracking. I noticed that the POST to the website was in clear text. I started to look at the URL’s that Phone was accessing.
POST to URLS included:
I started looking at the different data that was sent to each of the URLs. The information posted to the update.php page included: Userid, Serial, Model, Phone number, Sim card number, IMEI, Phone Number Called and the contact named in phone and more.
The upload_MMS is what I expected; it contained what was being sent via TXT, including pictures.
The upload_rec.php was very surprising to me. My initial thought it was voicemail, but it appears that its an mp4 of all phone conversations. The file that was transferred was 15 min long, obviously too long for a voicemail. Network Miner was able to quickly determine their was MP4 files embedded in the PCAP.
The software is sending this data to http://cellphonetrackers.co. The website appears not to have been updated since 2013 as that's the copyright listed on the front page.
Monitoring your loved ones on devices is important, but you need to make sure that their privacy is still be protected by the tool you are using. There are lots of legitimate review sites that cover pro and cons of tools from name brands you know and trust.
-- Tom Webb @twsecblog
Last Updated: 2018-07-24 02:46:49 UTC
by Brad Duncan (Version: 1)
So far in 2018, I've seen a great deal of malicious spam (malspam) pushing Emotet malware. It's probably the most common malspam threat I've seen so far in 2018. Within the past week, the some good posts about Emotet have been published:
- 2018-07-18 - Symantec: The Evolution of Emotet: From Banking Trojan to Threat Distributor
- 2018-07-18 - Palo Alto Networks: Malware Team Up: Malspam Pushing Emotet + Trickbot
- 2018-07-20 - US-CERT: Alert (TA18-201A) Emotet Malware
- 2018-07-23 - MalFind: Deobfuscating Emotet’s powershell payload
You can also find indicators about Emotet by searching Twitter for #Emotet. Assuming you can wade through the re-posts on the above articles, you'll find a community that tweets indicators about Emotet like URLs for the initial Word document, file hashes for the malware, etc.
Emotet infection from Monday 2018-07-23
On Monday 2018-07-23, I generated some Emotet infection traffic in my home lab, and I saw plenty of indicators. The following is malware retrieved from my infected Windows host:
- SHA256 hash: 9914881d35a7fa7ce6f9ec06d4e5c19f12c6916a57fcc4facbb28f144e921283
- File description: Downloaded Word doc with malicious macro that installs Emotet
- SHA256 hash: 83d54beb3fdecfc7bcb0eb048aa4634a5e4208dc0a3067a35d2cfb4598cb99b2
- File description: Emotet malware binary retrieved by Word macro
- SHA256 hash: b1ebf3d44d496ee574831266474b10b55c06e30aea56d41ac8830ba2b28f7a0f
- File description: Zeus Panda Banker
The following are domains, IP addresses, and URLs from the infection traffic.
Initial infection traffic:
- 18.104.22.168 port 80 - misico.com - GET /sites/US/Client/Invoice-0361376097-07-23-2018/
- 22.214.171.124 port 80 - www.ocyoungactors.com - GET /NzGucd/
Emotet post-infection traffic:
- 126.96.36.199 port 80 - 188.8.131.52 - GET /whoami.php
- 184.108.40.206 port 80 - 220.127.116.11 - POST /
- 18.104.22.168 port 8080 - 22.214.171.124:8080 - GET /
- 126.96.36.199 port 443 - 188.8.131.52:443 - GET /
- 184.108.40.206 port 8443 - 220.127.116.11:8443 - GET /
- 18.104.22.168 port 80 - 22.214.171.124 - GET /
- 126.96.36.199 port 80 - 188.8.131.52 - GET /
- 184.108.40.206 port 990 - 220.127.116.11:990 - GET /
- 18.104.22.168 port 990 - 22.214.171.124:990 - GET /
- 126.96.36.199 port 4143 - 188.8.131.52:4143 - GET /
- 184.108.40.206 port 80 - 220.127.116.11 - GET /
- 18.104.22.168 port 80 - 22.214.171.124 - GET /
- 126.96.36.199 port 80 - 188.8.131.52 - GET /
- 184.108.40.206 port 80 - 220.127.116.11 - GET /
- 18.104.22.168 port 8080 - 22.214.171.124:8080 - GET /
- 126.96.36.199 port 8080 - 188.8.131.52:8080 - GET /
- 184.108.40.206 port 443 - 220.127.116.11:443 - GET /
- 18.104.22.168 port 80 - 22.214.171.124 - GET /
- 126.96.36.199 port 80 - 188.8.131.52 - GET /
- 184.108.40.206 port 8080 - 220.127.116.11:8080 - GET /
- 18.104.22.168 port 8080 - 22.214.171.124:8080 - GET /
- 126.96.36.199 port 443 - 188.8.131.52:443 - GET /
- 184.108.40.206 port 80 - 220.127.116.11 - GET /
- 18.104.22.168 port 443 - 22.214.171.124:443 - GET /
Attempted TCP connections from Emotet infection, but no response from the server:
- 126.96.36.199 port 80
- 188.8.131.52 port 8080
- 184.108.40.206 port 80
- 220.127.116.11 port 7080
- 18.104.22.168 port 465
- 22.214.171.124 port 443
- 126.96.36.199 port 8443
- 188.8.131.52 port 8080
- 184.108.40.206 port 8080
- 220.127.116.11 port 80
- 18.104.22.168 port 20
- 22.214.171.124 port 8080
- 126.96.36.199 port 8080
- 188.8.131.52 port 443
- 184.108.40.206 port 443
- 220.127.116.11 port 443
- 18.104.22.168 port 443
- 22.214.171.124 port 443
- 126.96.36.199 port 4143
Zeus Panda Banker traffic:
- 188.8.131.52 port 443 - thevisitorsfilm.top - SSL/TLS traffic
As usual, properly-administered and up-to-date Windows hosts are not likely to get infected. System administrators and the technically inclined can also implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.
A pcap of the infection traffic for today's diary can be found here.
brad [at] malware-traffic-analysis.net