Since early this morning (7th of June 2016, around 08:30 AM) the Fox-IT Security Operations Center started detecting a large amount of phishing e-mails containing a malicious Word document. This e-mail campaign appears to be targeting the Netherlands, using Dutch text in both the e-mail and Word document. The content of the e-mail:
Geachte Firstname Lastname, Role, Company
Wij schrijven u in verband met de factuur met nummer 014321463. De nota staat open sinds 9-jun-16. Het openstaande bedrag is 2,487.50 Euro. Vriendelijk verzoeken wij u het openstaande bedrag te betalen.
Betaling graag zo spoedig mogelijk.
Met vriendelijke groet,
A.E. De Kuiper, BEEREJAN HOLDING BV. Faisantenstraat 53 Hilversum 1211 PT Tel. +31180647000 Fax. +31294484970
The first name, last name, role and company name are all values that are taken from the LinkedIn page of the receiver of the phishing mail, giving the e-mail a very personalized look.
The subject of the e-mail contain the company name, with a semi-random invoice related subject. Some examples:
- Company : De nota is nog niet betaald
- Company – De nota is onbetaald gebleven
- Company – Uw laatste factuur wacht op betaling
At this point Fox-IT cannot directly link this phishing campaign to the recent LinkedIn database leak.
The e-mail contains a Word document with a Macro.
The name of the document is also based on personal information of the receiver:
- Company-Firstname-Lastname.doc
The content of the Word document appears to be scrambled, this is an attempt to trick the user into running the embedded Macro, in order to view the document.
The Macro retrieves a binary from the following (likely compromised) website:
- ledpronto.com/app/office.bin (sha256: c1e21a06a1fa1de2998392668b6910ca2be0d5d9ecc39bd3e3a2a3ae7623400d)
The Fox-IT InTELL team has identified the retrieved malware as the Zeus Panda banking malware. Zeus Panda, in this case, always connects to the following domain & IP using SSL:
- skorianial.com / 107.171.187.182
Zeus Panda is a type of banking malware based on Zeus source code, more information can be found here: https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market
The following SSL certificate is used by the Panda Zeus Command and Control server:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Certificate: | |
| Data: | |
| Version: 3 (0x2) | |
| Serial Number: | |
| b3:41:c8:fd:5c:fa:8f:a5 | |
| Signature Algorithm: sha1WithRSAEncryption | |
| Issuer: C=XX, ST=1, L=1, O=1, OU=1, CN=107.181.187.182/emailAddress=box@example.com | |
| Validity | |
| Not Before: Jun 4 10:15:01 2016 GMT | |
| Not After : Jun 4 10:15:01 2017 GMT | |
