Wednesday, September 28, 2011

Spamvertised 'Uniform Traffic Ticket' and 'FDIC Notifications' Serving Malware - Historical OSINT

The following intelligence brief will summarize the findings from a brief analysis performed on two malware campaigns from August, namely, the spamvertised Uniform Traffic Tickets and the FDIC Notification.

_Uniform Traffic Tickets

Spamvertised attachments - Ticket-728-2011.zip; Ticket-064-211.zip; Ticket-728-2011.zip

Detection rates:
Ticket.exe - Gen:Trojan.Heur.FU.bqW@aK9ebrii -  Detection rate: 37/43 (86.0%)
MD5   : 6361d4a40485345c18473f3c6b4b6609
SHA1  : 50b09bb2e0044aa139a84c2e445a56f01d70c185
SHA256: ca67a14bfed2a7bc2ac8be9c01cb17d5da12b75320b4bad4fe8d8a6759ad9725

Ticket1.exe - Trojan-Downloader.Win32.Small.ccxz - Detection rate: 36/44 (81.8%)
MD5   : e2a2d67b8a52ae655f92779bec296676
SHA1  : ed3df72b4e073ffba7174ebc8cb77b2b7d012cbf
SHA256: 50b104c5f8314327e03b01e7f7c2535d8de7cd9f73f8e16d1364c7fd021a90cc

Upon execution the samples phone back to:
sdkjgndfjnf.ru/pusk3.exe - 91.220.0.55 (responding to the same IP is also survey-providers.info) - AS51630 - Email: admin@sdkjgndfjnf.ru
rattsillis.com/ftp/g.php - 195.189.226.109; 178.208.77.247; 195.189.226.107; 195.189.226.108 - AS41018 - Email: admin@jokelimo.com
rattsillis.com/pusk3.exe - 195.189.226.109; 178.208.77.247; 195.189.226.107; 195.189.226.108 - AS41018 - Email: admin@jokelimo.com

DNS emulation of ns1.lemanbrostm.info reveals two domains belidiskalom.com - 178.208.76.175 - Email: admin@belidiskalom.com and lemanbrostm.info - Email: coz@yahoo.com using the same name server. 

Known MD5 modifications for pusk3.exe at rattsillis.com:
c6dab856705b5dfd09b2adbe10701b05
f167213c6a79f2313995e80a8ac29939
f4764cce5c3795b1d63a299a5329d2e2
dae9e7653573478a6b41a62f7cb99c12
69c983c9dfaf37e346004c9aaf54a3d0
d875b8e32a231405c7fa96b810e9b361
628270c6e44b0fa21ef8e87c6bc36f57
9b69dabd876e967bcd2eb85465175e3b
0434c084dba8626df980c7974d5728e1

Related binaries and associated MD5 modifications:
rattsillis.com/blood.exe - MD5: 23795cb9b2f5e19eff0df0cf2fba9247; 82b6f18b130a1f0ce1ce928d0980fab0
rattsillis.com/pusk.exe - MD5: 55d8e25bc373a98c5c29284c989953ab; 368c86556e827d898f043a4d5f378fa0; 7411d0d29db91f2625ee36d438eb6ac4; 3ea4e9fd297b3058ebbb360c1581aaac;
rattsillis.com/pusk2.exe - MD5: dae9e7653573478a6b41a62f7cb99c12; b73705c097c9be9779730d801ad098e0; d7952c1e77d7bb250cdfa88e157fb5a8

