The criminals behind the malware delivery system for GameOver Zeus have a new trick: encrypting their EXE file so that, as it passes through your firewall, web filters, network intrusion detection systems and any other defenses you may have in place, it does so as a non-executable ".ENC" file. If you are in charge of network security for your enterprise, you may want to check your logs to see how many .ENC files have been downloaded recently.
Malcovery Security's malware analyst Brendan Griffin let me know about this new behavior on January 27, 2014, and has seen it consistently since that time.
On February 1st, I reviewed the reports that Malcovery's team produced and decided that this was a trend we needed to share more broadly than just to the subscribers of our "Today's Top Threat" reports. Subscribers would have been alerted to each of these campaigns, often within minutes of the beginning of the campaign. We sent copies of all the malware below to dozens of security researchers and to law enforcement. We also made sure that we had uploaded all of these files to VirusTotal which is a great way to let "the industry" know about new malware.
To review the process, Cutwail is a spamming botnet that since early fall 2013 has primarily been distributing UPATRE malware via social engineering. The spam message is designed to convince the recipient that it would be appropriate to open the attached .zip file. These .zip files contain a small .exe file whose primary job is to go out to the Internet and download larger, more sophisticated malware that would never pass through spam filters without causing alarm, but that, because of the way our perimeter security works, is often allowed to be downloaded by a logged-in user from their workstation.
As our industry became better at detecting these downloads, the criminals had a slightly more difficult time infecting people. With the change last week, the detection rate for the GameOver Zeus downloads has consistently been ZERO of FIFTY at VirusTotal. (For example, here is the "Ring Central" .enc file from Friday on VirusTotal -- al3101.enc. Note the timestamp. That was a rescan MORE THAN TWENTY-FOUR HOURS AFTER INITIAL DISTRIBUTION, and it still says 0 of 50.) Why? Well, because technically the file isn't an executable. It cannot run on its own! All Windows EXE files start with the bytes "MZ". These files start with "ZZP". They aren't executable, so how could they be malware? Except they are: the .enc file is the GameOver Zeus executable, encoded so that nothing on the network path recognizes it as one.
In the new delivery model, the .zip file attached to the email carries a NEW version of UPATRE that first downloads the .enc file from the Internet, then DECRYPTS it, writing the result to a new location under a new filename, and then both executes it and schedules it to execute again in the future.
I am grateful to William MacArthur of GoDaddy, Brett Stone-Gross of Dell SecureWorks, and Boldizsár Bencsáth from CrySyS Lab in Hungary, three researchers who jumped in to help look at this with us. Hopefully others will share insights as well, so this will be an on-going conversation. (UPDATE: Boldizsár has published details of how the encoding works -- the file is first compressed and then XOR'ed with a 32-bit key. Upatre reverses the process to create the .exe file.)
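Added example, not the post's own code and not the CrySyS decoder: a Python model of the scheme described in the update above, with the payload compressed, then XOR'ed with a repeating 32-bit key, and prefixed with the "ZZP" bytes the post observed, together with the checks an analyst runs on whatever the decode step produces. Everything beyond "compress, XOR with a 32-bit key, ZZP in front" is an assumption for the demo: zlib stands in for whichever compression Upatre actually uses, the key is made up, and the layout after the marker is invented, so this will not decode a real .enc file. It does show why the blob is invisible to a scanner that keys on executable headers, and how a wrong key fails.

```python
"""
Added example, not from the original post or from the CrySyS analysis:
a model of the .enc scheme (compress, XOR with a repeating 32-bit key,
"ZZP" marker in front) and the checks to run on whatever comes out.

Assumptions for the demo, not facts from the page: zlib stands in for the
unspecified compression; the key is made up; the byte layout after "ZZP"
is invented.  This will not decode a real Upatre .enc file.
"""
import struct
import zlib

ENC_MAGIC = b"ZZP"   # the post: these .enc files start with "ZZP"
PE_MAGIC = b"MZ"     # the post: all Windows EXE files start with "MZ"


def xor32(data: bytes, key: int) -> bytes:
    """XOR with a repeating little-endian 32-bit key; its own inverse."""
    kb = struct.pack("<I", key)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))


def enc_pack(pe_bytes: bytes, key: int) -> bytes:
    """Dropper side of the model: compress, XOR, prepend the marker."""
    return ENC_MAGIC + xor32(zlib.compress(pe_bytes), key)


def enc_unpack(enc_bytes: bytes, key: int) -> bytes:
    """Upatre side of the model: strip marker, XOR, decompress."""
    if not enc_bytes.startswith(ENC_MAGIC):
        raise ValueError("missing ZZP marker")
    return zlib.decompress(xor32(enc_bytes[len(ENC_MAGIC):], key))


def try_key(enc_bytes: bytes, key: int):
    """Decoded bytes if the key yields a valid stream that starts with MZ, else None.
    A wrong key corrupts the compressed stream's header, so it fails fast."""
    try:
        out = enc_unpack(enc_bytes, key)
    except (zlib.error, ValueError):
        return None
    return out if out.startswith(PE_MAGIC) else None


def classify(blob: bytes) -> str:
    """What a scanner keying on the first bytes concludes about a blob."""
    if blob.startswith(PE_MAGIC):
        return "pe"
    if blob.startswith(ENC_MAGIC):
        return "upatre-enc"
    return "unknown"


def looks_like_pe(blob: bytes) -> bool:
    """Stronger than two magic bytes: e_lfanew (offset 0x3C) must point at 'PE\\0\\0'."""
    if len(blob) < 0x40 or not blob.startswith(PE_MAGIC):
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def make_fake_pe(body: bytes = b"\x90" * 64) -> bytes:
    """Constructed stand-in for the decrypted GameOver Zeus .exe: only the DOS
    header's MZ bytes, a valid e_lfanew, and the PE signature are real."""
    hdr = bytearray(0x40)
    hdr[0:2] = PE_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + body


def demo(key: int = 0x1337C0DE) -> dict:
    """Round trip: the .enc blob is not a PE, the decoded output is."""
    pe = make_fake_pe()
    enc = enc_pack(pe, key)
    dec = try_key(enc, key)
    return {
        "enc_class": classify(enc),
        "enc_is_pe": looks_like_pe(enc),
        "decoded_is_pe": dec is not None and looks_like_pe(dec),
        "roundtrip": dec == pe,
        "wrong_key_fails": try_key(enc, key ^ 1) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The `looks_like_pe` check matters more than the "MZ" test alone: once a sample has been decoded with a candidate key, a valid `e_lfanew` pointing at the `PE\0\0` signature is the cheap confirmation that the output is a real executable and not a lucky two-byte match.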
UPATRE campaigns that use Encryption to Bypass Security
Here are the campaigns we saw this week, with the hashes and sizes for the .zip, the UPATRE .exe, the .enc file, and the decrypted GameOver Zeus .exe that was produced from it. For each campaign, you will see some information about the spam message, then the .zip file that was attached with its size and MD5 hash, and the .exe file that was unpacked from that .zip with its size and MD5. Then you will see a screenshot of the email message, followed by the URL the encrypted GameOver Zeus file was downloaded from with the .enc file's size and MD5, and the size and MD5 of the same file AFTER it was decrypted. Where a URL is marked OFFLINE, the site was no longer serving the file when we tried to retrieve it, so no size or hash is available for it or for its decrypted form.
ALL OF THESE SPAM CAMPAIGNS ARE RELATED TO EACH OTHER! They are all being distributed by the criminals behind the Cutwail malware delivery infrastructure. It is likely that many different criminals are paying to use this infrastructure.
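For anyone taking up the suggestion to check logs, here is an added example (not from the original post) of a first-pass hunt in Python over web-proxy logs. It uses only two signals the post supports: a URL path ending in .enc, in any letter case, and a download host that appears in the campaign table below. The log format and the six log lines are constructed for the demo, with two real download URLs from the table and one made-up compromised site under the reserved .example TLD; the parser will need adapting to your proxy's format.

```python
"""
Added example, not part of the original post: first-pass hunt for Upatre
.enc downloads in web proxy logs.

Signals (both taken from the post):
  1. URL path ends in ".enc" (any case: the post writes it as ".ENC" too)
  2. download host appears in the campaign table

The log format and the sample lines below are constructed for the demo.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Subset of the .enc download hosts listed in the campaign table.
IOC_HOSTS = {
    "electriciansdublinireland.com",
    "all-monitor.com",
    "afrolatinotala.com",
    "almotawer.biz",
    "ren7oaks.co.uk",
    "aim2go.com",
}

# Constructed format: "<ISO time> <client IP> <method> <url> <status> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample: two real download URLs from the table, one made-up
# compromised site (.example TLD), and ordinary traffic for contrast.
SAMPLE_LOG = """\
2014-01-31T14:02:11Z 10.1.2.33 GET http://aim2go.com/WEB-INF/al3101.enc 200 329132
2014-01-31T14:02:19Z 10.1.2.33 GET http://www.example.com/index.html 200 5120
2014-01-31T14:05:40Z 10.1.2.71 GET http://cdn.example.net/static/app.js 200 88213
2014-01-31T14:06:02Z 10.1.2.71 GET http://compromised-site.example/images/pdf.ENC 200 282448
2014-01-31T14:09:55Z 10.1.2.90 GET http://all-monitor.com/images/ 404 512
2014-01-31T14:10:03Z 10.1.2.90 GET http://all-monitor.com/images/pdf.enc 200 282449
"""


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def assess(rec: dict) -> list:
    """Return the reasons a request is suspicious; an empty list means clean."""
    parts = urlsplit(rec["url"])
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.path.lower().endswith(".enc"):
        reasons.append("enc-download")
    if host in IOC_HOSTS:
        reasons.append("known-upatre-host")
    return reasons


def hunt(log_text: str) -> list:
    """All records that trip at least one signal, with the reasons attached."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            findings.append({**rec, "bytes": int(rec["bytes"]), "reasons": reasons})
    return findings


def clients_to_isolate(findings: list) -> dict:
    """Clients whose .enc fetch succeeded (2xx): Upatre on that workstation now
    has the payload, and decryption and execution are its next step."""
    out = defaultdict(list)
    for f in findings:
        if "enc-download" in f["reasons"] and f["status"].startswith("2"):
            out[f["client"]].append(f["url"])
    return dict(out)


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["client"], h["status"], h["url"], ",".join(h["reasons"]))
    print("isolate:", clients_to_isolate(hits))
```

A request to a listed host that returned 404 is still worth a look (it is the Upatre stage reaching out and finding the file already removed), but the clients that got a 2xx on an .enc fetch are the ones to pull off the network first.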
Campaign: 2014-01-27.ADP | Messages Seen: 2606 | Subject: Invoice #(RND) |
From: ADP - Payroll Services | payroll.invoices@adp.com | Invoice.zip | 9767 bytes | b624601794380b2bee0769e09056769c |
Invoice.PDF.exe | 18944 bytes | 8d3bf40cfbcf03ed13f0a900726170b3 |
[screenshot of the spam message]
dcmsservices.com/images/stories/slides/pdf.enc | OFFLINE bytes | OFFLINE |
decrypted | OFFLINE | OFFLINE |
electriciansdublinireland.com/wp-content/uploads/2014/01/pdf.enc | 287920 bytes | 09ced08856101f86c02890f4373623a4 |
decrypted | 338432 bytes | b63415efcc70974269bd9d8da10b3ac1 |
Campaign: 2014-01-27.BBB | Messages Seen: 776 | Subject: FW: Complaint Case (RND) |
From: Better Business Bureau | (Random)@newyork.bbb.org | Case 463252349343.zip | 9762 bytes | 1ed259d9e7474cfe56df485be479ea97 |
Case 463252349343.exe | 18944 bytes | 809ae1af04ab921aa60efeb7083d21d7 |
[screenshot of the spam message]
sigmau.co.uk/templates/hot_spicy/images/glass/pdf.enc | OFFLINE bytes | OFFLINE |
decrypted | OFFLINE | OFFLINE |
skipbagsdublin.com/wp-content/uploads/2014/01/pdf.enc | OFFLINE bytes | OFFLINE |
decrypted | OFFLINE | OFFLINE |
Campaign: 2014-01-27.HMRC | Messages Seen: 302 | Subject: Important Information for Employers |
From: HMRC Employer Alerts & Registrations | employers@alerts.hmrc.gov.uk | Employer_Bulletin_Issue_46_79520EEE31.zip | 7218 bytes | 413cda07e774a5ed7f98279dd9e8a087 |
Employer_Bulletin_Issue_46_79520EEE31.exe | 17920 bytes | 2616babcdf0c5b9086ff63fa6682fe07 |
[screenshot of the spam message]
all-monitor.com/images/pdf.enc | 282449 bytes | 9d1b8f296b5bfb0f4817c2aacb8815a3 |
decrypted | 289280 bytes | fa4d35b63a8485bc7c0b167ca9358b76 |
Campaign: 2014-01-27.HSBC | Messages Seen: 404 | Subject: FW: Payment Advice - Advice Ref:[GB(RND)] / ACH credits / Customer Ref:[pay run 14/11/13] |
From: HSBC Advising Service | advising.service.(RND).(RND).(RND)@mail.hsbcnet.hsbc.com | PaymentAdvice.zip | 7162 bytes | c17396cddadf201f83074615824240c0 |
PaymentAdvice.exe | 17920 bytes | e0595c4f17056e5599b89f1f9cf52d83 |
[screenshot of the spam message]
afrolatinotala.com/images/pdf.enc | 282448 bytes | 414755f65ebbaf52669aaab649b3f274 |
decrypted | 289280 bytes | 5a393b283f42edd17c7da2625b8e1045 |
Campaign: 2014-01-27.Skype | Messages Seen: 275 | Subject: Skype Missed voice message |
From: Administrator | docs(#)@(many) | Skype-message.zip | 10147 bytes | 79fb2e523fe515a6dac229b236f796ff |
Voice_Mail_Message.exe | 18944 bytes | 6e4857c995699c58d9e7b97bff6e3ee6 |
[screenshot of the spam message]
rockthecasbah.eu/templates/beez/css/wav.enc | OFFLINE bytes | OFFLINE |
decrypted | OFFLINE | OFFLINE |
Campaign: 2014-01-27.VoiceMessage | Messages Seen: 271 | Subject: Voice Message from Unknown |
From: Administrator | docs(#)@(many) | VoiceMessage.zip | 7273 bytes | d2070f6a15312dec7882ca0d9ec7f431 |
VoiceMessage.exe | 17920 bytes | 8a739776cf8316eba1bfae50e020c8f1 |
[screenshot of the spam message]
akhrisawal.com/images/marquee/wav.enc | 282448 bytes | 73c811d0794de15906225d7d936fc6b7 |
decrypted | 289280 bytes | 2b0db77ac980be10b9ef4562269d8db4 |
ayeshaomar.com/images/host/wav.enc | 282446 bytes | 1d30d5fe55585d24cd15ef97afb7322c |
decrypted | 289280 bytes | b993b4cb332b979d6f8509f5765abfd4 |
Campaign: 2014-01-28.DeptTreasury | Messages Seen: 223 | Subject: Department of Treasury Notice of Outstanding Obligation - Case (RND) |
From: | support@salesforce.com | FMS-Case-(RND).zip | 9462 bytes | 067617d990a861f87304bb08b6628524 |
FMS-.exe | 18944 bytes | 40afe219c14a0a5f3a4ddd6c8e39bc23 |
[screenshot of the spam message]
almotawer.biz/img/pdf.enc | 328025 bytes | 41d57ca4b8705247186e2f30d911d811 |
decrypted | 387584 bytes | 7178a455ee9a0d6e42465ad9967a177a |
imagevillage.co.uk/images/pdf.enc | 328025 bytes | 41d57ca4b8705247186e2f30d911d811 |
decrypted | 387584 bytes | 7178a455ee9a0d6e42465ad9967a177a |
Campaign: 2014-01-28.IRS | Messages Seen: 192 | Subject: Complaint Case (RND) |
From: IRS.gov | fraud.dep@irs.gov | Complaint_RND.zip | 7240 bytes | f20768ed9f771a92950a5f5ab14bf57f |
Complaint_.exe | 17408 bytes | 8163d272c4975b1d7ed578b4d24b3d2a |
[screenshot of the spam message]
farmyarddog.co.uk/images/pdf.enc | 282486 bytes | 97b200826b7a526d91fda4c56dc438ae |
decrypted | 289276 bytes | 542a5a6f04ddcad3effc72121c59e332 |
hamdanicoffee.com/up/pdf.enc | 282486 bytes | 97b200826b7a526d91fda4c56dc438ae |
decrypted | 289276 bytes | 542a5a6f04ddcad3effc72121c59e332 |
Campaign: 2014-01-28.NewVoiceMessage | Messages Seen: 165 | Subject: New Voice Message |
From: Voice Mail | (RND)@(reflective) | VoiceMail.zip | 6502 bytes | 2a048dfb3429155d552cb0c37b499b51 |
VoiceMail.exe | 17920 bytes | dc2e2f04a01009f3193b0df4ba0f6e81 |
[screenshot of the spam message]
hailantrdg.com/scripts/wav.enc | 282489 bytes | 11a55dd1a756dbba6e7d404a7c22544a |
decrypted | 289280 bytes | cae9c9614affac694320215228efcf27 |
morethanshelters.co.uk/images/banners/wav.enc | 282489 bytes | 11a55dd1a756dbba6e7d404a7c22544a |
decrypted | 289280 bytes | cae9c9614affac694320215228efcf27 |
Campaign: 2014-01-28.RingCentral | Messages Seen: 7720 | Subject: New Fax Message on 1/22/2013 |
From: RND | RND@RND | fax.zip | 9929 bytes | afa90762f6412173cf6e0e6d1d57531d |
fax.doc.exe | 18944 bytes | 81e425646f68d3adaddca0cf398f595f |
[screenshot of the spam message]
ren7oaks.co.uk/images/al2701.enc | 441073 bytes | f626ad2af056644ff4717e1cd80c6da3 |
decrypted | 484352 bytes | c7c4a875b90c86136e497af8ffc9a9e0 |
salahicorp.com/up/al2701.enc | 441073 bytes | f626ad2af056644ff4717e1cd80c6da3 |
decrypted | 484352 bytes | c7c4a875b90c86136e497af8ffc9a9e0 |
Campaign: 2014-01-28.WhatsApp | Messages Seen: 767 | Subject: Missed voice message, "(timestamp)" |
From: WhatsApp Messenger | ctaylor@magma.net | Missed-message.zip | 6492 bytes | 494d6095b540dbc9f570e22b717a32df |
Missed-message.exe | 17920 bytes | a4c01917b7d48aa7c1c9a2619acb5453 |
[screenshot of the spam message]
inspireplus.org.uk/images/banners/wav.enc | 282491 bytes | 33070eda34ccea632c3b4007a1e2beee |
decrypted | 289268 bytes | dc5b998fd7a6f29ebac6365654d57609 |
zubayen.com/up/wav.enc | 282491 bytes | 33070eda34ccea632c3b4007a1e2beee |
decrypted | 289268 bytes | dc5b998fd7a6f29ebac6365654d57609 |
Campaign: 2014-01-28.Skype | Messages Seen: 574 | Subject: Skype Missed voice message |
From: Administrator | docs(#)@(many) | Skype-message.zip | 9163 bytes | dfa3db3c14ae1e369a4a9df6cb82832f |
Skype-message.exe | 18944 bytes | ab703881cb4b3fbd5ee13df30b7bb8d7 |
[screenshot of the spam message]
Campaign: 2014-01-29.RingCentral1 | Messages Seen: 3811 | Subject: New Fax Message on 1/29/2013 |
From: RND | RND@*.ru | fax.zip | 9473 bytes | 0842e4bcc8af1f0d54519a99834be218 |
fax.pdf.exe | 18432 bytes | d309df26dd91294dc4acd5fb78aa98f5 |
[screenshot of the spam message]
Campaign: 2014-01-29.RingCentral1 | Messages Seen: 2887 | Subject: New Fax Message on 1/22/2013 |
From: RND | RND@RND | fax.zip | 9929 bytes | afa90762f6412173cf6e0e6d1d57531d |
fax.pdf.exe | 19968 bytes | 5db38bd493ef2f9b35bb0015822b493d |
[screenshot of the spam message]
Campaign: 2014-01-29.RingCentral1 | Messages Seen: 2353 | Subject: New Fax Message on 1/29/2013 |
From: RND | RND@*.ru | fax.zip | 9994 bytes | 2d65747503e7b251ad597a650f352f4e |
fax.doc.exe | 18944 bytes | 81e425646f68d3adaddca0cf398f595f |
[screenshot of the spam message]
internetauctions.ca/img/apps/al2901.enc | OFFLINE bytes | OFFLINE |
decrypted | OFFLINE | OFFLINE |
Campaign: 2014-01-29.eFax | Messages Seen: 1016 | Subject: Fax transmission: (RND-RND-RND-RND).zip |
From: eFax Corporate | message@inbound.efax.com | (RND-RND-RND-RND).zip | 9628 bytes | 9f2613dabe2a89ac21e9b55b6df51ebc |
{fax num123}.exe | 17920 bytes | 89f45f68a0568996a6a109a1d04b6670 |
[screenshot of the spam message]
amy-escort.com/amy/pdf.enc | 281970 bytes | 42dda6f13b2c8df96321570e1fa84fe8 |
decrypted | 289785 bytes | ee038bdd137f518614599275add5b9bb |
pakmailbarrie.com/images/banners/pdf.enc | OFFLINE bytes | OFFLINE |
decrypted | OFFLINE | OFFLINE |
Campaign: 2014-01-29.LloydsTSB | Messages Seen: 551 | Subject: January Spending |
From: RND | RND@lloydstsb.com | January.zip | 9586 bytes | ea42b883dab711810243e8f138438733 |
January.exe | 17920 bytes | c28d9a0b3b2643a01fd3f3250a39a511 |
[screenshot of the spam message]
airconexpress.com.au/images/deac/pdf.enc | 281971 bytes | 9c790bfd6def569362483192d6e1b9ba |
decrypted | 289800 bytes | 82dd0f87007fc0149183e1de8f0913f2 |
numantis.com/images/banners/pdf.enc | OFFLINE bytes | OFFLINE |
decrypted | OFFLINE | OFFLINE |
Campaign: | Messages Seen: 166 | Subject: Voice Message from Unknown |
From: Administrator | docs(#)@(many) | Message.zip | 8748 bytes | ff2c3e6b875803945b320e438304f506 |
VoiceMessage.exe | 17920 bytes | 13d6046c575abe9c3072067135a57996 |
[screenshot of the spam message]
Campaign: 2014-01-30.BanquePopulaire | Messages Seen: 259 | Subject: Numero de cas: RND |
From: Banquepopulaire.fr | response-automatique@banquepopulaire.fr | Cas_RND.zip | 9476 bytes | a21cd2697687ae6eb1b15175a8fb0ae2 |
Cas_01302014.exe | 17920 bytes | 968779b34f063af0492c50dd4b6c8f30 |
[screenshot of the spam message]
doradoresources.com/images/ie6/pdf.enc | 282033 bytes | 8cce7406f943daa81ef31411247491d3 |
decrypted | 300544 bytes | 092eb58dce516414908ecf6f3156372a |
sportsstoreonline.in/wp-content/uploads/2013/03/pdf.enc | OFFLINE bytes | OFFLINE |
decrypted | OFFLINE | OFFLINE |
Campaign: 2014-01-30.Remit | Messages Seen: 206 | Subject: FW: Last Month Remit |
From: Administrator | docs(#)@reflective | Remit.(domain).zip | 9465 bytes | 145d3da149cc8fa3bef38af648713fb6 |
Remit.exe | 17920 bytes | 84a6030c8265b33c3c4e68d29975bd76 |
[screenshot of the spam message]
excelbizsolutions.com/templates/pdf.enc | 282036 bytes | 5c7d5797e1f46c29dd9c7a9976d9d359 |
decrypted | 299008 bytes | aaf1097da1e50b7fd8d8c5e1a95acd80 |
poragdas.com/images/Porag/pdf.enc | 282036 bytes | 5c7d5797e1f46c29dd9c7a9976d9d359 |
decrypted | 299008 bytes | aaf1097da1e50b7fd8d8c5e1a95acd80 |
Campaign: 2014-01-30.Skype | Messages Seen: 42 | Subject: Skype Missed voice message |
From: Administrator | docs(#)@reflective | Missed voice message.zip | 9336 bytes | 40453639a6fbd58b1d30099666ad32a |
Missed voice message.exe | 18944 bytes | 30e5d9d4d7da572fdef6f7253950a53c |
[screenshot of the spam message]
aatextiles.com/images/gallery/wav.enc | 328784 bytes | 75a9d6fd9fe34a4ff737c987938a8f6c |
decrypted | 386048 bytes | f2bef403482c4dd70bd4e1be1fd4af8f |
profitera.com/img/newsletter/auto/wav.enc | 328784 bytes | 75a9d6fd9fe34a4ff737c987938a8f6c |
decrypted | 386048 bytes | f2bef403482c4dd70bd4e1be1fd4af8f |
Campaign: 2014-01-30.AssortedFax | Messages Seen: 2410 | Subject: Corporate eFax message from (RND) jConnect fax from (RND) - (RND) pages, Caller_ID (RND) |
From: eFax Corporate jConnect Dun & Bradstreet | message / case.alert@inbound.j2.com dnb.com inbound.efax.com | FAX_001_RND.zip | 10293 bytes | 18b72825aecde011bdc92c1526491571 |
FAX_001_20143001_814.exe | 18944 bytes | 915fdc8403b26bac79801fa1a341495d |
[screenshot of the spam message]
(These three sender themes, eFax Corporate, jConnect and Dun & Bradstreet, all use the same binaries)
Campaign: | Messages Seen: 1627 | Subject: New Fax Message on 01/29/2013 |
From: RND | RND@*.ru | fax.zip | 10095 bytes | 8627ce01daaebc35610d05cdbdbde612 |
fax.pdf.exe | 18432 bytes | 465c2656c07ab05e9349920f53dd0deb |
[screenshot of the spam message]
Campaign: 2014-01-30.LaPoste | Messages Seen: 101 | Subject: Scan de (RND) |
From: LaPoste | reponse-automatique@laposte.net | Scan_RND_RND_RND.zip | 9494 bytes | daaf11e91c3cc3506042d633373aabd3 |
Scan_301_30012014_001.exe | 17920 bytes | 968779b34f063af0492c50dd4b6c8f30 |
[screenshot of the spam message]
Campaign: 2014-01-30.Staples | Messages Seen: 245 | Subject: Your order is awaiting verification! |
From: Staples Advantage Orders | Order@staplesadvantage.com | Order_RND.zip | 9465 bytes | e669d0ff0238ed2f3601c01f1a532728 |
Order.exe | 17920 bytes | 84a6030c8265b33c3c4e68d29975bd76 |
[screenshot of the spam message]
Campaign: 2014-01-31.RingCentral1 | Messages Seen: 3488 | Subject: New Fax Message on 01/29/2014 |
From: RND | RND@*.ru | fax.zip | 9815 bytes | d373a3e96519612896facb6f18e89785 |
fax.pdf.exe | 19968 bytes | 9a836550c9e74a46076a7292fb0d4ab1 |
[screenshot of the spam message]
aim2go.com/WEB-INF/al3101.enc | 329132 bytes | ded1b7f7ea934faf84a8dcc5011316cd |
decrypted | 390144 bytes | f07d3afab1eb150e8a315596b5fb23f9 |
bandwagondesign.com/scripts/al3101.enc | 329132 bytes | ded1b7f7ea934faf84a8dcc5011316cd |
decrypted | 390144 bytes | f07d3afab1eb150e8a315596b5fb23f9 |