Gama-rue, Where Are You!

Published: 2011-12-01. Last Updated: 2011-12-01 15:02:26 UTC
by Russ McRee (Version: 1)
6 comment(s)

Here’s one that’s making the rounds over the last few days and showed up  in my SPAM folder with a helpful attachment. I'm one of those weird people who look to explore the depths of said SPAM folder to see what fun I might find therein.

As an example:
 
From: "United States Postal Service" <info@usps.com>
Subject: USPS Delivery Failure Notification
 
Hello!
Unfortunately we failed to deliver the postal package you have sent on the…blah, blah, blah.
 
Ruh-roh!
The attachment is USPS report.pdf.zip and once unpacked yields USPS report.pdf.exe (MD5: 1fd6c3470b81f278572a27a1bf34cdf2)
A hash search finds this sample already submitted to ThreatExpert and VirusTotal yielding results that refer to the Gamarue family (multiple variants).
Nothing groundbreaking, downright pedestrian even, but bear with me. References to Gamarue.B show up in query results as of late September 2011; you may have seen similar with regard to ACH or Federal Reserve SPAM.
Data from the Microsoft Malware Protection Center shows a steady level of activity for the family overall and indications of this sample as new variant in the last couple of days (per the hash).
This particular sample, as is consistent with other Gamarue samples, modifies HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run and injects itself into wuauclt.exe.
 
These little exercises are always an opportunity to run output though some of my favorite tools (unabashed tool geek).
I ran the PCAP acquired during runtime through NetworkMiner 1.2 which reassembled the following malware downloaded when it phoned home to 85.121.38.27 (htobertur.ru):
Trojan:Win32/FakeSysdef (MD5: 8ae00c31b5546ee5a1b107c997171bde)
Trojan.Win32.Scar.fevl (MD5: d476533ea0aacb8244dfe0f5e65862a9)
A quick review of the Romanian ASN (AS43215 Monyson Grup S.A.) for the above mentioned IP address shows a tendency towards association with the likes of Blackhole (as referred to in Pedro’s diary), fake AV, pharma SPAM, Zeus, SpyEye, and other instruments of ne'er do wells and malcontents. Zoinks!  
A quick Maltego run on Monyson Grup S.A. as a phrase entity proves this out.

As a friend commented with both humor and sincerity: stay out of that neighborhood.
"And they would have gotten away with it too, if it weren't for those meddling kids…"
 
Keywords:
6 comment(s)

Comments

Which SANS track covers using Maltego? It's been 5 years since I've even looked at the tool but it always seemed like an extremely powerful framework.
Jason, I know GCIH, GPEN, and GWAPT cover it to varying degrees. Not sure if its been added to GCFA...
our barracuda is full of this tat.
Received one yesterday that appears to be a variation, had DHL instead of USPS
Isn't a bit ironic that comment spam made it into an ISC Diary about spam?
it is. hard to keep up with it at times. Luckily, we don't get to much of it (one reason you need to log in to post) and that links are not clickable.

For others: The spam has now been deleted.

Diary Archives