CIS CYBER ALERT

DATE ISSUED:
10/16/2014
01/16/2015 - Updated

SUBJECT:
Invoice Phishing Spam Campaign Distributing Dyre Banking Trojan

 

View the updated version of this CIS Cyber Alert here:

http://www.cisecurity.org/cyber-alerts/2015/02232015.cfm

 

 

CIS recently became aware of a massive spam campaign targeting users in various sectors. Phishing emails used in the campaign contains a PDF attachment named Invoice621785.pdf. This attachment is a weaponized PDF document exploiting a vulnerability in Adobe Reader (CVE-2013-2729). After successful exploitation, user’s system will download additional malware from hxxp://rlmclahore.com/Resources/Search/1510out\.exe. This is a banking trojan similar to Zeus/Citadel that it targets sensitive user information including banking credentials.  As of this writing, all of the major AV products are detecting this malware as Tojan Dyre/Zbot/Fondu. 

 

UPDATED - JANUARY 16, 2015

CIS has discovered that some phishing emails may not have a malicious attachment, but may simply include a link to a malicious page that prompts the user to download a file. Most links appear to follow either of these forms:

[DOMAIN]/outlook/settings.html

[DOMAIN]/NETWEST_RELEASES/bankline.html

CIS has also discovered the possible use with/possible merger of Upatre, a trojan downloader, with the Dyre banking trojan. The CIS has observed that a spambot is consistently downloaded well after the initial download and deletion of the Upatre downloader.

 

Phishing Email Characteristics:

  • Subject:  "Unpaid invoic” [Please note the typo in the subject line]
  • Attachment: Invoice621785.pdf

 

Updated Phishing Email Characteristics - JANUARY 16, 2015

Subject lines:

  • “Wire transfer receive”
  • “Medicines here”
  • “Complaint against your company”
  • “Payment Advice - advice Ref:[xxxxxx]/CHAPS credits”
  • “Company repor” - (note the missing t in “report")
  • “Wire transfer complete”
  • “Important - New Outlook Settings”

 

 

System Level Indicators (If successful in exploitation):

  • Copies itself under C:\Windows\[RandomName].exe
  • Created a Service named ""Google Update Service” by setting the following registry keys:
    • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: "C:\WINDOWS\pfdOSwYjERDHrdV.exe"
    • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: "Google Update Service" 

 

Network Level Indicators:

 

First Stage Download:

    • rlmclahore\.com/Resources/Search/1510out\.exe

 

Updated First Stage Download - JANUARY 16, 2015

  • baypipo\.com/mandoc/eulu22.pdf (IP: 213.232.24\.115)
  • els-law\.com/mandoc/eulu22.pdf (IP: 192.185.146\.201)
  • leagleconsulting\.com/mandoc/team21.pdf (IP: 209.235.144\.9)
  • morph-x\.com/mandoc/page_241.pdf (IP: 67.228.164\.177)
  • coffeeofthemonth\.biz/mandoc/page_241.pdf (IP: 216.55.187\.235)
  • mrghaemi\.com/images/ml2from2.tar
  • absurdherd\.com/dev/ml2from2.tar (IP: 74.220.195\.45)
  • absurdherd\.com/dev/ml1from1.tar (IP: 74.220.195\.45)
  • absurdherd\.com/dev/heap2.tar (IP: 74.220.195\.45)
  • sdgaccounting\.com/mandoc/ml2from2.tar (IP: 64.29.145\.15)
  • skippers-products\.com/Images/ml1.tar (IP: 216.251.32\.98)

 

Second Stage C2

  • stun\.rixtelcom\.se
  • stun\.sip\.telia\.com
  • stun\.puhe.sonera\.com
  • stun\.voipbuster\.com
  • stun.rixtelecom.se
  • stun.sipgate.com
  • stun.ideasip.com
  • 37.59.48\.138
  • 62.71.2\.168
  • 188.165.227\.37
  • 77.72.174\.163
  • 77.72.174\.161
  • 77.72.174\.165
  • 77.72.174\.167
  • 217.10.68\.152
  • 208.97.25\.20

 

Updated Second Stage C2 - JANUARY 16, 2015

  • 109.201.154\.146
  • 176.31.69\.179
  • 178.32.29\.191
  • 178.32.74\.37
  • 178.32.74\.38
  • 178.32.74\.41
  • 195.154.233\.66
  • 195.154.235\.120
  • 195.154.240\.188
  • 195.154.241\.47
  • 195.154.242\.224
  • 195.154.242\.226
  • 202.153.35\.133
  • 212.56.214\.158
  • 37.59.67\.190
  • 46.165.206\.253
  • 46.165.250\.11
  • 78.46.66\.72
  • 85.17.30\.31
  • 85.25.148\.183
  • 85.25.149\.32
  • 91.121.221\.171
  • 91.233.116\.160
  • 94.100.22\.45
  • 95.211.156\.95
  • 95.211.216\.97

 

Please note that the Domain and IP indicators above were observed during our analysis and the list does not represent all network indicators for this campaign.

 

We also noted that the network communication is using a certificate with organization name “internet widgits pty ltd”.

 

Recommendations:

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not open email attachments from unknown or untrusted sources.
  • Limit user account privileges to those required only.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Keep all operating system, applications and essential software up to date to mitigate potential exploitation by attackers.
  • Ensure that systems are hardened with industry-accepted guidelines.
  • Make sure all AV products are up-to-date with their signatures.
  • Implement filters at your email gateway for filtering out emails with subject line “Unpaid invoic”. [Note the typo]

 

REFERENCES:

PhishLabs:

http://blog.phishlabs.com/enhancements-to-dyre-banking-trojan

 

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729