Friday, November 29, 2013

WellsFargo spam serving infostealing malware



Not that new, but still noteworthy the spammers seem to be abusing WelssFargo (an American bank) as trusted sender. This is simple mail spoofing.


                                                Mail from "Georgina Franks"

Some example senders (where it seems to come from):
Evelyn_Piper@wellsfargo.com
Georgina_Franks@wellsfargo.com
Noe_Zavala@wellsfargo.com

As far as I could find, these email addresses do not even exist.

The mail itself is actually coming from the Pushdo botnet. Example IPs:

173.167.205.149 - IPVoid Result
209.181.66.178 - IPVoid Result

All the links in the mail are legit, this to convince you that the attachment will be legit as well. When opening the ZIP file (which is named WellsFargo.yourmailprefix) , you're presented with a what-looks-like a PDF file, but is in fact an EXE file:



MD5: 47e739106c24fbf52ed3b8fd01dc3668
VirusTotal Report
Anubis Report
Malwr Report


This malware is known as Fareit (or Tepfer). According to Microsoft:

Win32/Fareit is a multiple component malware family that consists of a password stealing component, PWS:Win32/Fareit, that steals sensitive information from the affected user's computer and sends it to a remote attacker, and a Distributed Denial of Service (DDoS) component, DDoS:Win32/Fareit.gen!A, that may be commanded to perform flooding attacks against other servers.


When executing the file it looks for quite a lot of data to steal, as well to phone home to update its configuration files and download additional malware (Zeus).Below you can find an image on the data (information) it tries to steal:



                                        List of programs it tries to extract username/password from

So besides all this, it additionally downloads Zeus (the payload), which tries to steal banking credentials and others... If you'd think Fareit is enough, guess again! There's a good image made by the FBI how the Zeus 'scheme' or malware works:

                                                             Cyber Theft Ring details

The downloaded Zeus files are all having a very low detection rate on VirusTotal. Hint:
check out the VirusTotal report from the sample above and click on the tab "Behavioural Information". Note the links are live!

Conclusion

Don't open any attachment(s) of unknown senders. In fact, don't even open mail from unknown senders.
Don't be fooled by mail spoofing, you can view the real source by right-clicking your mail and choosing "View Source". (This depends on your mailclient though.)
Don't be fooled by the fancy icons, they are actually EXE files. You can enable an option in Windows so you're always sure of the filetype being used:Enable Viewing of Filename Extensions for Known File Types
Install an antivirus and antimalware product and keep it up-to-date & running.
If you're in an organisation, you might want to block the following IPs (quite a long list):

173.255.213.171
5.199.171.133
50.141.158.229
62.149.131.162
62.149.131.162
69.115.119.227
69.128.126.198
76.226.112.216
76.226.112.216
78.140.131.151
82.211.180.109
89.122.155.200
90.156.118.144
95.241.244.184
107.193.222.108
107.211.213.205
108.233.198.131
108.240.232.212
116.202.222.102
142.136.161.103
173.255.213.171
188.217.207.224
198.118.112.110
211.209.241.213
212.182.121.226
108.254.22.166
108.74.172.39
112.78.142.66
122.178.149.88
173.194.67.105
173.194.67.94
173.201.59.32
173.201.59.32
173.254.68.134
173.254.68.134
178.40.101.100
181.67.50.91
182.68.130.230
184.80.8.18
187.153.52.160
189.254.111.2
190.153.51.122
190.21.64.25
199.30.90.80
199.7.177.218
2.180.24.120
2.230.133.66
200.180.176.65
201.122.96.80
201.245.14.237
201.245.14.237
207.204.5.170
207.204.5.170
216.227.73.207
24.115.24.89
24.120.165.58
41.34.11.17
64.4.10.33:123
65.131.15.62
66.63.204.26
68.162.220.34
69.26.171.181
69.77.132.197
69.92.6.139
71.43.167.82
74.120.9.245
74.125.24.105
74.125.24.94
74.240.17.144
78.100.36.98
78.152.96.70
79.29.227.158
79.52.113.31
81.111.62.181
83.172.126.39
84.59.129.23
84.59.138.75
85.100.41.9
87.29.153.193
87.66.14.62
87.66.14.62
90.189.54.253
91.236.245.22
94.67.83.244
94.67.83.244
95.101.0.104
95.249.114.32
98.103.34.226
98.67.162.178
99.159.193.22
99.36.163.147
99.48.126.246
99.5.234.38
99.98.209.3
Note that these are IPs the malware communicates to. In most cases, they are harmful, but keep in mind some IPs might be legit, as the malware authors want to test for connectivity by connecting to Google for example. So, if you plan to block on IP, be sure to cross-check on IPvoid or DomainTools.

Stay safe.


No comments:

Post a Comment