Introduction

Since at least Wednesday 2015-05-27, there have been more waves of malicious spam (malspam) spoofing myfax.com. On Tuesday 2015-06-02, the messages contained links to a zip archive of a Pony downloader. Tuesday's messages also had links pushing Neutrino exploit kit (EK).

Spoofed myfax emails are nothing new. They've been around for years. This is yet another wave in the continuous onslaught of malspam that organizations face every day.

Background

Earlier on 2015-06-02, @Techhelplistcom tweeted about myfax malspam he'd found [1], and he posted links from these emails to pastebin [2]. I noticed similar messages last week, but they were all blocked. At that time, I wasn't able to investigate any further. On 2015-06-02, checking my employer's spam filters revealed spoofed myfax messages were coming in again after a 3-day break.

Details

Below is an example of the messages blocked by my organization's spam filters on 2015-06-02:
The above example shows 2 types of URLs. The first points to a zip file. The second points to URLs ending in fax.php that push Neutrino EK. Last week's malspam only had links to the zip files.
In a lab environment, those links ending with fax.php returned HTML with iframes leading to Neutrino EK. Unfortunately, I wasn't able to generate any Neutrino EK traffic. The domain names for the Neutrino URLs didn't resolve in the DNS traffic. We saw the following fax.php URLs from the malspam:
We also found the following URLs for zip files from the malspam:
Here's what we saw in a lab environment when downloading the zip file, extracting the malware, and infecting a Windows host:
Indicators of compromise (IOC) from the infection traffic:
The image below shows Emerging Threats-based Snort events on the infection traffic using Security Onion. The events indicate a Fareit/Pony downloader infected the lab host with Graftor or a Zeus/Zbot variant.

A sample of the Pony downloader was submitted to malwr.com at: https://malwr.com/analysis/ODExOWNlY2Y4N2QwNDhkNmE4YmFkODc2ODA3NzlkNDI/

A sample of the follow-up malware was also submitted to malwr.com at: https://malwr.com/analysis/OTc4MWY3OTdmZDZkNGYxMGJhNGRkMDAzOThlNmQ1NmI/

Post-infection traffic contains HTTP GET requests for a small image file with an image of Marlon Brando from the Godfather movies. Matthew Mesa found some other URLs with (what I assume is) the same image [3]. The image contains some ASCII text for the last 1.4 KB or so of the file, which indicates steganography is being used to send some information to the infected host.

Final words

A pcap of the 2015-06-02 infection traffic is available at:

A zip file of the associated malware is at:

The zip file is password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.

Special thanks to Techhelplist and Matthew Mesa for their Twitter posts about this activity. Techhelplist also updated his blog entry about fake myfax emails with this recent information [4].

---

References:

[1] https://twitter.com/Techhelplistcom/status/605765844258287618
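The ASCII tail on the post-infection image described above is the kind of thing a triage script can flag: data that sits after a JPEG's end-of-image marker is not rendered and has no business being there. The check below is an added example, not code from the diary or from any tool it mentions; it walks the JPEG marker segments to find the real EOI (so an EXIF thumbnail's own EOI does not fool it) and reports the size and printable-ASCII ratio of whatever follows. The sample bytes are constructed, not taken from the real image.

```python
import string
from typing import Optional

PRINTABLE = set(string.printable.encode())

def jpeg_end(data: bytes) -> Optional[int]:
    """Walk the JPEG marker segments; return the offset just past EOI (FF D9)."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2                                           # skip SOI
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                               # lost marker sync: malformed
        marker = data[pos + 1]
        if marker == 0xD9:                            # EOI: the image proper ends here
            return pos + 2
        if marker == 0xFF:                            # fill byte before a marker
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                                  # standalone marker, no length field
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                            # SOS: skip the entropy-coded scan,
            while pos + 1 < len(data):                # where 0xFF is stuffed (FF 00) or RSTn
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None

def trailing_payload(data: bytes) -> dict:
    """Size of the bytes after EOI and how ASCII-like they are (1.0 = all printable)."""
    end = jpeg_end(data)
    if end is None:
        return {"trailer_bytes": 0, "ascii_ratio": 0.0, "note": "not a parseable JPEG"}
    trailer = data[end:]
    ratio = sum(b in PRINTABLE for b in trailer) / len(trailer) if trailer else 0.0
    return {"trailer_bytes": len(trailer), "ascii_ratio": round(ratio, 2)}

# Constructed sample: minimal JPEG (SOI, APP0, SOS, stuffed scan data, EOI) + ASCII tail.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x07JFIF\x00\xff\xda\x00\x03\x01"
               b"\x12\x34\xff\x00\x56\xff\xd9")
SAMPLE_TRAILER = b"constructed ASCII trailer appended past EOI\n"

print(trailing_payload(SAMPLE_JPEG + SAMPLE_TRAILER))
```

A non-empty trailer is a lead, not a verdict: some writers leave padding or metadata after EOI, so compare against the same image fetched from a known-good source before treating it as a channel to the infected host.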
Brad 433 Posts ISC Handler Jun 3rd 2015
I really like these malware analysis posts! Thanks!
John 88 Posts
Jun 3rd 2015
Thanks, John!
Brad 433 Posts ISC Handler
Jun 3rd 2015
Quoting John: "I really like these malware analysis posts! Thanks!"

Yes, so do I. I am always impressed when I see that SecurityOnion is picking these up with ET Snort rules. This stuff is always fascinating.
Lee 13 Posts
Jun 4th 2015
The ET open signature set is my personal favorite for Snort or Suricata... a free rule set by an amazing team of people! SecurityOnion is also awesome. I highly encourage people to try it out, if they haven't already!
Brad 433 Posts ISC Handler
Jun 4th 2015