I have received something a bit weird and wonderful this Saturday morning. I can’t quite work out what malware it is supposed to deliver. I can’t get anything & Anyrun fails using a 32 bit VM. (A subsequent run using a W10 64 bit VM and setting it to MITM did give the complete chain, but I still don’t know what it actually is. It looks like some sort of keylogger.)
I saw a similar campaign spoofing well known delivery companies back in March 2018, where it was discovered that the delivery chain was being called “Snatchloader”, which was delivering the Ramnit banking Trojan at that time.
It all starts with an email pretending to be a delivery notification with the subject of “none, Important notice about your package DSAF598011” [probably randomly numbered] coming from email@example.com, with a link that will download a zip file containing an image and a shortcut link file, which contacts a long chain of sites to eventually download a binary.
They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.
It looks like the bad actors have messed up slightly while sending the emails because they have not used a correct recipient’s details in the email & instead have inserted the word “none” which should flag it to anybody receiving it.
The delivery chain in contrast is very well done & very difficult to follow.
We start with the link in the email
https://nuestradelsol.com/customer-area/pack-DSAF598011, which delivers a zip file pack-DSAF598011.zip. This extracts to an image file and a shortcut link file pack-DSAF598011.lnk. Current VirusTotal detections | Anyrun App W7 32 bit | Anyrun App W10 64 bit using MITM
Once extracted and run, the link file contacts https://tripfod.com/aret/now.ps1, which in turn contacts https://rebomcap.eu/sload/2.0/p2.ps1, which contacts https://rebomcap.eu/sload/2.0/hostp1.txt, which contacts one of these 3 sites: https://rebomcap.eu/sload/, https://leasviller.eu/sload/, https://xanderfar.eu/sload/, and downloads https://rebomcap.eu/sload/documents/update.txt (which is an encrypted certificate that gets decoded to a working .exe file). VirusTotal
It looks like loads of screenshots and data are sent to https://rebomcap.eu/sload, which has a login panel. As usual there are masses of other .eu domains involved in this campaign. You can see the details on the Anyrun App reports.
One important thing to mention is that running the lnk file (in the Anyrun VM, so I don’t know if the same happens on a real computer) gives a message saying “error reading file, contents are corrupted”, with a yes/no option. Selecting yes runs the infection chain. I am assuming this is a fake error set to display to try to fool the victim.
One of the emails looks like:
Date: Sat 30/06/2018 07:46
Subject: none, Important notice about your package DSAF598011
We are pleased to report that the following item will dispatch sooner than expected.
Your order confirmation is below. Thank you again for your business.
Billing Information: Payment Method:
Shipping Information: Shipping Method:
Shipping Option standart
Your Order DSAF598011 Details
Submissions or comments which are in any way defamatory, abusive, obscene, unlawful, sexist, racist or which may in any way cause offence to any person are strictly prohibited. You must not use any abusive language, be aggressive, swear, threaten, harass or abuse any other person including but not limited to other users of this Website.
All information which You submit should be accurate, truthful and should not be copied.
You must use Your own identity at all times when using the Website and should ensure that all information which You provide is accurate and up to date to the best of Your knowledge. You must not use information about any other person except if You have their permission to do so.
You must not corrupt the Website, flood it with information causing it to malfunction or use any features which may affect the Website such as any worms, viruses or similar harmful elements. The use of spam (that is, multiple, unsolicited or undesired bulk e-mails) is also forbidden.
We will not be liable for any loss or damage which You suffer as a result of any harmful material infecting Your computer, data or other material due to Your use of Our Website.
If You have a password as part of Our security procedures, You must treat that information as confidential and must not disclose it to anyone.
We may refuse access to this Website to anyone who does not comply with these Terms.
Section B: Terms of Sale
6. OUR AGREEMENT FOR THE SALE OF GOODS AND THE ORDERING PROCESS
6.1 The Website displays Goods which are advertised for sale and gives information about them. By advertising Goods on the Website, We are inviting You to place an Order with Us. If You place an Order, We are not obliged to accept that Order and the Contract between Us will only be formed if and when We accept Your Order. Neither submitting an electronic order form, nor completing the checkout process constitutes Our acceptance of Your Order. Our acceptance of Your Order and the completion of the Contract between You and Us will take place upon despatch to you of the Goods. You may include any number of items within a single Order, subject to any restrictions set out in these Terms or on the Website and each Order which You place will be a separate Contract between Us. We reserve the right to refuse to supply Goods to any person.
6.2 Any variation of the Contract must be expressly agreed between You and Us.
6.3 The following paragraphs explain the process which You will need to go through to place an Order and how the Contract for the sale of Goods between us will be formed. This section also explains important information about payment and delivery.
Step 1 – Choosing your Goods
You can select a product for purchase by clicking on the item which You are interested in and then clicking on “Add to Basket”.
Step 2 –Reviewing Your Basket
You can review the products which You have added to Your basket. You can change the contents of Your basket by amending the quantity of Goods You want to order (which may be subject to a maximum number of items, per size from time to time), removing any unwanted items by clicking ‘Remove’ and viewing the basket total value. You can also enter any promotional code which You may have. Entering a valid promotional code and clicking ‘Redeem’ will update the basket total. You can then continue shopping and adding to Your basket if You wish or if You don’t want to buy anything else, go straight to the next step.
Step 3 – Going to Checkout
Once You have finished shopping, You can proceed to Checkout by clicking on “Continue” or by hovering over the basket icon in the top right hand corner of the page and then clicking “Checkout”.
Step 4 – Customer registration
You will then be asked whether You are a guest or an existing customer. To register as a guest customer You will be asked to provide Your e-mail address. We will then store that information for the purposes of processing Your Order but it will not be recognised next time You visit the Website. Existing customers will be asked for a password and e-mail address to login, each time an Order is placed. Alternatively, you have the option to pay with PayPal at this stage by clicking on the PayPal link.
Step 5 – Completing Your Address and Delivery Details
If You are a guest Customer, You will be given a list of delivery options. Once You have chosen Your option, You will be asked to enter Your delivery address or a town or postcode to find your nearest collection point. If You are an existing Customer, You will be shown a list of any delivery addresses You have previously entered. You will have the option of selecting the same address for Your billing address. Alternatively, on the next screen, You can enter a different billing address. You must provide us with the correct address details. We will not be liable for any delay to or failure of delivery as a result of Your failure to provide accurate address details.
Step 6 – Your Order Summary and Payment Information
You will then need to choose Your payment method and enter Your payment details. Please check this information very carefully. You will then be given the option to save such details for Your next visit. If You are an existing customer and you have previously saved Your payment details, they will appear here. Your Order summary page will then appear in the right hand corner. This includes details of the Goods in Your Order. You should check the details at this stage very carefully as this is the final stage in the Order process at which You can correct any mistakes or change the Goods which You want to Order. You can do this by returning to the home page and completing the process set out above again. If You are happy with Your Order, click “Place Order & Pay”.
Step 7 – Placing Your Order
By clicking on “Place Order & Pay”, You are confirming that You have read, understood and accepted these Terms. At this point Your Order will be submitted to Us.
Step 8 – Order Acknowledgement
Once We have received confirmation that Your payment has been authorised, a screen will appear, thanking You for Your Order. You will be given an Order reference and an e-mail will be sent to You to acknowledge Your Order. It will confirm the Goods, price and any delivery charge. Print a copy of the Order acknowledgment and e-mail and keep them for Your records. Please note, Our acceptance of Your Order (regardless of the content of any emails we send you) will only take place on despatch of Your Order.
6.4 We may refuse Your Order or cancel Your Order if we decide it is reasonable to do so which may include circumstances where:
6.4.1 We are unable to obtain authorised payment or the payment process is incomplete; or
6.4.2 We identify a product or pricing error on the Website; or
6.4.3 You fail to meet any criteria for eligibility of purchase which We may impose from time to time; or
6.4.4 We suspect that Your Order is related to fraudulent activity; or
6.4.5 You fail to submit all necessary and relevant details to allow Us to fulfil the Order; or
6.4.6 Goods are unavailable or out of stock.
6.5 We may contact You by telephone or email to verify details before We are able to process and despatch Your Order or We may be unable to accept it. For example, We may do this if Your Order is of particularly high value.
6.6 The Goods shown for sale on this Website are intended for private, consumer use and You must not resell Goods or offer them as a commercial enterprise. We reserve the right to limit the total value of Goods which can be included in an Order. If the total value of Goods in Your bag exceeds the limit which We may choose from time to time, then We will contact You.
The information contained in this message or any of its attachments is confidential and may be privileged. Unauthorised disclosure, copying or dissemination of the contents is strictly prohibited. The views expressed may not be official policy, but the personal views of the originator. If you are not the intended recipient or have received this message in error, please delete this e-mail and advise the sender by using the reply facility in your e-mail software. All messages sent and received by are monitored for viruses, high-risk file extensions, and inappropriate content.
Thank you for placing your order with us. We really appreciate your custom and will do everything within our power to ensure you get the very best of service.
| IP | Hostname | City | Region | Country | ASN |
|---|---|---|---|---|---|
| 18.104.22.168 | gateway11.unifiedlayer.com | Provo | Utah | US | AS46606 Unified Layer |
| 22.214.171.124 | cm.websitewelcome.com | Houston | Texas | US | AS20013 CyrusOne LLC |
| 126.96.36.199 | lagertha.asoshared.com | Durham | North Carolina | US | AS36024 TierPoint, LLC |
| 188.8.131.52 | | Seoul | Seoul | KR | AS4766 Korea Telecom |
Received: from gateway11.unifiedlayer.com ([184.108.40.206]:57289)
by My Email Server with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
for firstname.lastname@example.org; Sat, 30 Jun 2018 07:46:45 +0100
Received: from cm1.websitewelcome.com (unknown [220.127.116.11])
by gateway11.unifiedlayer.com (Postfix) with ESMTP id 14670200DE25A
for <email@example.com>; Sat, 30 Jun 2018 01:46:43 -0500 (CDT)
Received: from lagertha.asoshared.com ([18.104.22.168])
by cmsmtp with ESMTP
id Z9ecfggOqw5iTZ9ecfoUYW; Sat, 30 Jun 2018 01:46:43 -0500
Received: from [22.214.171.124] (port=4935 helo=201-187-172-163.rev.cloud.scaleway.com)
by lagertha.asoshared.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
for firstname.lastname@example.org; Sat, 30 Jun 2018 02:46:42 -0400
Subject: none, Important notice about your package DSAF598011
Content-Type: multipart/alternative; boundary="58cacf7bd35bcda300eae2a0103b"
To: To: “none” <email@example.com>
Date: Sat, 30 Jun 2018 08:46:22 +0200 (UTC)
X-Destination-ID: MIME::Lite 3.603 (R5.89; X4.65; H8.69; C1.96; N3.37)
Require-Recipient-Valid-Since: firstname.lastname@example.org; Sat, 30 Jun 2018 08:46:22 +0200
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - lagertha.asoshared.com
X-AntiAbuse: Original Domain - victimsdomain.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ellietaylor.com
X-Source-Sender: (201-187-172-163.rev.cloud.scaleway.com) [126.96.36.199]:4935
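To make the Received chain above easier to read, here is an added Python example. It is not code from the original post or from any of the services mentioned; it embeds the headers shown above as a constructed sample (with the same redacted placeholder addresses and IPs the post shows), walks the Received hops from the sending machine to the final server, and checks for the literal “none” recipient the post points out. The regular expressions are a simplified assumption that covers the header forms in this sample, not every mail server's dialect.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the Received/To/Subject headers shown on this page,
# re-folded with leading whitespace on continuation lines so the email
# module treats each Received header as one value. The addresses and IPs
# are the redacted placeholder values exactly as they appear in the post.
SAMPLE_HEADERS = """\
Received: from gateway11.unifiedlayer.com ([184.108.40.206]:57289)
  by My Email Server with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
  for firstname.lastname@example.org; Sat, 30 Jun 2018 07:46:45 +0100
Received: from cm1.websitewelcome.com (unknown [220.127.116.11])
  by gateway11.unifiedlayer.com (Postfix) with ESMTP id 14670200DE25A
  for <email@example.com>; Sat, 30 Jun 2018 01:46:43 -0500 (CDT)
Received: from lagertha.asoshared.com ([18.104.22.168])
  by cmsmtp with ESMTP
  id Z9ecfggOqw5iTZ9ecfoUYW; Sat, 30 Jun 2018 01:46:43 -0500
Received: from [22.214.171.124] (port=4935 helo=201-187-172-163.rev.cloud.scaleway.com)
  by lagertha.asoshared.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
  for firstname.lastname@example.org; Sat, 30 Jun 2018 02:46:42 -0400
Subject: none, Important notice about your package DSAF598011
To: "none" <email@example.com>
Date: Sat, 30 Jun 2018 08:46:22 +0200 (UTC)

"""

# Simplified patterns for the common "from X (...) by Y with Z" form.
# Assumption: they cover the servers in this sample, not every Received dialect.
FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(.+?)\s+(?:\(|with\b|id\b|for\b|;)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=(\S+?)\)")


def parse_hops(raw_message: str) -> list:
    """Return the Received hops in transit order: the sending client first,
    the recipient's own server last. Each relay prepends its Received header,
    so the header order is reversed to get transit order."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # collapse folded continuation lines
        m_from, m_by = FROM_RE.search(value), BY_RE.search(value)
        m_ip, m_helo = IP_RE.search(value), HELO_RE.search(value)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "helo": m_helo.group(1) if m_helo else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
        })
    return hops


def origin(raw_message: str) -> dict:
    """The first hop is the only one whose 'from' side is the sending machine
    rather than a relay; its IP and HELO name are what an abuse report or a
    blocking rule should be based on."""
    return parse_hops(raw_message)[0]


def placeholder_recipient(raw_message: str) -> bool:
    """True when the mail merge left the literal 'none' in the To display
    name or at the start of the Subject, the mistake this post points out."""
    msg = email.message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("To", ""))
    subject = msg.get("Subject", "")
    return display_name.strip().lower() == "none" or subject.lower().startswith("none,")


if __name__ == "__main__":
    for i, hop in enumerate(parse_hops(SAMPLE_HEADERS), 1):
        print(f"hop {i}: {hop['from']} (helo={hop['helo']}, ip={hop['ip']}) -> {hop['by']}")
    print("origin:", origin(SAMPLE_HEADERS))
    print("placeholder recipient:", placeholder_recipient(SAMPLE_HEADERS))
```

Run it directly to print the four hops in transit order. The first hop is the one whose IP and HELO name (here the scaleway.com reverse DNS name) identify the machine that actually submitted the mail; everything after it is the relaying hosting provider's infrastructure, which is why the X-AntiAbuse headers name a shared hosting server rather than the real sender.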
These malicious attachments normally have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details. A very high proportion are ransomware versions that encrypt your files and demand money (about £350/$400) to recover the files.

All the alleged senders, amounts, reference numbers, bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
This is another one of the files that, unless you have “show known file extensions” enabled, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .EXE / .JS file it really is, making it much more likely for you to accidentally open it and be infected.
Be very careful with email attachments. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email, whether it is a message saying “look at this picture of me I took last night” that appears to come from a friend, or something more targeted at somebody who is likely to regularly receive PDF attachments, Word .doc attachments or any other common file that you use every day.
The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family love to send us pictures of them doing silly things, or even cute pictures of the children or pets.
Never just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Many malicious files that are attached to emails will have a faked extension, that is, the three letters at the end of the file name. Unfortunately Windows by default hides the file extensions, so you need to set your folder options to “show known file types”. Then when you unzip the zip file that is supposed to contain the pictures of “Sally’s dog catching a ball”, or a report in Word document format that work has supposedly sent you to finish working on at the weekend, or an invoice or order confirmation from some company, you can easily see if it is a picture or document and not a malicious program.
If you see .JS, .EXE, .COM, .PIF, .SCR, .HTA, .VBS, .WSF, .JSE or .JAR at the end of the file name, DO NOT click on it or try to open it; it will infect you.
While the malicious program is inside the zip file, it cannot harm you or automatically run. When it is just sitting unzipped in your downloads folder it won’t infect you, provided you don’t click it to run it. Just delete the zip and any extracted file and everything will be OK. You can always run a scan with your antivirus to be sure. There are some zip files that can be configured by the bad guys to automatically run the malware file when you double click the zip to extract the file. If you right click any suspicious zip file received and select extract here or extract to folder (after saving the zip to a folder on the computer), that risk is virtually eliminated. Never attempt to open a zip directly from your email; that is a guaranteed way to get infected. The best way is to just delete the unexpected zip and not risk any infection.
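The following added Python example (mine, not the post's or any vendor's code) applies the advice above without opening anything: it lists a zip's entries, flags the extensions the post warns about plus the .lnk and .ps1 used by this campaign, spots decoy double extensions such as invoice.pdf.exe, and compares each file's leading bytes with what its name claims. The zips it examines are constructed in memory as stand-ins for pack-DSAF598011.zip; their file bodies are dummy bytes behind real file signatures, and the extension and signature lists are my own assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions this post tells readers never to open, plus .lnk and .ps1,
# which are what this particular chain uses (assumed list, extend as needed).
RISKY_EXTENSIONS = {".js", ".exe", ".com", ".pif", ".scr", ".hta", ".vbs",
                    ".wsf", ".jse", ".jar", ".lnk", ".ps1"}

# "Document" extensions placed before the real one to fool a user whose
# Explorer hides known extensions (invoice.pdf.exe displays as invoice.pdf).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg",
                    ".png", ".txt"}

# Leading byte signatures used to check content against the claimed name.
MAGIC = {
    # Windows shell link: HeaderSize 0x4C followed by the LNK CLSID
    "lnk": bytes.fromhex("4C000000" "0114020000000000C000000000000046"),
    "pe": b"MZ",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG",
}


def sniff(head: bytes) -> str:
    """Identify content by its first bytes; 'unknown' if nothing matches."""
    for kind, sig in MAGIC.items():
        if head.startswith(sig):
            return kind
    return "unknown"


def triage_zip(data: bytes) -> list:
    """Inspect every entry of a zip without executing anything and return
    one finding per file with the reasons it looks dangerous (empty if none)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            ext = suffixes[-1] if suffixes else ""
            with zf.open(info) as fh:
                kind = sniff(fh.read(32))
            reasons = []
            if ext in RISKY_EXTENSIONS:
                reasons.append(f"risky extension {ext}")
            if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTENSIONS:
                reasons.append(f"decoy double extension {''.join(suffixes[-2:])}")
            if kind in ("lnk", "pe") and ext not in RISKY_EXTENSIONS:
                reasons.append(f"content is {kind} but name claims {ext or 'no extension'}")
            if info.flag_bits & 0x1:  # general purpose bit 0: entry is encrypted
                reasons.append("entry is password protected, cannot be scanned")
            findings.append({"name": info.filename, "ext": ext,
                             "content": kind, "reasons": reasons})
    return findings


def verdict(findings: list) -> str:
    return "quarantine" if any(f["reasons"] for f in findings) else "no risky entries"


def build_sample_zip() -> bytes:
    """Constructed stand-in for pack-DSAF598011.zip: a small image plus a
    shortcut file, mirroring the post's description. Bodies are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pack-DSAF598011.jpg", MAGIC["jpeg"] + b"\x00" * 64)
        zf.writestr("pack-DSAF598011.lnk", MAGIC["lnk"] + b"\x00" * 64)
    return buf.getvalue()


def build_decoy_zip() -> bytes:
    """Constructed zip with a double-extension executable, the trick the post
    describes for readers who have not enabled 'show known file types'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", MAGIC["pe"] + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for sample in (build_sample_zip(), build_decoy_zip()):
        findings = triage_zip(sample)
        for f in findings:
            print(f"{f['name']:24} content={f['content']:8} reasons={f['reasons']}")
        print("verdict:", verdict(findings))
```

The check reads only the first 32 bytes of each entry through the zipfile module, so nothing is written to disk or executed. On the constructed pack-DSAF598011.zip the image passes and the .lnk is flagged by extension alone; on the decoy zip the name is caught twice, once for the .exe and once for the .pdf.exe pairing, and the MZ signature confirms the content is a Windows executable.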