| Subject: C=XX, ST=1, L=1, O=1, OU=1, CN=107.181.187.182/emailAddress=box@example.com | |
| Subject Public Key Info: | |
| Public Key Algorithm: rsaEncryption | |
| Public-Key: (1024 bit) | |
| Modulus: | |
| 00:f8:01:58:6d:4e:c8:99:0f:28:f4:10:72:11:fd: | |
| 3c:63:6d:30:fe:5a:f3:91:ef:22:b3:22:dd:f7:c5: | |
| 88:c3:f8:90:fc:5c:cd:e3:86:5c:89:1a:6c:68:60: | |
| 0f:dd:e7:c0:20:01:f8:fb:21:a6:03:55:ce:59:f9: | |
| b8:57:cc:71:b0:56:58:27:8b:14:82:45:d2:ef:af: | |
| e3:79:d3:b3:36:68:ff:06:8c:e6:22:f3:67:1e:18: | |
| 40:10:d4:69:bf:a4:ce:d7:c9:8e:31:40:10:85:90: | |
| 08:b8:66:cf:45:0f:55:31:57:98:c1:8c:09:f0:c0: | |
| 7a:3e:5e:ca:0f:a5:63:28:e7 | |
| Exponent: 65537 (0x10001) | |
| X509v3 extensions: | |
| X509v3 Subject Key Identifier: | |
| 31:C6:EA:3E:1F:31:0A:6B:8F:EE:41:65:E7:13:7C:2B:4F:1B:28:A1 | |
| X509v3 Authority Key Identifier: | |
| keyid:31:C6:EA:3E:1F:31:0A:6B:8F:EE:41:65:E7:13:7C:2B:4F:1B:28:A1 | |
| X509v3 Basic Constraints: | |
| CA:TRUE | |
| Signature Algorithm: sha1WithRSAEncryption | |
| 5e:e6:4c:c2:58:14:26:f3:b2:b8:a4:09:3a:6f:93:84:c2:e6: | |
| 5d:e1:35:5f:7a:97:27:dd:0c:fe:a8:7e:4a:e4:cc:08:e7:d6: | |
| af:06:89:a3:5e:59:87:58:dd:ae:b1:1e:8a:62:ad:32:db:f2: | |
| bc:a0:ef:f0:8c:ff:56:09:a0:f7:24:1a:4e:4e:00:c1:66:89: | |
| ff:6c:0c:49:dd:24:f8:89:81:98:e5:ca:3f:5d:e5:6f:7d:50: | |
| 2e:3a:2e:26:b8:bf:ab:1b:9d:2b:7b:d7:82:3c:70:7d:9a:ae: | |
| 96:49:bc:e7:8b:39:db:16:f1:f5:6f:fb:22:13:55:47:3a:9a: | |
| 03:b9 | |
| —–BEGIN CERTIFICATE—– | |
| MIICvDCCAiWgAwIBAgIJALNByP1c+o+lMA0GCSqGSIb3DQEBBQUAMHcxCzAJBgNV | |
| BAYTAlhYMQowCAYDVQQIDAExMQowCAYDVQQHDAExMQowCAYDVQQKDAExMQowCAYD | |
| VQQLDAExMRgwFgYDVQQDDA8xMDcuMTgxLjE4Ny4xODIxHjAcBgkqhkiG9w0BCQEW | |
| D2JveEBleGFtcGxlLmNvbTAeFw0xNjA2MDQxMDE1MDFaFw0xNzA2MDQxMDE1MDFa | |
| MHcxCzAJBgNVBAYTAlhYMQowCAYDVQQIDAExMQowCAYDVQQHDAExMQowCAYDVQQK | |
| DAExMQowCAYDVQQLDAExMRgwFgYDVQQDDA8xMDcuMTgxLjE4Ny4xODIxHjAcBgkq | |
| hkiG9w0BCQEWD2JveEBleGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw | |
| gYkCgYEA+AFYbU7ImQ8o9BByEf08Y20w/lrzke8isyLd98WIw/iQ/FzN44ZciRps | |
| aGAP3efAIAH4+yGmA1XOWfm4V8xxsFZYJ4sUgkXS76/jedOzNmj/BozmIvNnHhhA | |
| ENRpv6TO18mOMUAQhZAIuGbPRQ9VMVeYwYwJ8MB6Pl7KD6VjKOcCAwEAAaNQME4w | |
| HQYDVR0OBBYEFDHG6j4fMQprj+5BZecTfCtPGyihMB8GA1UdIwQYMBaAFDHG6j4f | |
| MQprj+5BZecTfCtPGyihMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA | |
| XuZMwlgUJvOyuKQJOm+ThMLmXeE1X3qXJ90M/qh+SuTMCOfWrwaJo15Zh1jdrrEe | |
| imKtMtvyvKDv8Iz/Vgmg9yQaTk4AwWaJ/2wMSd0k+ImBmOXKP13lb31QLjouJri/ | |
| qxudK3vXgjxwfZqulkm854s52xbx9W/7IhNVRzqaA7k= | |
| —–END CERTIFICATE—– |
If you’ve opened the Word attachment and enabled the Macro, consider scanning your system with various anti-virus solutions.