Arsh Arora and Max Gannon, malware researchers in our lab at the University of Alabama at Birmingham (UAB), continue their ongoing analysis of the Kelihos botnet, what we call a “longitudinal malware study.” Today Arsh returns with some interesting observations about the Kelihos botnet as it sends out Amazon Gift Card spam.
Arsh, take it from here.
Amazon Gift Card from Kelihos botnet! Anyone up for a Nymaim banking trojan or CryptoLocker?
Here it is: the Kelihos botnet is back with a bang. Today, Kelihos is in a festive mood and giving away a free “Amazon Gift Card”, especially for US customers. Not all American spam recipients received the malware, however: only those whose email address ends in the country code “.us” did. As you can see in the sample list below, this means that many school employees will have received this spam, as K-12 schools very commonly use .us domain names.
This is the first time it has geo-targeted US customers; on previous occasions it targeted Canadian, German and UK, and Dutch customers. The delivery mechanism is the same: the botnet sends emails containing suspicious links to a Microsoft Word document, which downloads a Nullsoft installer that eventually infects you with Nymaim/CryptoLocker.
We can now say with confidence that the operators of the Kelihos botnet are formulating a strategy in choosing their targets for each spam campaign. Basically, they are trying to regain the attention of the industry and reclaim their spot as the longest-surviving spamming botnet. Recently, the botnet's size increased tremendously and has been a hot topic in the cyber industry.
|Geo-targeted emails to US-based victims|
The most common email subjects we observed being used in the spam campaign are:
Subject: Amazon Gift Team just wants to make a present for you
Subject: Awesome news! You recieved a gift from Amazon!
Subject: Don’t wait, get free voucher! Amazon Promo chosen you!
Subject: Gift from Amazon was just recieved, redeem yours now
The URLs sent in the email are presented below with their corresponding resolved IP addresses (location via WHOIS lookup):
hxxp://amazon.com.yougifted[.]pw/Amazon%20Gift%20Code[dot]doc – 104[.]168[.]181[.]99; Oklahoma
hxxp://amazon.com.youwelcomes[.]pw/Amazon%20Gift%20Code[dot]doc – 104[.]168[.]181[.]99
hxxp://amazon.com.cheappromo[.]pw/Amazon%20Gift%20Code[dot]doc – 149[.]202[.]194[.]178; Nord-pas-de-calais
hxxp://amazon.com.getforless[.]pw/Amazon%20Gift%20Code[dot]doc – 149[.]202[.]194[.]178
hxxp://amazon.com.giftcardservice[.]pw/Amazon%20Gift%20Code[dot]doc – 198[.]105[.]215[.]36; Utah
Registrant Organization: Private Person
Registrant Street: 22 Bakinskih komissarov 2k1, 51
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 119571
Registrant Country: RU
Registrant Phone: +7.9681673922
Registrant Email: firstname.lastname@example.org
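The lookalike pattern in the URLs above (a trusted brand, amazon.com, placed in front of a throwaway .pw registrable domain) is easy to match automatically. The Python below is an added example, not code from the authors or from UAB: it refangs the indicators listed above into real URLs, then scans a few constructed proxy log lines (timestamps, client IPs and the amazon.com.newlure.pw host are made up) for the known indicator hosts, for the brand-as-subdomain pattern, and for .doc downloads. The registrable_domain helper simply takes the last two host labels, which is an assumption that breaks on multi-label public suffixes such as co.uk; a real deployment would use a public suffix list library.

```python
from urllib.parse import urlparse

# Indicators copied from the post, in its defanged notation
DEFANGED_INDICATORS = [
    "hxxp://amazon.com.yougifted[.]pw/Amazon%20Gift%20Code[dot]doc",
    "hxxp://amazon.com.youwelcomes[.]pw/Amazon%20Gift%20Code[dot]doc",
    "hxxp://amazon.com.cheappromo[.]pw/Amazon%20Gift%20Code[dot]doc",
    "hxxp://amazon.com.getforless[.]pw/Amazon%20Gift%20Code[dot]doc",
    "hxxp://amazon.com.giftcardservice[.]pw/Amazon%20Gift%20Code[dot]doc",
]

# Brand domains the campaign impersonates by using them as a subdomain
# prefix of an unrelated registrable domain (amazon.com.<lure>.pw).
IMPERSONATED_BRANDS = ("amazon.com",)

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>"
# (timestamps, client IPs and the "newlure" host are invented for the example)
SAMPLE_PROXY_LOG = [
    "2016-06-21T14:02:11Z 10.0.5.23 GET http://amazon.com.yougifted.pw/Amazon%20Gift%20Code.doc 200",
    "2016-06-21T14:03:40Z 10.0.5.23 GET https://www.amazon.com/gp/css/gc/payment 200",
    "2016-06-21T14:05:02Z 10.0.7.88 GET http://amazon.com.newlure.pw/Amazon%20Gift%20Code.doc 200",
    "2016-06-21T14:06:15Z 10.0.7.88 GET http://intranet.example.org/reports/q2.doc 200",
]


def refang(indicator: str) -> str:
    """Turn the post's defanged notation back into a parseable URL."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", ".")
                     .replace("[dot]", "."))


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-label public suffixes
    (co.uk etc.) occur in the input; use a PSL library in production."""
    return ".".join(host.lower().split(".")[-2:])


def brand_as_subdomain(host: str, brands=IMPERSONATED_BRANDS) -> bool:
    """True when a brand domain is a subdomain prefix of some *other*
    registrable domain: amazon.com.yougifted.pw yes, www.amazon.com no."""
    host = host.lower()
    return any(host.startswith(b + ".") and registrable_domain(host) != b
               for b in brands)


def scan_proxy_log(lines, indicators=DEFANGED_INDICATORS):
    """Return one finding per log line that matches any rule, with the reasons."""
    known_hosts = {urlparse(refang(i)).hostname for i in indicators}
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash the scan
        parsed = urlparse(fields[3])
        host = parsed.hostname or ""
        reasons = []
        if host in known_hosts:
            reasons.append("known-indicator-host")
        if brand_as_subdomain(host):
            reasons.append("brand-as-subdomain")
        if parsed.path.lower().endswith(".doc"):
            reasons.append("word-doc-download")
        if reasons:
            findings.append({"client": fields[1], "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding["client"], finding["host"], ", ".join(finding["reasons"]))
```

The brand-as-subdomain rule is the one worth keeping after this campaign ends: it catches the second lure host, which is not in the indicator list, while the plain .doc rule alone only produces a low-value hit on an internal file share.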
|Document opened in Protected view with a URL link|
After downloading the Word document and viewing its content, the user sees the message above. Interestingly, it contains a URL meant to excite the victim: in order to receive this “amazing” offer, the user first has to press the “Enable Editing” button.
|Enable Content AKA Encrypt Me!|
After clicking the ‘Enable Editing’ button, another window asks to ‘Enable Macros’, aka the “ENCRYPT ME” button. The gift card is still unavailable and can only be retrieved by clicking the URL in the email.
|Congratulating the user!|
This is the first time we have seen this behavior, where the user is asked to click a URL. While the user is occupied trying to find his/her gift code, the ransomware is performing its task in the background. By the time the user realizes a scam is underway, the machine is already encrypted. The threat actors have perfectly social-engineered user behavior in order to succeed in causing damage to the user.
|Too late to say Sorry!|
|VT results 10/57, CryptoLocker|
|#Nymaim in the comments section|
As of now, my colleague Max Gannon, Malware Analyst at UAB, notes that these samples are extraordinarily VM-aware. The malware performs the usual registry check for references to virtualization software, but it also checks the display adapters and color settings, which are harder to disguise and less frequently modified by malware analysts. It checks the local machine language as well as the keyboard layout, which again are not frequently changed. It checks the clipboard contents and whether the clipboard is linked to a virtual machine. Lastly, it checks the system for a pre-defined set of programs that it considers indicative of a normal system. This is a significant increase in the number of checks compared to similar malware families and may require additional focus and analysis time.
This is a Security Bloggers Network syndicated blog post authored by Gary Warner, UAB / PhishMe. Read the original post at: CyberCrime & Doing Time