LinkedIn information used to spread banking malware in the Netherlands


Since early this morning (7th of June 2016, around 08:30 AM) the Fox-IT Security Operations Center started detecting a large amount of phishing e-mails containing a malicious Word document. This e-mail campaign appears to be targeting the Netherlands, using Dutch text in both the e-mail and Word document. The content of the e-mail:

Geachte Firstname Lastname,
RoleCompany
Wij schrijven u in verband met de factuur met nummer 014321463. De nota staat open sinds 9-jun-16. Het openstaande bedrag is 2,487.50 Euro. Vriendelijk verzoeken wij u het openstaande bedrag te betalen.
Betaling graag zo spoedig mogelijk.
Met vriendelijke groet,
A.E. De Kuiper, BEEREJAN HOLDING BV. Faisantenstraat 53 Hilversum 1211 PT Tel. +31180647000 Fax. +31294484970

The first name, last name, role and company name are all values that are taken from the LinkedIn page of the receiver of the phishing mail, giving the e-mail a very personalized look.

The subject of the e-mail contain the company name, with a semi-random invoice related subject. Some examples:

  • Company : De nota is nog niet betaald
  • Company – De nota is onbetaald gebleven
  • Company – Uw laatste factuur wacht op betaling

At this point Fox-IT cannot directly link this phishing campaign to the recent LinkedIn database leak.

The e-mail contains a Word document with a Macro.
The name of the document is also based on personal information of the receiver:

  • Company-Firstname-Lastname.doc

Screenshot phishing campagin

The content of the Word document appears to be scrambled, this is an attempt to trick the user into running the embedded Macro, in order to view the document.

The Macro retrieves a binary from the following (likely compromised) website:

  • ledpronto.com/app/office.bin (sha256: c1e21a06a1fa1de2998392668b6910ca2be0d5d9ecc39bd3e3a2a3ae7623400d)

The Fox-IT InTELL team has identified the retrieved malware as the Zeus Panda banking malware. Zeus Panda, in this case, always connects to the following domain & IP using SSL:

  • skorianial.com / 107.171.187.182

Zeus Panda is a type of banking malware based on Zeus source code, more information can be found here: https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market

The following SSL certificate is used by the Panda Zeus Command and Control server:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b3:41:c8:fd:5c:fa:8f:a5
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=XX, ST=1, L=1, O=1, OU=1, CN=107.181.187.182/emailAddress=box@example.com
Validity
Not Before: Jun 4 10:15:01 2016 GMT
Not After : Jun 4 10:15:01 2017 GMT
Subject: C=XX, ST=1, L=1, O=1, OU=1, CN=107.181.187.182/emailAddress=box@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:f8:01:58:6d:4e:c8:99:0f:28:f4:10:72:11:fd:
3c:63:6d:30:fe:5a:f3:91:ef:22:b3:22:dd:f7:c5:
88:c3:f8:90:fc:5c:cd:e3:86:5c:89:1a:6c:68:60:
0f:dd:e7:c0:20:01:f8:fb:21:a6:03:55:ce:59:f9:
b8:57:cc:71:b0:56:58:27:8b:14:82:45:d2:ef:af:
e3:79:d3:b3:36:68:ff:06:8c:e6:22:f3:67:1e:18:
40:10:d4:69:bf:a4:ce:d7:c9:8e:31:40:10:85:90:
08:b8:66:cf:45:0f:55:31:57:98:c1:8c:09:f0:c0:
7a:3e:5e:ca:0f:a5:63:28:e7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
31:C6:EA:3E:1F:31:0A:6B:8F:EE:41:65:E7:13:7C:2B:4F:1B:28:A1
X509v3 Authority Key Identifier:
keyid:31:C6:EA:3E:1F:31:0A:6B:8F:EE:41:65:E7:13:7C:2B:4F:1B:28:A1
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
5e:e6:4c:c2:58:14:26:f3:b2:b8:a4:09:3a:6f:93:84:c2:e6:
5d:e1:35:5f:7a:97:27:dd:0c:fe:a8:7e:4a:e4:cc:08:e7:d6:
af:06:89:a3:5e:59:87:58:dd:ae:b1:1e:8a:62:ad:32:db:f2:
bc:a0:ef:f0:8c:ff:56:09:a0:f7:24:1a:4e:4e:00:c1:66:89:
ff:6c:0c:49:dd:24:f8:89:81:98:e5:ca:3f:5d:e5:6f:7d:50:
2e:3a:2e:26:b8:bf:ab:1b:9d:2b:7b:d7:82:3c:70:7d:9a:ae:
96:49:bc:e7:8b:39:db:16:f1:f5:6f:fb:22:13:55:47:3a:9a:
03:b9
—–BEGIN CERTIFICATE—–
MIICvDCCAiWgAwIBAgIJALNByP1c+o+lMA0GCSqGSIb3DQEBBQUAMHcxCzAJBgNV
BAYTAlhYMQowCAYDVQQIDAExMQowCAYDVQQHDAExMQowCAYDVQQKDAExMQowCAYD
VQQLDAExMRgwFgYDVQQDDA8xMDcuMTgxLjE4Ny4xODIxHjAcBgkqhkiG9w0BCQEW
D2JveEBleGFtcGxlLmNvbTAeFw0xNjA2MDQxMDE1MDFaFw0xNzA2MDQxMDE1MDFa
MHcxCzAJBgNVBAYTAlhYMQowCAYDVQQIDAExMQowCAYDVQQHDAExMQowCAYDVQQK
DAExMQowCAYDVQQLDAExMRgwFgYDVQQDDA8xMDcuMTgxLjE4Ny4xODIxHjAcBgkq
hkiG9w0BCQEWD2JveEBleGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEA+AFYbU7ImQ8o9BByEf08Y20w/lrzke8isyLd98WIw/iQ/FzN44ZciRps
aGAP3efAIAH4+yGmA1XOWfm4V8xxsFZYJ4sUgkXS76/jedOzNmj/BozmIvNnHhhA
ENRpv6TO18mOMUAQhZAIuGbPRQ9VMVeYwYwJ8MB6Pl7KD6VjKOcCAwEAAaNQME4w
HQYDVR0OBBYEFDHG6j4fMQprj+5BZecTfCtPGyihMB8GA1UdIwQYMBaAFDHG6j4f
MQprj+5BZecTfCtPGyihMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA
XuZMwlgUJvOyuKQJOm+ThMLmXeE1X3qXJ90M/qh+SuTMCOfWrwaJo15Zh1jdrrEe
imKtMtvyvKDv8Iz/Vgmg9yQaTk4AwWaJ/2wMSd0k+ImBmOXKP13lb31QLjouJri/
qxudK3vXgjxwfZqulkm854s52xbx9W/7IhNVRzqaA7k=
—–END CERTIFICATE—–

view raw
skorianial.com.pem
hosted with ❤ by GitHub

If you’ve opened the Word attachment and enabled the Macro, consider scanning your system with various anti-virus solutions.