Tuesday, August 16, 2016

Kelihos Botnet sending geo-targeted Desjardins Phish to Canadians

As we mentioned in our blog last week (see: Kelihos botnet sending Panda Zeus to German and UK Banking Customers), the Kelihos botnet is now "geo-targeting" its spam based on the ccTLD portion of the recipient's email address.  Today, recipients whose email address ends in ".ca" are receiving a French-language spam message advertising one of many Desjardins phishing websites:

[Image: the French Desjardins phishing email, shown alongside its Google Translate rendering]
Some of the email subjects being used include:

Subject:  Renouvellement de votre compte Desjardins  (Renewal of your Desjardins account)
Subject:  Solutions en ligne Desjardins  (Desjardins online solutions)
Subject:  Veuillez regulariser votre compte Acces  (Please regularize your Acces account)
Subject:  Desjardins Reactivation  (Desjardins reactivation)
Subject:  Reactivation de votre compte AccesD  (Reactivation of your AccesD account)

Each of these URLs is currently resolving to the IP address


Here is a pictorial walk-through of the phishing website:

We begin by entering a credit card number -- the page rejects anything that does not pass a Luhn (mod 10) check, so the kit is validating input before it bothers to record it:

After entering a Luhn-valid card number, the next page asks the phishing victim for three security questions and their answers:

And lastly, the phishers try to get any and all additional information they can!

Only after the victim enters a password and a number that satisfies the mathematical rules for a Canadian Social Insurance Number (nine digits that pass the same Luhn check) does the phishing site forward the victim to the real Desjardins website!
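The checks the kit applies are the standard Luhn mod-10 algorithm, which both payment card numbers and the nine-digit Canadian SIN use. The following is an added example written for this page, not code recovered from the phishing kit; it reimplements those two checks and includes a helper for producing Luhn-valid dummy values, which an analyst needs in order to walk through a kit like this one without feeding it real data (the length bounds on card numbers are an assumption about what the kit accepts, not something the page states):

```python
"""Luhn (mod 10) validation as applied by card-number and Canadian SIN fields.

Added example for this page; it is not the phishing kit's own code.
"""


def luhn_valid(digits: str) -> bool:
    """True if the all-digit string passes the Luhn mod-10 check."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:           # 10..18 -> sum of digits, i.e. subtract 9
                d -= 9
        total += d
    return total % 10 == 0


def normalize(value: str) -> str:
    """Strip the spaces and dashes people type into card and SIN fields."""
    return "".join(c for c in value if c.isdigit())


def looks_like_card_number(value: str) -> bool:
    """Card-number field check: 13-19 digits (assumed bounds) plus Luhn."""
    d = normalize(value)
    return 13 <= len(d) <= 19 and luhn_valid(d)


def looks_like_sin(value: str) -> bool:
    """Canadian SIN field check: exactly nine digits plus Luhn."""
    d = normalize(value)
    return len(d) == 9 and luhn_valid(d)


def luhn_complete(partial: str) -> str:
    """Append the single check digit that makes `partial` Luhn-valid.

    Useful for generating throwaway values that satisfy a kit's client-side
    validation so the later pages of the phish can be captured.
    """
    if not partial.isdigit():
        raise ValueError("partial must be all digits")
    for c in "0123456789":
        if luhn_valid(partial + c):
            return partial + c
    raise AssertionError("unreachable: exactly one check digit always works")


if __name__ == "__main__":
    # 4111 1111 1111 1111 is the well-known Visa test number; 046 454 286 is
    # the example SIN used in Canadian documentation. Both are public values.
    print(looks_like_card_number("4111 1111 1111 1111"))   # True
    print(looks_like_sin("046 454 286"))                   # True
    print(luhn_complete("411111111111111"))                # 4111111111111111
```

Because the kit validates before it stores, a Luhn-valid but obviously fake number is enough to reach the security-question and SIN pages; entering anything real is never necessary for analysis.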

Beware, Canadian friends!   And let us hope that our shared victimization increases our respective law enforcement agencies' desire to stop this botnet!

Friday, August 12, 2016

Kelihos botnet sending Panda Zeus to German and UK Banking Customers

On August 11th and August 12th the Kelihos botnet was observed sending malware again.  Unlike the ransomware we have seen it send recently (see Kelihos spamming American Airlines Ransomware and Kelihos spamming Dutch Wildfire Ransomware), this time it is sending links to a Word document that drops a variant of Zeus.

One interesting observation about the spam is that it is "geo-targeting" based on the ccTLD of the email recipient.  Max Gannon, a UAB malware researcher in our lab, has added a couple of custom columns to his copy of Wireshark built from the IMF dissector's fields: "imf.to", "imf.from" and "imf.subject".

Now we can do a filter in Wireshark like this:

Filter:  imf.to contains .co.uk

which shows only the messages, and therefore only the subject lines, sent to recipients at .co.uk addresses!

The subjects in this run for .co.uk people were:

Subject: Barclays Personal Banking
Subject: Detected suspicious transaction on your account
Subject: HSBC Personal Banking
Subject: Incomplete transaction
Subject: Locked transaction

(There was also one "The truth about male power" but that's just a counterfeit pharmaceutical website, which is the main thing Kelihos spams when it is not on a special mission!)
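The same recipient-ccTLD grouping can be done offline on a mailbox or a set of messages carved from a pcap. What follows is an added example written for this page, not the lab's tooling: it parses a few constructed IMF (RFC 5322) messages with Python's standard email library, keys each one by the ccTLD-style suffix of the To: address, and collects the subjects per suffix. The addresses and bodies are made up; the subjects are copied from the lists on this page. The rule for treating "co.uk" or "ac.uk" as one suffix is a heuristic of this example, not something from the post:

```python
"""Group spam subjects by the recipient's ccTLD suffix.

Added example for this page; an offline stand-in for the Wireshark
"imf.to contains ..." filter described above.
"""
import email
from collections import defaultdict
from email import policy
from email.utils import getaddresses

# Constructed sample messages. Subjects come from the lists on this page;
# the addresses and bodies are invented.
SAMPLE_MESSAGES = [
    b"From: alerts@example.invalid\r\nTo: alice@example.co.uk\r\n"
    b"Subject: Barclays Personal Banking\r\n\r\nPlease see the report.\r\n",
    b"From: alerts@example.invalid\r\nTo: bob@example.co.uk\r\n"
    b"Subject: HSBC Personal Banking\r\n\r\nPlease see the report.\r\n",
    b"From: info@example.invalid\r\nTo: carl@example.de\r\n"
    b"Subject: Postbank AG\r\n\r\nBitte beachten.\r\n",
    b"From: info@example.invalid\r\nTo: dana@example.de\r\n"
    b"Subject: Wir erwarten die Zahlung\r\n\r\nBitte beachten.\r\n",
    b"From: shop@example.invalid\r\nTo: erin@example.com\r\n"
    b"Subject: Achieve pure fun\r\n\r\nPills.\r\n",
    b"From: lyudmila@example.invalid\r\nTo: fabio@example.it\r\n"
    b"Subject: Hi, come stai?\r\n\r\nScrivimi.\r\n",
]

# Second-level labels that, under a two-letter ccTLD, form the real suffix
# (example.co.uk -> "co.uk"). Heuristic for this example only.
SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov"}


def recipient_suffix(addr: str) -> str:
    """Return the geo-targeting key for an address: 'co.uk', 'de', 'com', ..."""
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    labels = domain.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-2:])
    return labels[-1]


def parse(raw: bytes):
    """Parse one raw IMF message with the modern header-aware policy."""
    return email.message_from_bytes(raw, policy=policy.default)


def group_subjects_by_suffix(raw_messages):
    """Map each recipient suffix to the sorted list of subjects sent to it."""
    groups = defaultdict(set)
    for raw in raw_messages:
        msg = parse(raw)
        subject = str(msg["Subject"] or "")
        for _name, addr in getaddresses(msg.get_all("To", [])):
            if addr:
                groups[recipient_suffix(addr)].add(subject)
    return {suffix: sorted(subjects) for suffix, subjects in groups.items()}


def subjects_to(raw_messages, needle: str):
    """Equivalent of the Wireshark display filter `imf.to contains needle`."""
    hits = []
    for raw in raw_messages:
        msg = parse(raw)
        if needle in str(msg["To"] or ""):
            hits.append(str(msg["Subject"] or ""))
    return hits


if __name__ == "__main__":
    for suffix, subjects in sorted(group_subjects_by_suffix(SAMPLE_MESSAGES).items()):
        print(suffix)
        for s in subjects:
            print("    Subject:", s)
```

On a live capture the same split can be done from the command line with tshark, which exposes the same dissector fields: `tshark -r capture.pcap -Y 'imf.to contains ".co.uk"' -T fields -e imf.to -e imf.subject`.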

Here's an example of the Barclays spam:

And an example of the HSBC spam:

The .de people also got a special German invitation to be infected:

Subject: Bitte beachten Sie in ihre Postbank konto  (Please take note of your Postbank account)
Subject: Geehrter Kunde  (Dear customer)
Subject: Info von ihre Bank  (Info from your bank)
Subject: Inkasso von Anton Weber  (Debt collection from Anton Weber)
Subject: Mahnung abhleichen  (garbled; roughly "reconcile reminder")
Subject: Postbank AG
Subject: Postbank info abteilung  (Postbank info department)
Subject: Rechnung bei Postbank AG  (Invoice at Postbank AG)
Subject: Rechtsanwalt T. Hoffman  (Attorney T. Hoffman)
Subject: Von Ihre Bank  (From your bank)
Subject: Von Postbank  (From Postbank)
Subject: Weitere Mahnung erfolgt in Ihre bank  (Further reminder to follow at your bank)
Subject: Wir erwarten die Zahlung  (We are expecting payment)

(And they also had a few pill-spam subjects, "Win your female partner's addiction", etc.)

Here's one of the PostBank samples:

The malicious URL in each of these emails pointed to the same Word document, hosted on several sites, including:

 www dot 1800cloud dot com / infos / report dot doc
 guestlistalamode.com / bank / report dot doc

VirusTotal hint leads to . . . ZEUS!

A very curious thing when we looked at the file on VirusTotal is that its "EXIF comments" section contains a sizable blob of characters that looked to me like ASCII codes ... so ...

when decoded with a tool that former UAB MS/CFSM student Vicki Carleton built for me 8-) ...

it becomes a URL!

and THAT ... is Zeus! (with an 8 of 55 detection rate at VirusTotal as of this writing...)

The Zeus file, when executed, creates a .bat file, which deletes itself after running . . . and then stops me because it is 5:00 PM and I'm hungry . . .

The rest, as we say in Academia, is left as an exercise for the reader . . .

We'll let others dig into the actual Zeus malware that is dropped next, but for now, we have it on good authority that this is the "Panda Zeus" malware, discovered by Fox-IT back in April and blogged about more recently by Arbor Networks and IBM Security Intelligence.

The other Kelihos spam?

100% of the ".com", ".net", and ".pl"  addresses were pill spam
Subject: Achieve pure fun
Subject: Ancient secret of immeasurable nights of happiness
Subject: Are you ready to amaze your woman this night?
Subject: Big dignity will please your lady
(ok, i'll stop ...)

The only other geo-targeted spam was in Italian and targeted only ".it" email addresses. It seemed to be a romance scam invitation.   (lyudmilafedoji@gmail.com wants me, and a few million other people, to "scrivere" her "su un personal mail", that is, to write to her at a personal email address. :)

Lyudmilafedoji had her own set of subject lines:
Al di mare grande, si sei ora?  (garbled; roughly "By the great sea, are you there now?")
Avete tuo piani per stasera?  (Do you have plans for tonight?)
Buon Pomeriggio, come stai?  (Good afternoon, how are you?)
Buona sera, siamo a conoscenza.  (Good evening, we are acquainted.)
Ciao, come ti nome?  (Hi, what is your name?)
Ciao, scrivimi me.  (Hi, write to me.)
Ciaooo, io ti conosco!  (Hiii, I know you!)
Forse tu sei tu persona che sara felice  (Maybe you are the person who will be happy)
Hi, come stai?  (Hi, how are you?)
Io voglio il vero amore!  (I want true love!)
Io voglio incontrarmi con tuo.  (I want to meet with you.)
and many more . . .
(So for my Italian readers, beware!  She's interested in EVERYONE!)