Known MD5 modifications for pusk3.exe at sdkjgndfjnf.ru: 8672f021e7705b6a8132b7dfc21617cf

sdkjgndfjnf.ru/blood.exe - MD5: 577cf0b7ca3d5bcbe35764024f241fa8; ebf7278a7239378e7d70d426779962ce
sdkjgndfjnf.ru/pusk2.exe - MD5: d9e36e25a3181f574fd5d520cb501d3a
sdkjgndfjnf.ru/pusk.exe - MD5: fce04f7681283207d585561ed91e77b4

sdkjgndfjnf.ru/blood.exe -  MD5: 577cf0b7ca3d5bcbe35764024f241fa8

Detection rate for blood.exe:
blood.exe - Trojan-Spy.Win32.Zbot - 25/44 (56.8%)
MD5   : 577cf0b7ca3d5bcbe35764024f241fa8
SHA1  : 30f542a44d06d9125cdfbdd38d79de778e4c0791
SHA256: 1741ef5d24641ee99b5d78a68109162bebc714c3d19abc37e3d4472f3dcd6f18

_FDIC Notification

Spamvertised attachments: FDIC_Document.zip

Detection rate:FDIC_Document.exe -  Gen:Trojan.Heur.FU.bqW@a45Fklbi - 35/44 (79.5%)
MD5   : 7b5a271c58c6bb18d79cd48353127ff6
SHA1  : 6526b6097df42f93bee25d7ea73f95d2fcc24d3a
SHA256: a09165c71a8dd2a1338b2bd0c92ae07495041ae15592e3432bd50600e6ef2af0

Upon execution phones back to:
rattsillis.com/ftp/g.php
rattsillis.com/blood.exe
rattsillis.com/blood.exe - MD5: 23795cb9b2f5e19eff0df0cf2fba9247; 82b6f18b130a1f0ce1ce928d0980fab0

What's particularly interesting is the fact that both campaigns have been launched by the same cybercriminal, with the same C&C - rattsillis.com also seen in the spamvertised ACH Payment Canceled campaign.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Sunday, September 11, 2011

Summarizing 3 Years of Research Into Cyber Jihad

On this very special day, I'd like to honor the fallen by summarizing my research into cyber jihad, a topic I'm still highly passionate about. Enjoy and share it with your social circle!
  1. Tracking Down Internet Terrorist Propaganda
  2. Arabic Extremist Group Forum Messages' Characteristics
  3. Cyber Terrorism Communications and Propaganda
  4. A Cost-Benefit Analysis of Cyber Terrorism
  5. Current State of Internet Jihad
  6. Analysis of the Technical Mujahid - Issue One
  7. Full List of Hezbollah's Internet Sites
  8. Steganography and Cyber Terrorism Communications
  9. Hezbollah's DNS Service Providers from 1998 to 2006
  10. Mujahideen Secrets Encryption Tool
  11. Analyses of Cyber Jihadist Forums and Blogs
  12. Cyber Traps for Wannabe Jihadists
  13. Inshallahshaheed - Come Out, Come Out Wherever You Are
  14. GIMF Switching Blogs
  15. GIMF Now Permanently Shut Down
  16. GIMF - "We Will Remain"
  17. Wisdom of the Anti Cyber Jihadist Crowd
  18. Cyber Jihadist Blogs Switching Locations Again
  19. Electronic Jihad v3.0 - What Cyber Jihad Isn't
  20. Electronic Jihad's Targets List
  21. Teaching Cyber Jihadists How to Hack
  22. A Botnet of Infected Terrorists?
  23. Infecting Terrorist Suspects with Malware
  24. The Dark Web and Cyber Jihad
  25. Cyber Jihadist Hacking Teams
  26. Two Cyber Jihadist Blogs Now Offline
  27. Characteristics of Islamist Websites
  28. Cyber Traps for Wannabe Jihadists
  29. Mujahideen Secrets Encryption Tool
  30. An Analysis of the Technical Mujahid - Issue Two
  31. Terrorist Groups' Brand Identities
  32. A List of Terrorists' Blogs
  33. Jihadists' Anonymous Internet Surfing Preferences
  34. Sampling Jihadists' IPs
  35. Cyber Jihadists' and TOR
  36. A Cyber Jihadist DoS Tool
  37. GIMF Now Permanently Shut Down
  38. Mujahideen Secrets 2 Encryption Tool Released
  39. Terror on the Internet - Conflict of Interest
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.