How are people fooled by this? Email to sign a contract provides malware instead (Wed, Aug 9th)

Introduction

Many security professionals often review malicious spam (malspam) as part of their daily work. If you fall in this category, every once in a while you run across an email so obviously malicious, you wonder how people could be fooled by it. I saw one such email on Tuesday 2017-08-08.

The link in this email led to a zip archive containing Sharik/Smoke Loader malware. Sharik/Smoke Loader then retrieved TeamViewer to use as a backdoor on the infected host. It also downloaded ransomware calling itself Diamond Computer Encryption.
Shown above: Chain of events for this infection.

In today's diary, I investigate that malspam and its associated malware.

The email

The email consists of an image from img.hambersandp02.host that links to inf.hambersandp02.host. The image is followed by a random string of numbers barely visible in the message, because the text is a very light shade of grey.
Shown above: Screenshot of the email.

Just look at it. The recipient was not someone in any position of authority to sign a contract. The email sender is named Contract and uses some random email address. And there is absolutely no context to the message. I always ask myself how someone could be fooled by this, and the answer is apparently "you'd be surprised."

Clicking on the image from the message sent a zip archive.
Shown above: Contents of the zip archive sent from the AWS server.

Network traffic

After the malware was downloaded from an AWS server, the infected Windows host generated post-infection traffic that included HTTP requests to support.microsoft.com (a legitimate domain) and controlek01.asia (a malicious domain). Network traffic triggered alerts for Sharik/Smoke Loader as I monitored it using Security Onion running Suricata with the EmergingThreats open ruleset.
Shown above: Events that triggered in Security Onion while monitoring the traffic.

The infected Windows host

Signs of a ransomware infection were apparent in the infected Windows host. All encrypted files had random extensions appended to their file names, and the decryption instructions call the ransomware Diamond Computer Encryption. This ransomware was first reported by @PolarToffee on Monday 2017-08-07 on Twitter, but it appears to be a complete scam without any way to decrypt your files. The bitcoin address from the decryption instructions doesn't change. No email address or other contact info is available.
Shown above: Decryption instructions (part 2 of 2).

I noticed two things about this ransomware. First, it causes no post-infection traffic, except for a URL in the decryption instructions. That URL causes an HTTP request for an image of a diamond from www.tiffany.com (a legitimate website). Second, you must have version 4.0.30319 or higher of the .NET Framework installed, or the ransomware doesn
Shown above: An isolated HTTP request to tiffany.com for this URL?
Shown above: The ransomware didn't run properly until I updated my .NET Framework.

Forensics

The Diamond ransomware was stored in a folder under the user's AppData\Roaming directory, and it used a Visual Basic (.vbe) file in the Startup folder to ensure persistence.
Shown above: VBE file in the startup folder calling for the Diamond ransomware.
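
One way to check a collected profile tree (for example a mounted disk image) for the Startup-folder persistence described above. This is an added example, not part of the original diary; the demo directory tree, user names and file names are constructed placeholders.

```python
import tempfile
from pathlib import Path

# Per-user Startup folder, relative to each profile directory.
STARTUP_REL = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
SCRIPT_EXTS = {".vbe", ".vbs", ".js", ".jse", ".wsf"}
ENCODED_MAGIC = b"#@~^"  # header written by Microsoft Script Encoder (.vbe/.jse)

def startup_script_findings(users_root):
    """Return sorted (user, filename, is_encoded) for scripts in each Startup folder."""
    findings = []
    for profile in Path(users_root).iterdir():
        startup = profile / STARTUP_REL
        if not startup.is_dir():
            continue
        for item in startup.iterdir():
            if item.is_file() and item.suffix.lower() in SCRIPT_EXTS:
                with item.open("rb") as fh:
                    encoded = fh.read(len(ENCODED_MAGIC)) == ENCODED_MAGIC
                findings.append((profile.name, item.name, encoded))
    return sorted(findings)

def build_demo_tree(root):
    """Create a constructed Users tree: one Startup .vbe and one ordinary shortcut."""
    startup = Path(root) / "alice" / STARTUP_REL
    startup.mkdir(parents=True)
    (startup / "example.vbe").write_bytes(b"#@~^EAAAAA==placeholder-not-a-real-script")
    (startup / "Notes.lnk").write_bytes(b"L\x00\x00\x00")
    (Path(root) / "bob").mkdir()  # profile without a Startup folder
    return root

def demo():
    """Run the scan over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return startup_script_findings(build_demo_tree(tmp))

if __name__ == "__main__":
    for user, name, encoded in demo():
        print(f"{user}: {name} encoded={encoded}")
```

Script files of any kind are rare in a Startup folder, so each finding is worth reviewing by hand.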

Although the Diamond ransomware deleted itself, the Sharik/Smoke Loader stayed persistent on the infected host through an entry in the Windows registry. It had moved itself to a folder under the user
Shown above: TeamViewer artifacts from the infected host.

Indicators of Compromise (IOCs)

The following are email headers from the malspam:

  • Date: Tue, 2017-08-08 12:36 UTC
  • From: Contract [email protected]
  • Subject: Please sign the contract.
  • X-PHP-Originating-Script: 0:class.phpmailer.php
  • Message-ID: [email protected]

The following are IOCs for network traffic related to this infection. First is the link from the email and redirect to the AWS download:

  • 192.64.119.130 port 80 – inf.hambersandp02.host – GET /
  • 52.219.84.35 port 443 – s3.us-east-2.amazonaws.com – GET /contrac9821/Sign_Contract_18727712.zip

Next is post-infection traffic during the infection to legitimate domains. None of these are inherently malicious on their own:

  • www.bing.com – GET /
  • support.microsoft.com – POST /kb/2460049
  • Various IPs over TCP ports 443 and 5938 – TeamViewer domains – TeamViewer traffic

Finally, we have Sharik/Smoke Loader doing check-in traffic and downloading the Diamond ransomware executable:

  • 178.159.36.86 port 80 – controlek01.asia – POST /
  • 178.159.36.86 port 80 – controlek01.asia – GET /mariconets.exe
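
The network IOCs above applied to proxy-style logs, as an added example rather than anything from the original diary. The log format, client addresses and 198.51.100.x destinations are constructed, and seeing the S3 path assumes a TLS-inspecting proxy. Requests to the legitimate domains and to TeamViewer's port are reported only for a host that also touched a malicious indicator.

```python
from collections import defaultdict

# Indicators copied from the IOC list in this diary.
BAD_HOSTS = {"inf.hambersandp02.host", "img.hambersandp02.host", "controlek01.asia"}
BAD_IPS = {"192.64.119.130", "178.159.36.86"}
# The S3 address is shared AWS infrastructure, so match the full URL, not the IP.
BAD_URLS = {("s3.us-east-2.amazonaws.com", "/contrac9821/Sign_Contract_18727712.zip")}
# Legitimate destinations from the post-infection traffic: context only.
CONTEXT_REQS = {("POST", "support.microsoft.com", "/kb/2460049"), ("GET", "www.bing.com", "/")}
TEAMVIEWER_PORT = 5938

def parse(line):
    """Constructed format: ts client method host uri dst_ip dst_port."""
    _, client, method, host, uri, dst_ip, port = line.split()
    return dict(client=client, method=method, host=host.lower(), uri=uri, dst_ip=dst_ip, port=int(port))

def classify(ev):
    """Return 'strong' for a diary IOC, 'context' for benign-but-related, else None."""
    if (ev["host"] in BAD_HOSTS or ev["dst_ip"] in BAD_IPS
            or (ev["host"], ev["uri"]) in BAD_URLS):
        return "strong"
    if ((ev["method"], ev["host"], ev["uri"]) in CONTEXT_REQS
            or ev["port"] == TEAMVIEWER_PORT):
        return "context"
    return None

def triage(lines):
    """Group hits per client; keep context hits only for clients with a strong hit."""
    hits = defaultdict(lambda: {"strong": [], "context": []})
    for line in lines:
        ev = parse(line)
        kind = classify(ev)
        if kind:
            hits[ev["client"]][kind].append(f'{ev["method"]} {ev["host"]}{ev["uri"]}')
    return {c: h for c, h in hits.items() if h["strong"]}

SAMPLE_LOG = [  # constructed lines; client and 198.51.100.x addresses are made up
    "2017-08-08T12:40:01Z 10.0.0.23 GET inf.hambersandp02.host / 192.64.119.130 80",
    "2017-08-08T12:40:03Z 10.0.0.23 GET s3.us-east-2.amazonaws.com /contrac9821/Sign_Contract_18727712.zip 52.219.84.35 443",
    "2017-08-08T12:44:10Z 10.0.0.23 POST support.microsoft.com /kb/2460049 198.51.100.10 80",
    "2017-08-08T12:44:12Z 10.0.0.23 POST controlek01.asia / 178.159.36.86 80",
    "2017-08-08T12:44:20Z 10.0.0.23 GET controlek01.asia /mariconets.exe 178.159.36.86 80",
    "2017-08-08T12:45:00Z 10.0.0.23 CONNECT - - 198.51.100.77 5938",
    "2017-08-08T12:50:00Z 10.0.0.40 GET www.bing.com / 198.51.100.20 80",
    "2017-08-08T12:51:00Z 10.0.0.40 GET s3.us-east-2.amazonaws.com /other-bucket/report.pdf 52.219.84.35 443",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```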

SHA256 hashes related to this infection are:

Final words

I saw some Twitter traffic stating Diamond ransomware also downloads TeamViewer. However, in this case TeamViewer appears to have been downloaded by Sharik/Smoke Loader. I tried the Diamond ransomware executable on its own, and it didn't generate any TeamViewer traffic.

Once again, I can't stress how obviously malicious I find this email. Furthermore, any organization following best security practices shouldn't have anything to worry about. But this example provides a somewhat interesting infection chain, and we must remain vigilant. There's still a possibility this malspam might actually infect someone.

Email, artifacts, and a pcap of the network traffic for today's diary can be found here.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.