Overview
Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers analyzed an ongoing spam campaign that uses the "UPS delivery notification tracking number" lure to infect unsuspecting users. While UPS-related spam emails are common, this particular campaign has been observed since October 2013 and uses exploit-laden documents to deliver its payload. The initial delivered payload is the Liftoh downloader trojan, which in turn downloads additional malware as a secondary payload onto the victim's system.
Analysis
Figure 1 shows the spam email containing a link to a malicious "Rich Text Format" (RTF) file. The malicious RTF is attached to the email, disguised as a .doc file.
Figure 1. Spam email containing link and attachments for malicious RTF file. (Source: Dell SecureWorks)
Figure 2 shows an example header from the spam email with spoofed sender information.
Figure 2. Email header with spoofed sender information. (Source: Dell SecureWorks)
The spoofed sender is <auto-notify @ ups . com> or <auto @ ups . com>, but the headers reveal some of the actual sending hosts (see Table 1). Some of the hosts listed in Table 1 may have appeared in DNS blocklists such as Spamhaus DBL, PSBL, SURBL, and SORBS, and some hosts are offline as of this publication. These hosts might have been compromised and used as SMTP relays, or could be part of a "use-and-throw" attacker-owned spam infrastructure.
Domain name | IP address | ASN | ISP | Location |
mail . enviosuperfast . info | 184.82.214.54 | AS21788 | Network Operations Center | Scranton, Pennsylvania, United States |
mail1 . sinalturbo . com . br | 189.85.19.140 | AS11835 | Ipe Informatica Ltda | Matinhos, Parana, Brazil |
mail1 . ideasinnovation . info | 46.165.219.112 | AS16265 | LeaseWeb B.V. | Germany |
mail1 . studioinfinity . info | 46.165.219.89 | AS16265 | LeaseWeb B.V. | Germany |
mail1 . infosoftwebmarketing . net | 177.10.190.154 | AS52929 | Elias Peixoto Nacle Estefan - ALBERGUE IDC | Brazil |
mail2 . infosoftwebmarketing . net | 177.10.190.155 | AS52929 | Elias Peixoto Nacle Estefan - ALBERGUE IDC | Brazil |
mail2 . topbrasil100 . net | 177.10.190.3 | AS52929 | Elias Peixoto Nacle Estefan - ALBERGUE IDC | Brazil |
mail1 . sarl-bjt . fr | 88.173.220.169 | AS12322 | Free SAS | Paris, Ile-de-France, France |
dns . sarl-bjt . fr | 78.229.183.241 | AS12322 | Free SAS | Paris, Ile-de-France, France |
mail . planete . sn | 188.165.255.149 | AS16276 | OVH Systems | France |
mail . alphamix . info | 177.137.18.72 | AS28271 | DataCorpore Servi | Brazil |
t5 . com . br | 201.33.22.202 | AS28271 | DataCorpore Servi | Brazil |
sender . siscontroller360 . net . br | 192.241.183.204 | AS62567 | Digital Ocean, Inc. | New York, New York, United States |
mail11 . superlojas . biz | 192.157.233.99 | AS18978 | Enzu Inc | Henderson, Nevada, United States |
ip1 . www . 653 . webpainel . org | 198.24.186.122 | AS19437 | Secured Servers LLC | Tempe, Arizona, United States |
(none) | 192.123.32.83 | Unknown | Kraft Foods Group | Winnetka, Illinois, United States |
Table 1. Senders of spam email.
CTU researchers observed the following domains in spam recipient email addresses:
- gicom . nl
- mvdloo . nl
- cneweb . de
- yahoo . fr
- helimail . de
- online . fr
- tq3 . co. uk
- excel . co. jp
- smegroup . co . uk
- fujielectric . co . jp
- st-pauls . hereford . sch . uk
The RTF file contains exploits for patched vulnerabilities CVE-2012-0158 (MSCOMCTL.OCX RCE vulnerability) and CVE-2010-3333 (RTF stack buffer overflow vulnerability). Opening the RTF file drops and launches an empty document file in the user's %TEMP% folder with filename "cv.doc". Successful execution of the exploit code drops the Liftoh downloader malware onto the victim's system. This malware was observed spreading via Skype and other instant messenger applications in May 2013. Liftoh also downloaded the Phopifas worm as a secondary payload.
Liftoh is initially dropped into and executed from the user's %TEMP% folder with filenames such as "CD.tmp" or "Winword.exe". The legitimate "Winword.exe" file belongs to the Microsoft Office Word application and resides in the Program Files directory. The malware then copies itself to the %CommonAppData% and %AppData% folders with a random filename such as "afdaafdebcfsacfsfdsf.exe".
The path name and file location are determined by the following environment variables:
- %Temp% refers to the user's Temp folder and by default is "C:\Documents and Settings\<Current User>\Local Settings\Temp" for Windows 2000/XP and "C:\Users\<Current User>\AppData\Local\Temp" for Windows Vista, Windows 7, and Windows 8.
- %CommonAppData% refers to the Application Data folder for the All Users Profile. By default, the location of this folder is "C:\Documents and Settings\All Users\Application Data" for Windows 2000/XP and "C:\ProgramData\" for Windows Vista, Windows 7, and Windows 8.
- %AppData% refers to the current user's Application Data folder. By default, the location of this folder is "C:\Documents and Settings\<Current User>\Application Data" for Windows 2000/XP and "C:\Users\<Current User>\AppData\Roaming" for Windows Vista, Windows 7, and Windows 8.
Liftoh injects malicious code into a legitimate system process such as "explorer.exe" and then adds its path to the system's Run registry key to maintain persistence. The Run registry key is HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
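As an added example (not part of the Dell SecureWorks report), the following Python triages HKCU Run values against the persistence behaviour described above: an image path under %TEMP%, %CommonAppData% or %AppData% (the Vista/7/8 defaults listed above), the "[a-f]+sacfsfdsf.exe" naming seen in Table 2, or a Winword.exe outside Program Files. The user name, Run values and paths are constructed sample data.

```python
# Added example: triage HKCU Run values for the Liftoh persistence pattern described above.
import ntpath
import re

# Observed drop names (Table 2): letters a-f followed by the fixed suffix "sacfsfdsf.exe".
# The suffix is the stable part; the prefix varies from sample to sample.
LIFTOH_NAME_RE = re.compile(r"^[a-f]+sacfsfdsf\.exe$", re.IGNORECASE)


def drop_dirs(user):
    """Default Liftoh drop folders for a Windows Vista/7/8 profile (paths from the article)."""
    return {"%TEMP%": ntpath.join(r"c:\users", user, r"appdata\local\temp"),
            "%CommonAppData%": r"c:\programdata",
            "%AppData%": ntpath.join(r"c:\users", user, r"appdata\roaming")}


def image_path(command):
    """Extract the executable path from a Run-value command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]  # bare paths containing spaces are not handled here


def assess_path(path, user):
    """Return the reasons a path looks like Liftoh; an empty list means nothing matched."""
    low = path.lower()
    name = ntpath.basename(low)
    reasons = []
    for var, folder in drop_dirs(user).items():
        if low.startswith(folder + "\\"):
            reasons.append(f"executes from {var}")
            break
    if LIFTOH_NAME_RE.match(name):
        reasons.append("filename matches Liftoh pattern [a-f]+sacfsfdsf.exe")
    if name == "winword.exe" and "\\program files" not in low:
        reasons.append("winword.exe outside Program Files")
    return reasons


def triage_run_values(run_values, user):
    """Map each Run value name to its findings; clean values are left out."""
    report = {}
    for value_name, command in run_values.items():
        reasons = assess_path(image_path(command), user)
        if reasons:
            report[value_name] = reasons
    return report


# Constructed sample (not from a real host): one benign value, two matching the article.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "afdaafdebcfsacfsfdsf": r"C:\Users\alice\AppData\Roaming\afdaafdebcfsacfsfdsf.exe",
    "Winword": r"C:\Users\alice\AppData\Local\Temp\Winword.exe",
}

if __name__ == "__main__":
    for value, reasons in triage_run_values(SAMPLE_RUN_VALUES, "alice").items():
        print(value, "->", "; ".join(reasons))
```

On a live host, feed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` into `triage_run_values`; the same `assess_path` check applies to a directory listing of the three drop folders.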
The Liftoh downloader initially sends information about the infected system, including the GUID, to its command and control (C2) server. The communication is encrypted with the C2 hostname, in a process similar to that used by the Shylock trojan. The C2 server uses the infected system's GUID to encrypt commands and malware payloads.
Figure 3 shows the initial network communication (HTTP POST request) observed from a system infected by the most recent variant of the Liftoh downloader as of this publication. The text highlighted in purple is the POST request, and the text highlighted in red is the host or C2 domain.
Figure 3. Initial network activity associated with the most recent variant of Liftoh downloader. (Source: Dell SecureWorks)
Figure 4 shows the initial network communication (HTTP POST request) observed from a system infected by a previous variant of the Liftoh downloader, seen in May 2013. The text highlighted in purple is the POST request, and the text highlighted in red is the host or C2 domain.
Figure 4. Initial network activity associated with a previous variant of Liftoh downloader. (Source: Dell SecureWorks)
Liftoh downloads and executes additional malware from hard-coded URLs. CTU researchers have observed Liftoh downloading a Bitcoin miner and a variant of Zeus/Zbot (version 2.1.1.2). In the past, the Phopifas worm was downloaded as a secondary payload from the Hotfile file-sharing website. Figure 5 shows a sample of network activity (HTTP GET request) from a previous variant of the Liftoh downloader retrieving the secondary payload. The text highlighted in purple shows the GET request, and the text highlighted in red shows the host or C2 domain.
Figure 5. Secondary payload (Phopifas worm) download network activity. (Source: Dell SecureWorks)
Figure 6 shows where the threat actor embedded distinguishing strings within the data section of one of the malware's binary payloads (MD5: e2ee9453132f90c2e9b8a0bccb2f605d).
Figure 6. Additional strings embedded by the threat actor within the data section of the malware's binary payload. (Source: Dell SecureWorks)
Telemetry
Telemetry from Dell SecureWorks event monitoring shows organizations in the following market verticals have been affected by Liftoh:
- Banking
- Manufacturing
- Healthcare
- Legal
- Credit unions
- Retail
- Technology providers
Figure 7 shows a timeline of the Liftoh downloader activity based on Dell SecureWorks telemetry. The majority of events were for the most recent variant of the Liftoh downloader beginning in November 2013.
Figure 7. Timeline of activity associated with Dell SecureWorks iSensor countermeasures for the Liftoh downloader between October 22 and November 8, 2013. (Source: Dell SecureWorks)
Conclusion
The threat actors appear to deliver the Liftoh downloader through different mechanisms. In May 2013, they spammed links to Skype users and to users of other instant messenger applications. In October 2013, a spam email campaign used exploit-laden RTF documents. The threat actors will very likely switch to other delivery mechanisms in the future that use social engineering techniques to maximize infection yields, and they may leverage the Liftoh downloader to deliver a variety of other malware as secondary payloads.
Dell SecureWorks recommends that organizations protect themselves against malicious campaigns by deploying a defense-in-depth strategy that includes the following components:
- Ensure that your Microsoft Office applications are current and up to date with security updates.
- Ensure that your browser application software is up to date with all available security updates to prevent exploitation of known browser vulnerabilities that deliver "drive-by" downloads.
- Ensure that your version of the Windows operating system has all available security updates.
- Schedule and maintain routine patching cycles, especially on servers that host public services and are accessible through the firewall, such as HTTP, FTP, email, and DNS services.
- Leverage features in Microsoft Office applications to improve overall security, such as disabling ActiveX, disabling macros, and blocking external content.
- Install and tune spam filters on your email server to block suspicious and malicious email content. For example, flag or block email containing file attachments that are commonly used to spread threats, such as .exe, .pif, .scr, .vbs, .hlp, and .bat files. Deploy advanced malware protection devices inline with incoming email streams containing malicious file attachments as well as subsequent file downloads.
- Ensure that appropriate policies are in place to restrict programs and users of a computer to only use the lowest level of privileges necessary to complete a task. Users should not operate with Administrative privileges.
- Disable AutoPlay on network and removable drives to prevent the automatic launching of executable files.
- Apply post-infection controls such as firewall policies, web proxies, file downloads over HTTPS, and associated log monitoring to identify anomalies. If an infection is detected, immediately isolate compromised computers to prevent threats from spreading. If needed, perform a forensic analysis on the infected system to identify the attack vector and identify potential data exfiltration. CTU researchers highly recommend restoring infected systems to a clean state using trusted media.
- Train users not to click links or open attachments in unexpected emails. Also, train users not to execute software that has been downloaded from the Internet until it has been scanned for malware with an antivirus application.
Threat indicators
The threat indicators in Table 2 can be used to detect activity related to this campaign. The domains and IP addresses listed in the indicators table may contain malicious content, so consider the risks before opening them in a browser.
Indicator | Type | Context |
feed404.dnsquerys.org | Domain name | C2 and data exfiltration server; resolves to 158.255.2.60; HTTP POST request for /feed404/myfeeds.php |
feed404.dnsquerys.com | Domain name | C2 and data exfiltration server; resolves to 158.255.2.60; HTTP POST request for /feed404/myfeeds.php |
feeds.nsupdatedns.com | Domain name | C2 and data exfiltration server; resolves to 158.255.2.60; HTTP POST request for /feed404/myfeeds.php |
feeds404.dnsmicrosf.com | Domain name | C2 and data exfiltration server; resolves to 158.255.2.60; HTTP POST request for /feed404/myfeeds.php |
404.mysyncdns.com | Domain name | C2 and data exfiltration server; resolved to 146.0.79.146 on October 21, 2013; resolved to 118.67.250.91 on October 22, 2013; HTTP POST request for /feed404/feed.php |
404.dnsmicrosf.com | Domain name | C2 and data exfiltration server; HTTP POST request for /feed404/feed.php |
feed.queryzdnsz.org | Domain name | C2 and data exfiltration server; resolved to 118.67.250.91; HTTP POST request for /feedswebz/feed/mysfeedys.php; HTTP GET request for /feedswebz/html/ServerBWS.exe |
r.gigaionjumbie.biz | Domain name | C2 and data exfiltration server; resolved to 5.199.171.131, 5.199.171.132, and 5.199.171.133 in May 2013; HTTP POST request for /images/gx.php |
x.dailyradio.su | Domain name | C2 and data exfiltration server; resolved to 5.199.171.131, 5.199.171.132, and 5.199.171.133 in May 2013; HTTP POST request for /images/gx.php |
customers.invoice-appmy.org | Domain name | Hosts download for malicious RTF document; resolves to 118.67.250.91; HTTP GET request for /IaPk7PC5bZ/PYTWNBZBEF.php; HTTP GET request for /IaPk7PC5bZ/customer.php |
customer.invoice-appmy.com | Domain name | Hosts download for malicious RTF document; resolves to 118.67.250.91; HTTP GET request for /IaPk7PC5bZ/PYTWNBZBEF.php; HTTP GET request for /IaPk7PC5bZ/customer.php |
customer.appmys-ups.org | Domain name | Hosts download for malicious RTF document; resolves to 118.67.250.91; HTTP GET request for /B4VByTbwk4/PYTWNBZBEF.php; HTTP GET request for /B4VByTbwk4/customer.php |
customer.appmys-ups.com | Domain name | Hosts download for malicious RTF document; resolves to 118.67.250.91; HTTP GET request for /B4VByTbwk4/PYTWNBZBEF.php; HTTP GET request for /B4VByTbwk4/customer.php |
static.invoice-appmy.com | Domain name | Hosts download for malicious RTF document; resolves to 118.67.250.91; HTTP GET request for /Om7T4PaFJ9/PYTWNBZBEF.php; HTTP GET request for /Om7T4PaFJ9/customer.php |
luxlibertins.com | Domain name | Hosts download of malicious RTF document; resolves to 213.186.33.87; HTTP GET request for /statement.doc |
158.255.2.60 | IP address | Associated IP address of C2 and data exfiltration server; ASN: AS49335 Navitel Rusconnect Ltd; ISP: Mir Telematiki Ltd; Country: Russian Federation |
146.0.79.146 | IP address | Associated IP address of C2 and data exfiltration server; ASN: 57043, HOSTKEY-AS HOSTKEY B.V.; Country: Netherlands |
118.67.250.91 | IP address | Associated IP address of C2 and data exfiltration server; ASN: AS17447, NET4-IN Net4India Ltd; Country: India |
5.199.171.131 | IP address | Associated IP address of C2 and data exfiltration server; ASN: AS16125, UAB Duomenu Centras; Country: Cyprus / Lithuania |
5.199.171.132 | IP address | Associated IP address of C2 and data exfiltration server; ASN: AS16125, UAB Duomenu Centras; Country: Cyprus / Lithuania |
5.199.171.133 | IP address | Associated IP address of C2 and data exfiltration server; ASN: AS16125, UAB Duomenu Centras; Country: Cyprus / Lithuania |
ad0ef249b1524f4293e6c76a9d2ac10d | MD5 hash | Malicious document containing exploit for CVE-2012-0158 |
e335af83d768498505957df217a1c46c1a0ee6cbdf884d7a11166831dbd5e825 | SHA256 hash | Malicious document containing exploit for CVE-2012-0158 |
7500198c94051785a68addc5f264a10f | MD5 hash | Malicious document containing exploit for CVE-2012-0158 |
71e8c525d8399c2285dc2c06b09a6779078c782f52682000c2633f4ffc6773fa | SHA256 hash | Malicious document containing exploit for CVE-2012-0158 |
ae83982f1ac50b4b08d7e509bc9cfc45 | MD5 hash | Malicious document containing exploit for CVE-2012-0158 |
072b71c0ec67ff541b1fda21c4df5cc74ea3ef322546916214860529a9a2254a | SHA256 hash | Malicious document containing exploit for CVE-2012-0158 |
8244c515873ecc466ebf3be970477c04 | MD5 hash | Malicious document containing exploit for CVE-2012-0158 |
53c45ce4b80ade517afc6b2969d054063893418dab41f5832df3a41b625f1e64 | SHA256 hash | Malicious document containing exploit for CVE-2012-0158 |
625eb0ba883eece4edb7b09602d7da78 | MD5 hash | Malicious document containing exploit for CVE-2012-0158 |
7ae68e2ea93115a786e902ab98f104e22ef38d9f9136d6155e45653bd1ed4e6b | SHA256 hash | Malicious document containing exploit for CVE-2012-0158 |
a0b05cf03031edcdd4e4dd1e8f786255 | MD5 hash | Malicious document containing exploit for CVE-2012-0158 |
2c06345b8ad01ea872cee37c71deab1aada22836e9f2788919480264ef9dc218 | SHA256 hash | Malicious document containing exploit for CVE-2012-0158 |
b20d0254faedc6608d640290aeb20b4a | MD5 hash | Malicious document containing exploit for CVE-2012-0158 |
6c654921074a82ff6f4a6309b5dfa94587efcb81cd3d8559eac3488102f51d0a | SHA256 hash | Malicious document containing exploit for CVE-2012-0158 |
153a5282bcee2b9a3d0a13da13b79718 | MD5 hash | Malicious document containing exploit for CVE-2012-0158 |
5538bf5442e76ff47f2713f0d82064083262193c5cde660dbcbce7e873dd8532 | SHA256 hash | Malicious document containing exploit for CVE-2012-0158 |
7c2fd4abfe8640f8db0d18dbecaf8bb4 | MD5 hash | Malicious document containing exploit for CVE-2012-0158 |
ccf7fed174dc9864c810d1c53b1ba7dfedede41cc9fd2ec82d85ec865ca67db8 | SHA256 hash | Malicious document containing exploit for CVE-2012-0158 |
62e25cc76291a3f348324172ff306ba0 | MD5 hash | Malicious binary (Liftoh downloader) |
83f4b9560085c1f8eee3c43235c74c9152289ffe8cae141f80f1fba9e26d8281 | SHA256 hash | Malicious binary (Liftoh downloader) |
a4746ecbb7dc5a9856a15ba80cc2cc3d | MD5 hash | Malicious binary (Liftoh downloader) |
8a4a8ffad419e2a39a20b2c491f59d54b9ba014dcf7671552bd34fec90649300 | SHA256 hash | Malicious binary (Liftoh downloader) |
d8362a96f0f2920a82d8f41ec342a679 | MD5 hash | Malicious binary (Liftoh downloader) |
43bdb0fa301d758c0b72b69258fc09a1d9cec57c6dcd032bea915705de0e13d3 | SHA256 hash | Malicious binary (Liftoh downloader) |
61b384950ca6586b35898b2223d36f37 | MD5 hash | Malicious binary (Bitcoin miner (BitWall), secondary payload) |
dfbd4ce72503b9558a4ba872c0d5d6ffa62727f5d774284c17b8a15c8f5e807c | SHA256 hash | Malicious binary (Bitcoin miner (BitWall), secondary payload) |
18a429ffa3441df8edb200f92806f720 | MD5 hash | Malicious binary (Phopifas worm (Dorkbot, Skypii), secondary payload) |
d4ca04308caf0e2496b008376d3b124e73a463ed27e4defe0d5c46664b08c79a | SHA256 hash | Malicious binary (Phopifas worm (Dorkbot, Skypii), secondary payload) |
e2ee9453132f90c2e9b8a0bccb2f605d | MD5 hash | Malicious binary (Zeus/Zbot variant, secondary payload) |
b4e57e2ac90a7758c09f0a975f3382673ddcdcec1b39e68eef8dac17158c0136 | SHA256 hash | Malicious binary (Zeus/Zbot variant, secondary payload) |
f6b201fb248a0fcd31b0488449776a9f | MD5 hash | Malicious binary (Zeus/Zbot variant, secondary payload) |
aae885295762461c4aabe1fc826b0dcc93762b9c96ef4c93122751c321261028 | SHA256 hash | Malicious binary (Zeus/Zbot variant, secondary payload) |
e5e1ee559dcad00b6f3da78c68249120 | MD5 hash | Malicious binary (Zeus/Zbot variant, secondary payload) |
889589844d0f6a79dfff7de99e165d7ba796b26c9fd4c8e059db36d509d6b549 | SHA256 hash | Malicious binary (Zeus/Zbot variant, secondary payload) |
015e60d0ddff09d7df66d926d3793cc8 | MD5 hash | Malicious self-extracting RAR archive executable |
2695e33e671c4eee1e55ad534d9b33445a56b8ffeff50b7c63fa12f266de1088 | SHA256 hash | Malicious self-extracting RAR archive executable |
718532b47f2ae3006df2268ba3d1f5b9 | MD5 hash | Malicious self-extracting RAR archive executable |
e65e8ba751fa23414c045bad5333af3f7cfe453599bea7cdd15403c36a132fd6 | SHA256 hash | Malicious self-extracting RAR archive executable |
invoiceBQW8OYJDDGXIPN8H63.doc | Filename | Malicious RTF file containing exploit |
invoiceAAILWKQFKA3IMK6BGW.doc | Filename | Malicious RTF file containing exploit |
invoiceU6GCMXGLL2O0N7QYDZ.doc | Filename | Malicious RTF file containing exploit |
invoiceCM0V9ORWJF23KX8PAP.PDF.exe | Filename | Malicious self-extracting RAR archive executable |
fotos_facebook-20052013-png.exe | Filename | Malicious binary |
adcbfbcebcfsacfsfdsf.exe | Filename | Malicious binary |
afdaafdebcfsacfsfdsf.exe | Filename | Malicious binary |
cabcbfdbeffbfcsacfsfdsf.exe | Filename | Malicious binary |
ccbaddaabdfsacfsfdsf.exe | Filename | Malicious binary |
dbcdfbfbbebsacfsfdsf.exe | Filename | Malicious binary |
dfbbffbabeadfbsacfsfdsf.exe | Filename | Malicious binary |
fbaaddacacsacfsfdsf.exe | Filename | Malicious binary |
-1_cc_fabbc6a1-c573-4ea0-9ca1-50004b35a440sacfsfdsf | Mutex | Runtime mutex created by malware |
-3__fabbc6a1-c573-4ea0-9ca1-50004b35a440sacfsfdsf | Mutex | Runtime mutex created by malware |
Table 2. Indicators related to Liftoh downloader spam campaign.
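As an added example (not part of the Dell SecureWorks report), the following Python runs the network indicators from Table 2 and the C2 exchanges described with Figures 3 to 5 over proxy log lines. It matches on known domains and IP addresses first, then on the C2 URI paths alone, since the paths stayed constant while the host names rotated. The log layout and the log lines are constructed sample data, not real traffic.

```python
# Added example: match proxy log lines against the Liftoh network indicators from Table 2.
from urllib.parse import urlsplit

# Host names copied from Table 2: C2 servers and the hosts serving the RTF lure.
C2_DOMAINS = {"feed404.dnsquerys.org", "feed404.dnsquerys.com", "feeds.nsupdatedns.com",
              "feeds404.dnsmicrosf.com", "404.mysyncdns.com", "404.dnsmicrosf.com",
              "feed.queryzdnsz.org", "r.gigaionjumbie.biz", "x.dailyradio.su"}
LURE_DOMAINS = {"customers.invoice-appmy.org", "customer.invoice-appmy.com", "luxlibertins.com",
                "customer.appmys-ups.org", "customer.appmys-ups.com", "static.invoice-appmy.com"}
# IP addresses from Table 2 (213.186.33.87 is the luxlibertins.com resolution).
INDICATOR_IPS = {"158.255.2.60", "146.0.79.146", "118.67.250.91", "5.199.171.131",
                 "5.199.171.132", "5.199.171.133", "213.186.33.87"}
# URI paths reused across several C2 domains: the host names rotated, the paths did not,
# so a path hit on an unlisted host is still worth a medium-severity alert.
C2_PATHS = {("POST", "/feed404/myfeeds.php"), ("POST", "/feed404/feed.php"),
            ("POST", "/feedswebz/feed/mysfeedys.php"), ("GET", "/feedswebz/html/ServerBWS.exe"),
            ("POST", "/images/gx.php")}


def classify(method, url):
    """Return (severity, reason) for one request, or None when nothing matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in C2_DOMAINS:
        return ("high", f"known C2 domain {host}")
    if host in LURE_DOMAINS:
        return ("high", f"RTF lure download host {host}")
    if host in INDICATOR_IPS:
        return ("high", f"direct connection to indicator IP {host}")
    if (method.upper(), parts.path) in C2_PATHS:
        return ("medium", f"C2 URI path {parts.path} on unlisted host {host}")
    return None


def scan_log(lines):
    """Parse 'timestamp client method url status' lines; return the matching requests."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the scan
        ts, client, method, url = fields[:4]
        verdict = classify(method, url)
        if verdict:
            hits.append({"time": ts, "client": client, "url": url,
                         "severity": verdict[0], "reason": verdict[1]})
    return hits


# Constructed sample lines (not real traffic) in a simplified Squid-like layout.
SAMPLE_LOG = """\
1383600001 10.0.0.15 POST http://feed404.dnsquerys.org/feed404/myfeeds.php 200
1383600002 10.0.0.15 GET http://www.example.com/index.html 200
1383600003 10.0.0.22 POST http://newhost.example.net/feed404/feed.php 200
1383600004 10.0.0.31 GET http://luxlibertins.com/statement.doc 200
1383600005 10.0.0.31 POST http://158.255.2.60/feed404/myfeeds.php 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["severity"], hit["client"], hit["reason"])
```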