Posted October 29, 2015
By Steven Weinstein
From: "Interfax Service"
Subject: You have received a new fax, document 0000325485
Date: October 26, 2015 at 11:12:34 PM EDT
Reply-To: "Interfax Service"
New incoming fax document.
Please, download fax document attached to this email.
Filesize: 292 Kb
Scanned at: Mon, 26 Oct 2015 18:49:57 +0300
Scanned by: Fred Greer
Scan duration: 22 seconds
Resolution: 500 DPI
Pages scanned: 11
Document name: fax-0000325485.doc
Thanks for choosing Interfax!
After simple deobfuscation:
The first payload location was no longer serving malware, but the second and third locations were actively distributing malware at the time of this writing: DB8BCD3EA3F538BA8E685DB017C9417E (16/56 on VirusTotal) and 2EED0E65AE1FCA2E9C0D3902211AC832 (5/56 on VirusTotal) respectively.
If a download is successful, the PE (portable executable) file is then written to disk in the %TEMP% directory with filename 8949702.exe or 8949703.exe (the one that was not able to be retrieved would have been 8949701.exe), and then executed.
Upon execution of 2EED0E65AE1FCA2E9C0D3902211AC832, the following network indicators were observed:
POST /gate/ HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pomppondy[.]net User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) Content-Length: 8
GET /verify HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: i4uvsr74mnm8a.ddns[.]net User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
DNS requests for the following Dynamic DNS domains were also observed (none resolved):
Full behavioral analysis of the file can be seen at the link below:
Additionally, LookingGlass ScoutVision has observed 54.148.180[.]204 intermittently acting as a C&C server as early as August 10, 2015, and 5.230.4[.]28 also as a C&C as early as October 16th, which is the same date that DNS requests for pomppondy[.]net were first observed.
Recommended Action: LookingGlass recommends blocking all of the above domains and IP addresses.