Anatomy of a Malware distribution campaign

Published: 2014-01-19
Last Updated: 2014-01-19 18:41:43 UTC
by Rick Wanner (Version: 1)
8 comment(s)

Starting about ten days ago, a spam campaign began targeting customers of Pacific Gas and Electric (PG&E), a large U.S. energy provider. PG&E has been aware of this campaign for about a week and has informed its customers.

This is yet another spam run targeting the customers of U.S. energy companies, part of a pattern that has been going on for several months. I was able to get two samples of this run to dissect. This is not a campaign targeted directly at known PG&E customers. One of the emails came to an account which I only use as a garbage collector. I have not used the account in about ten years and nobody would legitimately send me email on that account. The second sample came from an ISC handler in Australia. Neither of us is anywhere near PG&E's service area.

It wasn't long ago that you could identify spam by the quality of the English, but these emails look quite professional and the English is good. The only real issue in the email is the formatting of some of the currency figures.

The header revealed that it was sent from user nf@www1.nsalt.net using IP 212.2.230.181, most likely a compromised webmail account. Both the From and Reply-To fields are set to do_not_reply@nf.kg, an email address that bounces. The 212.2.230.181 IP, the nf.kg domain and the nsalt.net domain all map to City Telecom Broadband in Kyrgyzstan (country code KG).

These sorts of runs usually have one of two purposes: credential theft or malware distribution. In this case the goal seems to be malware distribution. The "click here" links in the two samples point to different places:

  • hxxp://s-dream1.com/message/e2y+KAkbElUyJZk38F2gvCp7boiEKa2PSdYRj+YOvLI=/pge

  • hxxp://paskamp.nl/message/hbu8N3ny7oAVfvBZrZWLSrkYv2kTbwArk3+Tspbd2Cg=/pge

Both of these links are now down, but when they were alive they both served up PGE_FullStatement_San_Francisco_94118.zip which contained a Windows executable.
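The header analysis above (submitting host and IP from the Received: line, From: and Reply-To: addresses) and the link pattern shared by both samples (/message/&lt;base64 token&gt;/pge) can be turned into a small triage script. The following is an added example, not code from the diary or from PG&E: it parses a constructed message whose headers and body are modelled on the details given in this post (the Received: line, the example.invalid recipient and the subject text are assumptions), pulls out the originating IP, the From/Reply-To addresses and every link in the body, and flags links whose path matches the campaign pattern or whose host does not belong to the From: domain. It accepts both live (http) and defanged (hxxp) links so it can be run directly over indicator lists.

```python
"""Triage a suspected PG&E-themed phishing message: header and link indicators.

Added example. The sample message below is constructed for illustration and
modelled on the details in the diary; it is not a real capture.
"""
import email
import email.policy
import email.utils
import re
from urllib.parse import urlparse

# Constructed sample. Recipient domain, ESMTP id, date and subject are assumptions;
# sending host, IP, From/Reply-To address and the link come from the diary.
SAMPLE_MESSAGE = """\
Received: from www1.nsalt.net (www1.nsalt.net [212.2.230.181])
    by mx.example.invalid with ESMTP id ABC123 for <victim@example.invalid>;
    Sun, 12 Jan 2014 09:12:33 +0000
From: "PG&E Customer Service" <do_not_reply@nf.kg>
Reply-To: do_not_reply@nf.kg
To: victim@example.invalid
Subject: Your PG&E statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your January statement is now available.</p>
<p><a href="http://s-dream1.com/message/e2y+KAkbElUyJZk38F2gvCp7boiEKa2PSdYRj+YOvLI=/pge">click here</a> to view it.</p>
</body></html>
"""

# Links in the body, live (http) or defanged (hxxp), up to the next quote/space/bracket.
LINK_RE = re.compile(r'h(?:xx|tt)ps?://[^\s"\'<>]+', re.IGNORECASE)
# Path shared by both links in the diary: /message/<base64 token>/pge.
CAMPAIGN_PATH_RE = re.compile(r'^/message/[A-Za-z0-9+/=]{16,}/pge$')
# IP literal and host name of the submitting client in a Received: header.
RECEIVED_IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')
RECEIVED_HOST_RE = re.compile(r'^\s*from\s+(\S+)', re.IGNORECASE)


def refang(link):
    """Turn a defanged hxxp(s):// link back into http(s):// for parsing."""
    return re.sub(r'^hxxp', 'http', link, flags=re.IGNORECASE)


def first_hop(msg):
    """Return (host, ip) from the earliest Received: header, i.e. the submitting client.

    Received: headers are prepended by each relay, so the last one listed is the first hop.
    """
    received = msg.get_all('Received') or []
    if not received:
        return None, None
    line = str(received[-1])
    host = RECEIVED_HOST_RE.search(line)
    ip = RECEIVED_IP_RE.search(line)
    return (host.group(1).lower() if host else None, ip.group(1) if ip else None)


def address_of(header_value):
    """Bare, lower-cased address from a header such as '"Name" <addr>'."""
    return email.utils.parseaddr(str(header_value or ''))[1].lower()


def extract_links(msg):
    """All http/hxxp links in the preferred (html, then plain) body part."""
    body = msg.get_body(preferencelist=('html', 'plain'))
    return LINK_RE.findall(body.get_content()) if body else []


def campaign_links(links):
    """Links whose path matches the /message/<token>/pge pattern seen in both samples."""
    return [l for l in links if CAMPAIGN_PATH_RE.match(urlparse(refang(l)).path)]


def triage(raw):
    """Parse a raw RFC 5322 message and return the extracted fields plus indicator notes."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    host, ip = first_hop(msg)
    from_addr = address_of(msg['From'])
    reply_to = address_of(msg['Reply-To'])
    from_domain = from_addr.rsplit('@', 1)[-1]
    links = extract_links(msg)
    hits = campaign_links(links)
    indicators = []
    if hits:
        indicators.append('link path matches /message/<token>/pge pattern')
    link_hosts = {urlparse(refang(l)).hostname for l in links}
    if any(h and not h.endswith(from_domain) for h in link_hosts):
        indicators.append('link host differs from From: domain')
    if host and from_domain and not host.endswith(from_domain):
        indicators.append('submitting host differs from From: domain')
    return {
        'sender_host': host, 'sender_ip': ip, 'from': from_addr, 'reply_to': reply_to,
        'links': links, 'campaign_links': hits, 'indicators': indicators,
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f'{key}: {value}')
```

The path regex is deliberately narrow (a base64-looking token of at least 16 characters between "/message/" and "/pge") so that it catches the second sample's paskamp.nl link as well without matching ordinary "/message/" paths; loosen it only with care, since the token and the trailing "pge" are what tie these two URLs to one campaign.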

The antivirus on my test machines was not triggered by this file, and VirusTotal shows a 5/48 detection rate, with the engines that do flag it classifying it as a Trojan dropper.

I get 500 or so spam and phishing messages every day. Fortunately the majority of them are caught in the excellent filters I have in place. This email passed those filters and, if I were a PG&E customer, would probably look legitimate enough to at least make me look at it twice before disregarding it as spam. But how many less tech-savvy PG&E customers got caught by this? It is clear that modern anti-virus is dying as a front line defense against such attacks. Is there a technology in the development pipe today that is going to step up and help protect the average user?

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords: malware