
              Spam Campaign Delivers Liftoh Downloader

              • Author: Eric Kumar, Dell SecureWorks Counter Threat Unit(TM) Threat Intelligence
              • Date: 10 December 2013

              Overview

              Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers analyzed an ongoing spam campaign that uses the "UPS delivery notification tracking number" lure to infect unsuspecting users. While UPS-related spam emails are common, this particular campaign has been observed since October 2013 and uses exploit-laden documents to deliver its payload. The initial delivered payload is the Liftoh downloader trojan, which in turn downloads additional malware as a secondary payload onto the victim's system.

              Analysis

Figure 1 shows the spam email, which both links to and attaches a malicious Rich Text Format (RTF) file. The attachment carries a .doc extension to disguise its RTF content.


              Figure 1. Spam email containing link and attachments for malicious RTF file. (Source: Dell SecureWorks)

              Figure 2 shows an example header from the spam email with spoofed sender information.


              Figure 2. Email header with spoofed sender information. (Source: Dell SecureWorks)

The spoofed sender address is <auto-notify @ ups . com> or <auto @ ups . com>, but the Received headers reveal some of the actual sending hosts (see Table 1). Some of the hosts listed in Table 1 may have appeared on DNS-based blocklists (DNSBLs) such as the Spamhaus DBL, PSBL, SURBL, and SORBS, and some hosts were offline as of this publication. These hosts might be compromised systems used as SMTP relays, or part of disposable, attacker-owned spam infrastructure.

Domain name | IP address | ASN | ISP | Location
mail . enviosuperfast . info | 184.82.214.54 | AS21788 | Network Operations Center | Scranton, Pennsylvania, United States
mail1 . sinalturbo . com . br | 189.85.19.140 | AS11835 | Ipe Informatica Ltda | Matinhos, Parana, Brazil
mail1 . ideasinnovation . info | 46.165.219.112 | AS16265 | LeaseWeb B.V. | Germany
mail1 . studioinfinity . info | 46.165.219.89 | AS16265 | LeaseWeb B.V. | Germany
mail1 . infosoftwebmarketing . net | 177.10.190.154 | AS52929 | Elias Peixoto Nacle Estefan - ALBERGUE IDC | Brazil
mail2 . infosoftwebmarketing . net | 177.10.190.155 | AS52929 | Elias Peixoto Nacle Estefan - ALBERGUE IDC | Brazil
mail2 . topbrasil100 . net | 177.10.190.3 | AS52929 | Elias Peixoto Nacle Estefan - ALBERGUE IDC | Brazil
mail1 . sarl-bjt . fr | 88.173.220.169 | AS12322 | Free SAS | Paris, Ile-de-France, France
dns . sarl-bjt . fr | 78.229.183.241 | AS12322 | Free SAS | Paris, Ile-de-France, France
mail . planete . sn | 188.165.255.149 | AS16276 | OVH Systems | France
mail . alphamix . info | 177.137.18.72 | AS28271 | DataCorpore Servi | Brazil
t5 . com . br | 201.33.22.202 | AS28271 | DataCorpore Servi | Brazil
sender . siscontroller360 . net . br | 192.241.183.204 | AS62567 | Digital Ocean, Inc. | New York, New York, United States
mail11 . superlojas . biz | 192.157.233.99 | AS18978 | Enzu Inc | Henderson, Nevada, United States
ip1 . www . 653 . webpainel . org | 198.24.186.122 | AS19437 | Secured Servers LLC | Tempe, Arizona, United States
 | 192.123.32.83 | Unknown | Kraft Foods Group | Winnetka, Illinois, United States

              Table 1. Senders of spam email.
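The mismatch described above, between the address the From header claims and the host that actually injected the message, can be checked mechanically from the Received chain. The following script is an added illustration, not CTU's tooling; the message it parses is constructed for the example, and its host names and IP addresses are documentation placeholders rather than campaign indicators.

```python
"""Find where a spam message really entered the mail path and compare it with
the sender domain the From header claims (added example; constructed input)."""
import email
import re
from email.utils import parseaddr

# Constructed sample in the shape of Figure 2: the From header claims ups.com,
# but the oldest Received hop (listed last) is an unrelated third-party host.
SAMPLE_MESSAGE = b"""\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id ABC123; Mon, 21 Oct 2013 08:00:00 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.net with SMTP; Mon, 21 Oct 2013 07:59:58 +0000
From: "UPS Quantum View" <auto-notify@ups.com>
To: victim@example.com
Subject: UPS Delivery Notification Tracking Number 1Z1234567890
Message-ID: <20131021075958.ABC@relay.example.net>
Content-Type: text/plain

Your shipment could not be delivered. See the attached invoice.
"""

RECEIVED_FROM = re.compile(r"\bfrom\s+(\S+)\s*(?:\(([^)]*)\))?", re.IGNORECASE)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received_chain(raw):
    """Return the Received hops oldest-first as (helo_name, ip) tuples."""
    msg = email.message_from_bytes(raw)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(header.split())  # unfold continuation lines
        m = RECEIVED_FROM.search(text)
        if not m:
            continue
        ip = IPV4.search(m.group(2) or "")
        hops.append((m.group(1).lower(), ip.group(1) if ip else None))
    hops.reverse()  # each relay prepends its header, so the last one is the oldest
    return hops


def claimed_sender_domain(raw):
    """Domain of the From header address, i.e. what the recipient sees."""
    _, addr = parseaddr(email.message_from_bytes(raw).get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _in_domain(host, domain):
    return bool(host) and bool(domain) and (host == domain or host.endswith("." + domain))


def spoofing_indicators(raw):
    """Compare the originating relay and Message-ID domain with the claimed
    From domain; the sender is likely spoofed when neither belongs to it."""
    msg = email.message_from_bytes(raw)
    claimed = claimed_sender_domain(raw)
    hops = parse_received_chain(raw)
    origin_host, origin_ip = hops[0] if hops else (None, None)
    mid = msg.get("Message-ID", "")
    mid_domain = mid.rsplit("@", 1)[-1].strip("> ").lower() if "@" in mid else ""
    return {
        "claimed_domain": claimed,
        "origin_host": origin_host,
        "origin_ip": origin_ip,
        "message_id_domain": mid_domain,
        "likely_spoofed": (not _in_domain(origin_host, claimed)
                           and not _in_domain(mid_domain, claimed)),
    }


if __name__ == "__main__":
    for key, value in spoofing_indicators(SAMPLE_MESSAGE).items():
        print(f"{key:>18}: {value}")
```

Only the hops added by infrastructure you control can be trusted; any Received header below your edge MTA's own entry was written by the sender and can be forged, so anchor the analysis at the hop your edge MTA recorded. The same From-versus-origin mismatch is what SPF and DMARC evaluation formalizes.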

              CTU researchers observed the following domains in spam recipient email addresses:

              • gicom . nl
              • mvdloo . nl
              • cneweb . de
              • yahoo . fr
              • helimail . de
              • online . fr
              • tq3 . co. uk
              • excel . co. jp
              • smegroup . co . uk
              • fujielectric . co . jp
              • st-pauls . hereford . sch . uk

The RTF file contains exploits for two patched vulnerabilities: CVE-2012-0158 (MSCOMCTL.OCX ActiveX control remote code execution) and CVE-2010-3333 (RTF stack buffer overflow in the pFragments shape property). Opening the RTF drops and launches an empty decoy document named "cv.doc" in the user's %TEMP% folder. Successful exploitation drops the Liftoh downloader onto the victim's system. Liftoh was previously observed spreading via Skype and other instant messenger applications in May 2013; at that time it also downloaded the Phopifas worm as a secondary payload.
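A static triage script for the two exploit classes named above, written as an added example and not as part of the CTU analysis. It hex-decodes the \objdata blobs that carry embedded OLE objects and looks for the MSCOMCTL ListView control (by ProgID and CLSID) that CVE-2012-0158 exploit documents embed, and it flags an oversized pFragments shape property, the RTF construct abused by CVE-2010-3333. The document it runs on is constructed to contain only those identifying strings; it is not an exploit, and the 64-byte pFragments threshold is an assumption chosen for the example.

```python
"""Static triage of an RTF for CVE-2012-0158 and CVE-2010-3333 indicators
(added example; the sample document is constructed and carries no exploit)."""
import binascii
import re

# CLSID {BDD1F04B-858B-11D1-B16A-00C0F0283628} of the MSCOMCTL ListView control
# targeted by CVE-2012-0158, in the little-endian byte order it has in an OLE stream.
MSCOMCTL_LISTVIEW_CLSID = bytes.fromhex("4bf0d1bd8b85d111b16a00c0f0283628")
MSCOMCTL_PROGID = b"MSComctlLib"

OBJDATA = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
PFRAGMENTS_SV = re.compile(rb"\\sn\s+pFragments\s*\}\s*\{\\sv\s+([^}]*)\}")


def looks_like_rtf(data):
    """True when the content is RTF, whatever extension the file carries."""
    return data.lstrip().startswith(b"{\\rtf")


def extract_objdata(rtf):
    """Hex-decode every \\objdata blob (embedded OLE object) in the document."""
    blobs = []
    for m in OBJDATA.finditer(rtf):
        hexdata = b"".join(m.group(1).split())
        hexdata = hexdata[: len(hexdata) // 2 * 2]  # drop a dangling nibble
        try:
            blobs.append(binascii.unhexlify(hexdata))
        except binascii.Error:
            continue
    return blobs


def triage_rtf(data, pfragments_threshold=64):
    """Return human-readable findings for one document (empty list if clean)."""
    findings = []
    if not looks_like_rtf(data):
        return findings
    for blob in extract_objdata(data):
        if MSCOMCTL_LISTVIEW_CLSID in blob or MSCOMCTL_PROGID in blob:
            findings.append("embedded MSCOMCTL ListView object (CVE-2012-0158 indicator)")
            break
    for m in PFRAGMENTS_SV.finditer(data):
        # Legitimate pFragments values are a few bytes; exploits pad them heavily.
        if len(m.group(1)) > pfragments_threshold:
            findings.append("oversized pFragments shape property (CVE-2010-3333 indicator)")
            break
    return findings


def build_sample_rtf():
    """Construct a harmless RTF carrying the same identifying strings an exploit
    document would: an embedded MSCOMCTL ListView object and a padded pFragments
    property. It contains no trigger data or shellcode (constructed input)."""
    classname = b"MSComctlLib.ListViewCtrl.2\x00"
    ole1 = (b"\x01\x05\x00\x00"                 # OLE 1.0 ObjectHeader: version
            + b"\x02\x00\x00\x00"               # FormatID: embedded object
            + len(classname).to_bytes(4, "little") + classname
            + MSCOMCTL_LISTVIEW_CLSID)          # stands in for the CompObj content
    objhex = binascii.hexlify(ole1)
    objhex = b"\n".join(objhex[i:i + 64] for i in range(0, len(objhex), 64))
    return (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\n"
            b"{\\object\\objocx\\objw1000\\objh1000"
            b"{\\*\\objclass MSComctlLib.ListViewCtrl.2}{\\*\\objdata\n" + objhex + b"}}\n"
            b"{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;1;" + b"41" * 128 + b"}}}}\n"
            b"\\par }")


if __name__ == "__main__":
    for finding in triage_rtf(build_sample_rtf()):
        print("-", finding)
```

Real samples obfuscate the control words (splitting them across groups, inserting \bin runs, nesting destinations), so a production triage should use a parser that normalizes RTF first, such as rtfobj from oletools; the decoy "cv.doc" appearing in %TEMP% is the corresponding sandbox-side observable.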

Liftoh is initially dropped into and executed from the user's %TEMP% folder under filenames such as "CD.tmp" or "Winword.exe". The legitimate Winword.exe belongs to Microsoft Office Word and resides under the Program Files directory, so a Winword.exe image running from %TEMP% is itself a useful anomaly. The malware then copies itself to the %CommonAppData% and %AppData% folders under a random-looking filename such as "afdaafdebcfsacfsfdsf.exe".

              The path name and file location are determined by the following environment variables:

              • %Temp% refers to the user's Temp folder and by default is "C:\Documents and Settings\<Current User>\Local Settings\Temp" for Windows 2000/XP and "C:\Users\<Current User>\AppData\Local\Temp" for Windows Vista, Windows 7, and Windows 8.
              • %CommonAppData% refers to the Application Data folder for the All Users Profile. By default, the location of this folder is "C:\Documents and Settings\All Users\Application Data" for Windows 2000/XP and "C:\ProgramData\" for Windows Vista, Windows 7, and Windows 8.
              • %AppData% refers to the current user's Application Data folder. By default, the location of this folder is "C:\Documents and Settings\<Current User>\Application Data" for Windows 2000/XP and "C:\Users\<Current User>\AppData\Roaming" for Windows Vista, Windows 7, and Windows 8.

Liftoh injects malicious code into a legitimate process such as "explorer.exe" and adds the path of its copy to the current user's Run registry key, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, to maintain persistence. Because this key lives under HKCU, the persistence does not require administrative privileges.
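The dropper behaviour in the preceding paragraphs gives an endpoint analyst three host-side signals: a Winword.exe image outside Program Files, a random-looking executable carrying the fixed "sacfsfdsf" suffix shared by every dropper filename and mutex in Table 2 sitting in a user-writable folder, and an HKCU Run value pointing at it. The following script is an added example rather than a CTU signature; the telemetry records it scans are constructed for the example, with only the path, filename and mutex patterns taken from this report, and the record schema (type, image, key, data, name fields) is an assumption made for the example.

```python
"""Host-side detection of the Liftoh dropper behaviour over constructed
endpoint telemetry (added example, not a CTU signature)."""
import ntpath
import re

# Every dropper filename in the indicator table is a run of the letters a-f
# followed by the fixed suffix "sacfsfdsf.exe"; both observed mutexes end in a
# GUID plus the same suffix.
DROPPER_NAME = re.compile(r"^[a-f]+sacfsfdsf\.exe$", re.IGNORECASE)
DROPPER_MUTEX = re.compile(
    r"^-\d_[a-z]*_[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}sacfsfdsf$", re.IGNORECASE)
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"

USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\application data\\", "\\temp\\")
LEGIT_WINWORD_DIRS = ("\\program files\\", "\\program files (x86)\\")


def _norm(path):
    return path.replace("/", "\\").lower()


def check_process(event):
    """Flag winword.exe launched from outside Program Files, and dropper-named
    executables launched from user-writable folders."""
    path = _norm(event["image"])
    name = ntpath.basename(path)
    hits = []
    if name == "winword.exe" and not any(d in path for d in LEGIT_WINWORD_DIRS):
        hits.append("winword.exe executed outside Program Files")
    if DROPPER_NAME.match(name) and any(d in path for d in USER_WRITABLE):
        hits.append("Liftoh-style dropper name in user-writable folder")
    return hits


def check_registry(event):
    """Flag HKCU Run values whose target lives in a user-writable folder."""
    key = _norm(event["key"]).replace("hkcu\\", "hkey_current_user\\", 1)
    if key != RUN_KEY:
        return []
    target = _norm(event["data"]).strip('"')
    if any(d in target for d in USER_WRITABLE):
        return ["HKCU Run persistence pointing into a user-writable folder"]
    return []


def check_mutex(event):
    return ["Liftoh-style runtime mutex"] if DROPPER_MUTEX.match(event["name"]) else []


HANDLERS = {"process": check_process, "registry": check_registry, "mutex": check_mutex}


def scan(events):
    """Return (event_index, finding) pairs for every rule that fires."""
    out = []
    for i, ev in enumerate(events):
        for finding in HANDLERS.get(ev["type"], lambda e: [])(ev):
            out.append((i, finding))
    return out


# Constructed telemetry: a benign Word launch followed by the infection chain.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\Winword.exe"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Roaming\afdaafdebcfsacfsfdsf.exe"},
    {"type": "registry",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "afdaafdebcfsacfsfdsf",
     "data": r"C:\ProgramData\afdaafdebcfsacfsfdsf.exe"},
    {"type": "mutex", "name": "-1_cc_fabbc6a1-c573-4ea0-9ca1-50004b35a440sacfsfdsf"},
    {"type": "mutex", "name": "Global\\MSCTF.Shared.MUTEX"},
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

The fixed suffix rules are campaign artifacts that will age out; the durable rules are the Office binary running from a temp folder and a Run value pointing into a user-writable path. Expect the latter to fire on legitimate per-user installers as well, so pair it with an allowlist rather than blocking on it outright.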

The Liftoh downloader initially sends information about the infected system, including its GUID, to its command and control (C2) server. The communication is encrypted using the C2 hostname as the key, a scheme similar to the one used by the Shylock trojan. The C2 server in turn uses the infected system's GUID as the key to encrypt the commands and malware payloads it returns.

              Figure 3 shows initial network communication (HTTP POST request) observed from an infected system by the most recent variant of Liftoh downloader as of this publication. The text highlighted in purple is the POST request, and the text highlighted in red is the host or C2 domain.


              Figure 3. Initial network activity associated with the most recent variant of Liftoh downloader. (Source: Dell SecureWorks)

              Figure 4 shows initial network communication (HTTP POST request) observed from an infected system by a previous variant of Liftoh downloader that was observed in May 2013. The text highlighted in purple is the POST request, and the text highlighted in red is the host or C2 domain.


              Figure 4. Initial network activity associated with a previous variant of Liftoh downloader. (Source: Dell SecureWorks)

Liftoh downloads and executes additional malware from hard-coded URLs. CTU researchers have observed Liftoh downloading a Bitcoin miner and a variant of Zeus/Zbot (version 2.1.1.2). Previously, the Phopifas worm was downloaded as a secondary payload from the Hotfile file-sharing website. Figure 5 shows a sample of network activity (HTTP GET request) for a previous variant of the Liftoh downloader retrieving the secondary payload. The text highlighted in purple shows the GET request, and the text highlighted in red shows the host or C2 domain.


              Figure 5. Secondary payload (Phopifas worm) download network activity. (Source: Dell SecureWorks)

              Figure 6 shows where the threat actor embedded distinguishing strings within the data section of one of the malware's binary payloads (MD5: e2ee9453132f90c2e9b8a0bccb2f605d).


              Figure 6. Additional strings embedded by the threat actor within the data section of the malware's binary payload. (Source: Dell SecureWorks)

              Telemetry

              Telemetry from Dell SecureWorks event monitoring shows organizations in the following market verticals have been affected by Liftoh:

              • Banking
              • Manufacturing
              • Healthcare
              • Legal
              • Credit unions
              • Retail
              • Technology providers

              Figure 7 shows a timeline of the Liftoh downloader activity based on Dell SecureWorks telemetry. The majority of events were for the most recent variant of the Liftoh downloader beginning in November 2013.


              Figure 7. Timeline of activity associated with Dell SecureWorks iSensor countermeasures for the Liftoh downloader between October 22 and November 8, 2013. (Source: Dell SecureWorks)

              Conclusion

              The threat actors seem to be delivering Liftoh downloader via different mechanisms. In May 2013, the threat actors used spammed links to Skype users and other instant messenger applications. In October 2013, a spam email campaign used exploit-laden RTF documents. It is very likely that the threat actors will switch to other delivery mechanisms in the future that use social engineering techniques to maximize infection yields. It is also likely that the threat actors may leverage the Liftoh downloader to deliver a variety of other malware as secondary payloads.

              Dell SecureWorks recommends that organizations protect themselves against malicious campaigns by deploying a defense-in-depth strategy that includes the following components:

              • Ensure that your Microsoft Office applications are current and up to date with security updates.
              • Ensure that your browser application software is up to date with all available security updates to prevent exploitation of known browser vulnerabilities that deliver "drive-by" downloads.
              • Ensure that your version of the Windows operating system has all available security updates.
              • Schedule and maintain routine patching cycles, especially on servers that host public services and are accessible through the firewall, such as HTTP, FTP, email, and DNS services.
              • Leverage features in Microsoft Office applications to improve overall security, such as disabling ActiveX, disabling macros, and blocking external content.
              • Install and tune spam filters on your email server to block suspicious and malicious email content. For example, flag or block email containing file attachments that are commonly used to spread threats, such as .exe, .pif, .scr, .vbs, .hlp, and .bat files. Deploy advanced malware protection devices inline with incoming email streams containing malicious file attachments as well as subsequent file downloads.
              • Ensure that appropriate policies are in place to restrict programs and users of a computer to only use the lowest level of privileges necessary to complete a task. Users should not operate with Administrative privileges.
              • Disable AutoPlay on network and removable drives to prevent the automatic launching of executable files.
• Apply post-infection controls such as firewall policies, web proxies, inspection of file downloads (including over HTTPS), and associated log monitoring to identify anomalies. If an infection is detected, immediately isolate compromised computers to prevent threats from spreading. If needed, perform a forensic analysis of the infected system to identify the attack vector and any potential data exfiltration. CTU researchers strongly recommend restoring infected systems to a clean state using trusted media.
              • Train users not to click links or open attachments in unexpected emails. Also, train users not to execute software that has been downloaded from the Internet until it has been scanned for malware with an antivirus application.

              Threat indicators

              The threat indicators in Table 2 can be used to detect activity related to this campaign. The domains and IP addresses listed in the indicators table may contain malicious content, so consider the risks before opening them in a browser.

Indicator | Type | Context
feed404.dnsquerys.org | Domain name | C2 and data exfiltration server; resolves to 158.255.2.60; HTTP POST request for /feed404/myfeeds.php
feed404.dnsquerys.com | Domain name | C2 and data exfiltration server; resolves to 158.255.2.60; HTTP POST request for /feed404/myfeeds.php
feeds.nsupdatedns.com | Domain name | C2 and data exfiltration server; resolves to 158.255.2.60; HTTP POST request for /feed404/myfeeds.php
feeds404.dnsmicrosf.com | Domain name | C2 and data exfiltration server; resolves to 158.255.2.60; HTTP POST request for /feed404/myfeeds.php
404.mysyncdns.com | Domain name | C2 and data exfiltration server; resolved to 146.0.79.146 on October 21, 2013 and to 118.67.250.91 on October 22, 2013; HTTP POST request for /feed404/feed.php
404.dnsmicrosf.com | Domain name | C2 and data exfiltration server; HTTP POST request for /feed404/feed.php
feed.queryzdnsz.org | Domain name | C2 and data exfiltration server; resolved to 118.67.250.91; HTTP POST request for /feedswebz/feed/mysfeedys.php; HTTP GET request for /feedswebz/html/ServerBWS.exe
r.gigaionjumbie.biz | Domain name | C2 and data exfiltration server; resolved to 5.199.171.131, 5.199.171.132, and 5.199.171.133 in May 2013; HTTP POST request for /images/gx.php
x.dailyradio.su | Domain name | C2 and data exfiltration server; resolved to 5.199.171.131, 5.199.171.132, and 5.199.171.133 in May 2013; HTTP POST request for /images/gx.php
customers.invoice-appmy.org | Domain name | Hosts download of malicious RTF document; resolves to 118.67.250.91; HTTP GET requests for /IaPk7PC5bZ/PYTWNBZBEF.php and /IaPk7PC5bZ/customer.php
customer.invoice-appmy.com | Domain name | Hosts download of malicious RTF document; resolves to 118.67.250.91; HTTP GET requests for /IaPk7PC5bZ/PYTWNBZBEF.php and /IaPk7PC5bZ/customer.php
customer.appmys-ups.org | Domain name | Hosts download of malicious RTF document; resolves to 118.67.250.91; HTTP GET requests for /B4VByTbwk4/PYTWNBZBEF.php and /B4VByTbwk4/customer.php
customer.appmys-ups.com | Domain name | Hosts download of malicious RTF document; resolves to 118.67.250.91; HTTP GET requests for /B4VByTbwk4/PYTWNBZBEF.php and /B4VByTbwk4/customer.php
static.invoice-appmy.com | Domain name | Hosts download of malicious RTF document; resolves to 118.67.250.91; HTTP GET requests for /Om7T4PaFJ9/PYTWNBZBEF.php and /Om7T4PaFJ9/customer.php
luxlibertins.com | Domain name | Hosts download of malicious RTF document; resolves to 213.186.33.87; HTTP GET request for /statement.doc
158.255.2.60 | IP address | C2 and data exfiltration server; ASN: AS49335 Navitel Rusconnect Ltd; ISP: Mir Telematiki Ltd; Country: Russian Federation
146.0.79.146 | IP address | C2 and data exfiltration server; ASN: AS57043 HOSTKEY-AS HOSTKEY B.V.; Country: Netherlands
118.67.250.91 | IP address | C2 and data exfiltration server; ASN: AS17447 NET4-IN Net4India Ltd; Country: India
5.199.171.131 | IP address | C2 and data exfiltration server; ASN: AS16125 UAB Duomenu Centras; Country: Cyprus / Lithuania
5.199.171.132 | IP address | C2 and data exfiltration server; ASN: AS16125 UAB Duomenu Centras; Country: Cyprus / Lithuania
5.199.171.133 | IP address | C2 and data exfiltration server; ASN: AS16125 UAB Duomenu Centras; Country: Cyprus / Lithuania
ad0ef249b1524f4293e6c76a9d2ac10d | MD5 hash | Malicious document containing exploit for CVE-2012-0158
e335af83d768498505957df217a1c46c1a0ee6cbdf884d7a11166831dbd5e825 | SHA256 hash | Malicious document containing exploit for CVE-2012-0158
7500198c94051785a68addc5f264a10f | MD5 hash | Malicious document containing exploit for CVE-2012-0158
71e8c525d8399c2285dc2c06b09a6779078c782f52682000c2633f4ffc6773fa | SHA256 hash | Malicious document containing exploit for CVE-2012-0158
ae83982f1ac50b4b08d7e509bc9cfc45 | MD5 hash | Malicious document containing exploit for CVE-2012-0158
072b71c0ec67ff541b1fda21c4df5cc74ea3ef322546916214860529a9a2254a | SHA256 hash | Malicious document containing exploit for CVE-2012-0158
8244c515873ecc466ebf3be970477c04 | MD5 hash | Malicious document containing exploit for CVE-2012-0158
53c45ce4b80ade517afc6b2969d054063893418dab41f5832df3a41b625f1e64 | SHA256 hash | Malicious document containing exploit for CVE-2012-0158
625eb0ba883eece4edb7b09602d7da78 | MD5 hash | Malicious document containing exploit for CVE-2012-0158
7ae68e2ea93115a786e902ab98f104e22ef38d9f9136d6155e45653bd1ed4e6b | SHA256 hash | Malicious document containing exploit for CVE-2012-0158
a0b05cf03031edcdd4e4dd1e8f786255 | MD5 hash | Malicious document containing exploit for CVE-2012-0158
2c06345b8ad01ea872cee37c71deab1aada22836e9f2788919480264ef9dc218 | SHA256 hash | Malicious document containing exploit for CVE-2012-0158
b20d0254faedc6608d640290aeb20b4a | MD5 hash | Malicious document containing exploit for CVE-2012-0158
6c654921074a82ff6f4a6309b5dfa94587efcb81cd3d8559eac3488102f51d0a | SHA256 hash | Malicious document containing exploit for CVE-2012-0158
153a5282bcee2b9a3d0a13da13b79718 | MD5 hash | Malicious document containing exploit for CVE-2012-0158
5538bf5442e76ff47f2713f0d82064083262193c5cde660dbcbce7e873dd8532 | SHA256 hash | Malicious document containing exploit for CVE-2012-0158
7c2fd4abfe8640f8db0d18dbecaf8bb4 | MD5 hash | Malicious document containing exploit for CVE-2012-0158
ccf7fed174dc9864c810d1c53b1ba7dfedede41cc9fd2ec82d85ec865ca67db8 | SHA256 hash | Malicious document containing exploit for CVE-2012-0158
62e25cc76291a3f348324172ff306ba0 | MD5 hash | Malicious binary (Liftoh downloader)
83f4b9560085c1f8eee3c43235c74c9152289ffe8cae141f80f1fba9e26d8281 | SHA256 hash | Malicious binary (Liftoh downloader)
a4746ecbb7dc5a9856a15ba80cc2cc3d | MD5 hash | Malicious binary (Liftoh downloader)
8a4a8ffad419e2a39a20b2c491f59d54b9ba014dcf7671552bd34fec90649300 | SHA256 hash | Malicious binary (Liftoh downloader)
d8362a96f0f2920a82d8f41ec342a679 | MD5 hash | Malicious binary (Liftoh downloader)
43bdb0fa301d758c0b72b69258fc09a1d9cec57c6dcd032bea915705de0e13d3 | SHA256 hash | Malicious binary (Liftoh downloader)
61b384950ca6586b35898b2223d36f37 | MD5 hash | Malicious binary (Bitcoin miner (BitWall), secondary payload)
dfbd4ce72503b9558a4ba872c0d5d6ffa62727f5d774284c17b8a15c8f5e807c | SHA256 hash | Malicious binary (Bitcoin miner (BitWall), secondary payload)
18a429ffa3441df8edb200f92806f720 | MD5 hash | Malicious binary (Phopifas worm (Dorkbot, Skypii), secondary payload)
d4ca04308caf0e2496b008376d3b124e73a463ed27e4defe0d5c46664b08c79a | SHA256 hash | Malicious binary (Phopifas worm (Dorkbot, Skypii), secondary payload)
e2ee9453132f90c2e9b8a0bccb2f605d | MD5 hash | Malicious binary (Zeus/Zbot variant, secondary payload)
b4e57e2ac90a7758c09f0a975f3382673ddcdcec1b39e68eef8dac17158c0136 | SHA256 hash | Malicious binary (Zeus/Zbot variant, secondary payload)
f6b201fb248a0fcd31b0488449776a9f | MD5 hash | Malicious binary (Zeus/Zbot variant, secondary payload)
aae885295762461c4aabe1fc826b0dcc93762b9c96ef4c93122751c321261028 | SHA256 hash | Malicious binary (Zeus/Zbot variant, secondary payload)
e5e1ee559dcad00b6f3da78c68249120 | MD5 hash | Malicious binary (Zeus/Zbot variant, secondary payload)
889589844d0f6a79dfff7de99e165d7ba796b26c9fd4c8e059db36d509d6b549 | SHA256 hash | Malicious binary (Zeus/Zbot variant, secondary payload)
015e60d0ddff09d7df66d926d3793cc8 | MD5 hash | Malicious self-extracting RAR archive executable
2695e33e671c4eee1e55ad534d9b33445a56b8ffeff50b7c63fa12f266de1088 | SHA256 hash | Malicious self-extracting RAR archive executable
718532b47f2ae3006df2268ba3d1f5b9 | MD5 hash | Malicious self-extracting RAR archive executable
e65e8ba751fa23414c045bad5333af3f7cfe453599bea7cdd15403c36a132fd6 | SHA256 hash | Malicious self-extracting RAR archive executable
invoiceBQW8OYJDDGXIPN8H63.doc | Filename | Malicious RTF file containing exploit
invoiceAAILWKQFKA3IMK6BGW.doc | Filename | Malicious RTF file containing exploit
invoiceU6GCMXGLL2O0N7QYDZ.doc | Filename | Malicious RTF file containing exploit
invoiceCM0V9ORWJF23KX8PAP.PDF.exe | Filename | Malicious self-extracting RAR archive executable
fotos_facebook-20052013-png.exe | Filename | Malicious binary
adcbfbcebcfsacfsfdsf.exe | Filename | Malicious binary
afdaafdebcfsacfsfdsf.exe | Filename | Malicious binary
cabcbfdbeffbfcsacfsfdsf.exe | Filename | Malicious binary
ccbaddaabdfsacfsfdsf.exe | Filename | Malicious binary
dbcdfbfbbebsacfsfdsf.exe | Filename | Malicious binary
dfbbffbabeadfbsacfsfdsf.exe | Filename | Malicious binary
fbaaddacacsacfsfdsf.exe | Filename | Malicious binary
-1_cc_fabbc6a1-c573-4ea0-9ca1-50004b35a440sacfsfdsf | Mutex | Runtime mutex created by malware
-3__fabbc6a1-c573-4ea0-9ca1-50004b35a440sacfsfdsf | Mutex | Runtime mutex created by malware

              Table 2. Indicators related to Liftoh downloader spam campaign.
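Beyond exact-match blocking, the indicators in Table 2 share URL shapes: the check-in is always an HTTP POST to /feed404/myfeeds.php, /feed404/feed.php or /feedswebz/feed/mysfeedys.php, and the RTF staging sites serve the fixed filenames PYTWNBZBEF.php and customer.php under a ten-character directory that differs per domain. The following script, an added example and not CTU's iSensor countermeasures, matches constructed proxy log lines against both the listed hosts and those shapes, so that a newly registered C2 domain reusing the same server-side script still surfaces. The log line format is a simplified one assumed for the example.

```python
"""Match web-proxy log lines against the Table 2 indicators and the URL
shapes behind them (added example; the log lines are constructed)."""
import re
from urllib.parse import urlsplit

C2_DOMAINS = {"feed404.dnsquerys.org", "feed404.dnsquerys.com", "feeds.nsupdatedns.com",
              "feeds404.dnsmicrosf.com", "404.mysyncdns.com", "404.dnsmicrosf.com",
              "feed.queryzdnsz.org", "r.gigaionjumbie.biz", "x.dailyradio.su"}
STAGING_DOMAINS = {"customers.invoice-appmy.org", "customer.invoice-appmy.com",
                   "customer.appmys-ups.org", "customer.appmys-ups.com",
                   "static.invoice-appmy.com", "luxlibertins.com"}
C2_IPS = {"158.255.2.60", "146.0.79.146", "118.67.250.91",
          "5.199.171.131", "5.199.171.132", "5.199.171.133"}

# Host-independent URL shapes from Table 2: the C2 check-in scripts, and the
# staging paths with a fixed filename under a per-domain 10-character directory.
C2_POST_PATH = re.compile(r"^/(feed404/(myfeeds|feed)\.php|feedswebz/feed/mysfeedys\.php)$")
STAGING_GET_PATH = re.compile(
    r"^/[A-Za-z0-9]{10}/(PYTWNBZBEF|customer)\.php$|^/feedswebz/html/ServerBWS\.exe$")

# Assumed simplified log format: timestamp client method url status
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify_request(method, url):
    """Return the reasons a request matches the campaign (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in C2_DOMAINS or host in C2_IPS:
        reasons.append("known C2 host")
    if host in STAGING_DOMAINS:
        reasons.append("known RTF staging host")
    if method == "POST" and C2_POST_PATH.match(parts.path):
        reasons.append("Liftoh check-in URL pattern")
    if method == "GET" and STAGING_GET_PATH.match(parts.path):
        reasons.append("Liftoh payload/download URL pattern")
    return reasons


def scan_log(lines):
    """Return (client, url, reasons) for every line that matches at least one rule."""
    out = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        reasons = classify_request(m["method"], m["url"])
        if reasons:
            out.append((m["client"], m["url"], reasons))
    return out


# Constructed proxy log: the full chain from one client, a check-in to an
# unlisted domain that reuses the C2 path, and benign traffic.
SAMPLE_LOG = """\
2013-11-05T09:12:01Z 10.1.4.22 GET http://customer.appmys-ups.com/B4VByTbwk4/customer.php 200
2013-11-05T09:12:40Z 10.1.4.22 POST http://feed404.dnsquerys.org/feed404/myfeeds.php 200
2013-11-05T09:13:02Z 10.1.4.22 GET http://static.invoice-appmy.com/Om7T4PaFJ9/PYTWNBZBEF.php 200
2013-11-05T09:13:30Z 10.1.4.22 POST http://updates.example.net/feed404/feed.php 404
2013-11-05T09:14:00Z 10.1.4.23 GET http://www.example.com/index.html 200
""".splitlines()

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, "->", "; ".join(reasons))
```

A hit on the URL shape alone (the fourth constructed line) is weaker than a hit on a listed host and deserves a pivot on the destination before blocking; a hit on both is as close to certain as proxy data gets.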
