Massive malware spam campaign to corporate domains in Colombia

Published: 2015-05-01. Last Updated: 2015-05-01 18:46:28 UTC
by Manuel Humberto Santander Pelaez (Version: 1)

There was a massive malware spam campaign directed at corporate domains in Colombia. The following is the e-mail that was received:

ACH spam e-mail

Now this e-mail has two interesting aspects:

  • It tracks whether the user reads the message by loading an image from the Google Analytics collection API, invoking the following:
    img src=3Dhttp://www.google-analytics.com/c=
    ollect?v=3D1&tid=3DUA-62115737-1&cid=3Dxx@xx.com&t=3De=
    vent&ec=3Dxx@xx.com&ea=3Dopens&el=3Dxx@xx.com&cs=3Dnewsletter&cm=3Demail&cn=3D062413&cm1=3D1?/
    
  • It links to a Dropbox-hosted file, masked behind Google's URL redirection script:
    https://www.google.com/url?q=3Dhttps%3A%2F%=
    2Fwww.dropbox.com%2Fs%2Fvs5hho625v7ibw5%2FACH=5Ftransaction5721.doc%3Fdl%3D=
    1&sa=3DD&sntz=3D1&usg=3DAFQjCNFADf1fsGqdWqwSOnMC6XyLMHrL2w
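As an added example (not code from the diary), the following Python script decodes the quoted-printable body, flags the Google Analytics open-tracking beacon, and unwraps the Google redirector so the real Dropbox destination is visible; the sample body and the redirector table are constructed for this example from the two snippets above.

```python
import quopri
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample body (quoted-printable, as in the diary): the Google Analytics
# beacon and the redirect-wrapped Dropbox link are the two snippets quoted above.
SAMPLE_QP = (
    "<img src=3Dhttp://www.google-analytics.com/c=\n"
    "ollect?v=3D1&tid=3DUA-62115737-1&cid=3Dxx@xx.com&t=3De=\n"
    "vent&ec=3Dxx@xx.com&ea=3Dopens&el=3Dxx@xx.com&cs=3Dnewsletter&cm=3Demail&cn=3D062413&cm1=3D1>\n"
    "<a href=3Dhttps://www.google.com/url?q=3Dhttps%3A%2F%=\n"
    "2Fwww.dropbox.com%2Fs%2Fvs5hho625v7ibw5%2FACH=5Ftransaction5721.doc%3Fdl%3D=\n"
    "1&sa=3DD&sntz=3D1&usg=3DAFQjCNFADf1fsGqdWqwSOnMC6XyLMHrL2w>ACH transaction</a>\n"
)

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
# Open redirectors used in this campaign: (host, path) -> query parameter holding the real target.
REDIRECTORS = {("www.google.com", "/url"): "q"}


def is_tracking_beacon(url):
    """True for a Google Analytics Measurement Protocol hit (an e-mail open tracker)."""
    p = urlparse(url)
    return (p.netloc.lower() == "www.google-analytics.com" and p.path == "/collect"
            and "tid" in parse_qs(p.query))


def unwrap_redirect(url):
    """Return the target hidden behind a known redirector, or the URL itself."""
    p = urlparse(url)
    param = REDIRECTORS.get((p.netloc.lower(), p.path))
    target = parse_qs(p.query).get(param) if param else None
    return target[0] if target else url  # parse_qs already %-decodes the target


def analyse(qp_body):
    """Decode a quoted-printable body and classify every URL in it.

    Returns (kind, url_as_written, detail) tuples: kind is 'beacon' (detail = tracking
    ids), 'redirect' (detail = unwrapped destination) or 'link' (detail = the url)."""
    body = quopri.decodestring(qp_body.encode()).decode("utf-8", "replace")
    findings = []
    for url in URL_RE.findall(body):
        if is_tracking_beacon(url):
            q = parse_qs(urlparse(url).query)
            findings.append(("beacon", url, {k: q[k][0] for k in ("tid", "cid", "ea") if k in q}))
        else:
            final = unwrap_redirect(url)
            findings.append(("redirect" if final != url else "link", url, final))
    return findings
```

Running `analyse(SAMPLE_QP)` reports the beacon with its property id and the recipient-specific `cid`, followed by the Dropbox `.doc` URL that the google.com link actually resolves to.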

When opened, the document runs an embedded Visual Basic script that downloads a known password-stealing trojan targeting Colombian banks.

The sending domain uses a private registration service, which hides the identity of the registrant:

frterminales private registration

Be careful when opening unknown e-mails. You could be leaking information and compromising your computer, even when you see a Google domain in the URLs.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org


Comments

Whois History from Domain Tools reveals the registrant:

Registrant Name: Jonathan Moctezuma Olvera
Registrant Organization: X-Solutions
Registrant Street: Real de los Encinos23A real de atizapan
Registrant Street: Atizapan de Zaragoza
Registrant City: Estado de Mexico
Registrant State/Province: Mexico
Registrant Postal Code: 52945
Registrant Country: Mexico
Registrant Phone: +420.25179
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: jmoctezuma@xsolutions.com.mx

Manuel,

Is there a way to open these emails while avoiding the tracking from triggering?

[quote]Be careful when opening unknown e-mails. You could be leaking information and compromising your computer, even when you see google domain in the URLs.[/quote]

Excellent advice and will add another layer. Numerous families I know have been hit when clicking on Google Images by their kids doing school work. Though I have reported at least 25, I can only say Google is fast becoming quicksand at all levels. Another way I try to cut down is plug-ins to block GA and other beacons. Yes, it is a bit more work, however once compromised you wish you would have taken that extra time.

Nothing is foolproof, just add a heavy cup of common sense. Compute safe all.

Thunderbird under Linux will not open graphic files unless you tell it to. It will also allow you to preview the raw text of the email, including full headers. It will not send acknowledgement unless you tell it to. There are other mail clients that have similar features, but I am most familiar with Thunderbird.

Aren't you lucky. :-) We've been getting these for about a month. The most recent versions contain a URL that's a google search link for a dropbox link which is hosting the actual malware...

I've been searching our mail logs for subjects that contain " ACH " and the words cancelled, aborted, denied, rejected. That finds most of them although there are a few other permutations too.

Warning: shameless plug follows: These were reported to me by a user before any automated tools began detecting/reporting/blocking these. We recently started using phishme.com to help educate the userbase and get them reporting phish more often than falling for them. We still have some users who fall for every phish they see, but now I'm getting earlier reports of phish, which means I can sometimes do a little malware/phish analysis and proactively block the phish and/or block URLs/hostnames before every user sees the phish and clicks on a link or opens an infected office or pdf file or runs the attached .exe/.scr/.com file, etc.
