
For a long time, attackers have used .zip files in order to carry their bad stuff to organizations. Typically attackers include the malware as an .exe or screensaver file in the .zip, but we’ve noticed attackers trying to tell a different story in a recent wave of attacks. Here’s a screenshot of one of the emails:

Figure 1 — Phishing email

Once opened, the user is prompted to download a .zip file. We can see this in the iframe of the HTML file inside the attachment, as well as in the .zip file that is downloaded.

Figure 2 — HTML file with iframe downloading .zip file

There are a few things to note here. In the original email, the link carried an ID of 185, which suggests at least 184 other recipients, not counting any with higher IDs. Testing ID 183 shows that there are other links to .zip files.

Figure 3 — Identification of id=183 .zip file

With Python and a little wget, we can generate 2,000 links or so to see if there are other variants, since these seem to be hosted on Google Drive.

Figure 4 — Printing of files to grab

Looking at the file sizes, we can confirm that there are some differences and possibly different data (Figure 5).

Figure 5 — Difference in file sizes

By looking at the one with a different file size, we can see that it contains a link to Google Drive.

Figure 6 — Google Drive link

By grepping the downloaded contents for drive.google.com, we can see that there are in fact other files present. There are a few duplicates, so we’ll have to clean them up.

Figure 7 — Google Drive links

By using a little command-line kung fu, we can get down to the 10 links the attackers are trying to send.

Figure 8 — Google Drive links

By downloading the 10 files, one would hope the attackers would make it difficult to analyze all 10 samples… but alas, it’s just the same file uploaded 10 times.

Figure 9 — Attacker fail. VirusTotal link: https://www.virustotal.com/en/file/97682ee33164634655c21d87bd69f28532b345fcc885d5bd40a27da9b31df294/analysis/

Once the malware is executed, we are presented with a familiar screen… CryptoWall 3.0!

Figure 10 — CryptoWall 3.0

We’ve analyzed CryptoWall before, and this variant shows nothing has really changed. To find this in your network, look for one of the first requests, which goes to mpc4u.co[d]uk, a domain that appears to be compromised.

Figure 11 — First beacon for domains

Next, the following domains should be searched for at the TLD level:

http://6i3cb6owitcouepv.paybalanceto[d]com/15dks5

http://6i3cb6owitcouepv.paybrakepoint[d]com/15dks5

http://6i3cb6owitcouepv.paytostopigil[d]com/15dks5

http://6i3cb6owitcouepv.paytodoublemoney[d]com/15dks5
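The hunt described above, as an added example that is not part of the original post: the indicators are quoted in the post’s own "[d]" defanged notation, refanged at runtime, and matched against the hostname of each request in a constructed proxy log (the log format and sample lines are assumptions, not real traffic). Subdomains of an indicator host are matched too, and the URL path is ignored so that the same domains with a different path are still flagged.

```python
from urllib.parse import urlparse

# Indicators quoted from the post, kept in its "[d]" defanged notation:
# the first beacon host and the four CryptoWall payment-page URLs.
DEFANGED_INDICATORS = [
    "mpc4u.co[d]uk",
    "http://6i3cb6owitcouepv.paybalanceto[d]com/15dks5",
    "http://6i3cb6owitcouepv.paybrakepoint[d]com/15dks5",
    "http://6i3cb6owitcouepv.paytostopigil[d]com/15dks5",
    "http://6i3cb6owitcouepv.paytodoublemoney[d]com/15dks5",
]

# Constructed sample proxy log lines (time, client, method, URL); not real traffic.
SAMPLE_LOG = """\
2015-03-02T10:01:07Z 10.0.0.15 GET http://mpc4u.co.uk/wp-content/img.php?v=1
2015-03-02T10:01:09Z 10.0.0.15 GET http://www.example.com/index.html
2015-03-02T10:02:41Z 10.0.0.15 GET http://6i3cb6owitcouepv.paybalanceto.com/15dks5
2015-03-02T10:03:02Z 10.0.0.22 GET http://6i3cb6owitcouepv.paytodoublemoney.com/15dks5
2015-03-02T10:04:00Z 10.0.0.22 GET http://example.org/
"""


def indicator_hosts(indicators):
    """Refang '[d]' back to '.' and reduce each indicator to its hostname."""
    hosts = set()
    for ind in indicators:
        ind = ind.replace("[d]", ".")
        # Full URLs are parsed for their host; bare domains are used as-is.
        hosts.add(urlparse(ind).hostname if "://" in ind else ind)
    return hosts


def find_hits(log_text, indicators=DEFANGED_INDICATORS):
    """Return (client, host) for each request whose host equals an indicator
    host or is a subdomain of one. The path is deliberately ignored so a
    different path on the same payment domain is still caught."""
    hosts = indicator_hosts(indicators)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        host = urlparse(fields[3]).hostname
        if host and any(host == h or host.endswith("." + h) for h in hosts):
            hits.append((fields[1], host))
    return hits
```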

By using the passive DNS built into VirusTotal, we’re able to pivot on the IP address 95.163.121.228 and see what else has resolved to it.

Figure 12 — More bad domains

And as with most of these samples, AV detection is very low (6/55).

Figure 13 — Low Detection Rate

While attackers are trying to get smarter, they are still telling the same story to convince someone to click on an attachment. Putting an HTML file inside a .zip gives the attackers one more way to land in users’ inboxes and entice them to click.