Malicious Word Doc Downloads Nymaim and Info Stealer

NOTES:
Yesterday another mass mal-spam campaign was conducted. @GossiTheDog on Twitter in England has been my early warning detection system in the last two campaigns. Shortly after, this malicious Word Doc began to make it through email content filters in New York. Analysis of the infection chain and post-infection traffic suggests a variant of Nymaim and other info-stealing Trojans. Traffic is similar to an earlier post on April 6th 2016, “Malicious Word Doc sends Nymaim”. Below is the associated traffic.


ASSOCIATED DOMAINS:

160.153.16.52 – banyoperdem.com – GET /system/logs/office.exe – Nymaim DOWNLOAD
85.171.195.89 – ytugctbfm.com – POST /bewfa5ovkx/index.php – Nymaim POST INFECTION TRAFFIC
85.171.195.89 – nylon.com – POST /dmmclxrc.php? – POST INFECTION TRAFFIC
85.171.195.89 – nylon.com – POST /yhsv.php? – POST INFECTION TRAFFIC
85.171.195.89 – nylon.com – POST /nwl.php? – POST INFECTION TRAFFIC
85.171.195.89 – nylon.com – POST /favvmtdr.php? – POST INFECTION TRAFFIC

ASSOCIATED DOMAINS REBOOT ONE:

80.130.194.176 – yoox.com – POST /lqgkp.php?
72.23.220.121 – sixt.com – POST /ksa.php?
85.219.200.8 – carvezine.com – POST /ilotuio.php?
209.11.159.179 – iwc.com – POST /mfaaex.php?

ASSOCIATED DOMAINS REBOOT TWO:

66.91.108.190 – carvezine.com – POST /dri.php?
66.133.233.167 – nylon.com – POST /puixu.php?
76.2.172.107:38472 – POST /vdszg.php?
76.2.172.107:38472 – POST /nnif.php?
178.200.149.190 – yoox.com – POST /irxob.php?
74.143.127.254 – yoox.com – POST /uxeoi.php?


IMAGES and DETAILS:

Shown above: Malicious Word Doc attempting to trick user into Enabling Content [MACROS]


Shown above: After Enabling Content, the infection chain starts with the download of “office.exe”, followed by the associated POST to “index.php” after installation.


Shown above: Nymaim payload as an application


Shown above: DNS query to domain hosting Nymaim download using local DNS.


Shown above: Post infection Trojan uses Google’s free DNS 8.8.8.8.

NOTE:
This was the last DNS traffic I saw during infection. It appears the malware is communicating via IP addresses and injecting fake domain names such as “nylon.com” and “yoox.com” into the header.
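The observation above (post-infection POSTs to raw IPs with fabricated domain names in the Host header, and no DNS query behind them) is a usable detection. The following Python script is an added example for this write-up, not code from the original post: it parses constructed DNS and HTTP records shaped like the capture (the IPs, hosts and URIs come from the traffic listing above; the tab-separated record layout, the example.com lines and the extra banyoperdem.com POST used to exercise the mismatch branch are assumptions) and flags every HTTP request whose Host header is a bare IP, was never resolved in the same capture, or was sent to an address DNS never returned for that name. It also tags the short random `.php?` URIs seen in the post-infection traffic as a secondary, low-confidence signal.

```python
"""Detect HTTP requests whose Host header is not backed by a DNS answer.

Added example for this write-up, not code from the original post. The
records below are constructed to mirror the capture described above: the
IPs, hosts and URIs come from the traffic listing, while the tab-separated
layout, the example.com lines and the banyoperdem.com POST to the wrong IP
are assumptions made for the example."""
import ipaddress
import re
from collections import defaultdict

# Constructed DNS answers: kind, client, server, name, answer.
# The post shows banyoperdem.com resolved via local DNS and a later query
# sent to 8.8.8.8; ytugctbfm.com resolving to 85.171.195.89 is assumed.
DNS_LOG = """\
dns\t10.0.0.5\t10.0.0.1\tbanyoperdem.com\t160.153.16.52
dns\t10.0.0.5\t8.8.8.8\tytugctbfm.com\t85.171.195.89
dns\t10.0.0.5\t10.0.0.1\texample.com\t93.184.216.34
"""

# Constructed HTTP records: kind, client, server, method, Host header, URI.
# nylon.com and yoox.com never appear in DNS; the 76.2.172.107:38472 Host
# is a bare IP; the banyoperdem.com POST to 85.171.195.89 is constructed
# to exercise the "DNS said a different IP" branch.
HTTP_LOG = """\
http\t10.0.0.5\t160.153.16.52\tGET\tbanyoperdem.com\t/system/logs/office.exe
http\t10.0.0.5\t85.171.195.89\tPOST\tytugctbfm.com\t/bewfa5ovkx/index.php
http\t10.0.0.5\t85.171.195.89\tPOST\tnylon.com\t/dmmclxrc.php?
http\t10.0.0.5\t80.130.194.176\tPOST\tyoox.com\t/lqgkp.php?
http\t10.0.0.5\t76.2.172.107\tPOST\t76.2.172.107:38472\t/vdszg.php?
http\t10.0.0.5\t85.171.195.89\tPOST\tbanyoperdem.com\t/qwert.php?
http\t10.0.0.5\t93.184.216.34\tGET\texample.com\t/index.html
"""


def parse_dns(text):
    """Map each queried name to the set of addresses DNS answered with."""
    answers = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            _kind, _client, _server, name, ip = line.split("\t")
            answers[name.lower()].add(ip)
    return answers


def parse_http(text):
    """Turn the constructed HTTP records into dicts."""
    records = []
    for line in text.splitlines():
        if line.strip():
            _kind, src, dst, method, host, uri = line.split("\t")
            records.append({"src_ip": src, "dst_ip": dst, "method": method,
                            "host": host.lower(), "uri": uri})
    return records


def host_is_literal_ip(host):
    """True when the Host header is a bare IP, optionally with a port."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def classify(record, dns_answers):
    """Return why the Host header is suspicious, or None if DNS backs it."""
    host = record["host"]
    if host_is_literal_ip(host):
        return "host_is_ip"
    if host not in dns_answers:
        return "host_never_resolved"
    if record["dst_ip"] not in dns_answers[host]:
        return "dst_ip_mismatch"
    return None


def looks_like_beacon_uri(uri):
    """Low-confidence secondary signal: a short random-looking .php name
    with an empty query string, as in every post-infection POST above."""
    return re.fullmatch(r"/[a-z]{3,10}\.php\?", uri) is not None


def find_suspicious(http_text, dns_text):
    """Return the HTTP records whose Host header is not backed by DNS."""
    dns_answers = parse_dns(dns_text)
    hits = []
    for rec in parse_http(http_text):
        reason = classify(rec, dns_answers)
        if reason is not None:
            hits.append({**rec, "reason": reason,
                         "beacon_uri": looks_like_beacon_uri(rec["uri"])})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(HTTP_LOG, DNS_LOG):
        print(f'{hit["dst_ip"]:16} {hit["host"]:22} {hit["uri"]:22} '
              f'{hit["reason"]} beacon_uri={hit["beacon_uri"]}')
```

The DNS-backed check is the strong one: a legitimate browser never sends a Host header for a name it has not resolved. The `.php?` URI pattern alone would be noisy on real traffic and is only worth reporting alongside the DNS result, which is why it is carried as a tag rather than used as a trigger.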


Shown above: Post infection traffic from initial infection


Shown above: Post infection traffic from infected computer reboot one. No DNS traffic associated with this capture.


Shown above: Post infection traffic from infected computer reboot two. No DNS traffic associated with this capture.


PAYLOAD FROM MALICIOUS WORD DOCUMENT:

  • 2016-04-18.doc
    Malwr.com Download
  • 2016-04-18-battery-6.exe
    PAYLOAD DIRECTORY STRUCTURE:
    C:\Users\%USERNAME%\AppData\Roaming\battery-6\
    START-UP
    C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\battery-27.lnk
    Virus Total
    Malwr.com Download
  • 2016-04-18-inrush-3.exe
    PAYLOAD DIRECTORY STRUCTURE:
    C:\ProgramData\inrush-4\
    Virus Total
    Malwr.com Download
  • 2016-04-18-megabaud-37.exe
    PAYLOAD DIRECTORY STRUCTURE:
    C:\ProgramData\megabaud-31\
    START-UP
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Virus Total
    Malwr.com Download
  • 2016-04-18-xmitter-88.exe
    PAYLOAD DIRECTORY STRUCTURE:
    C:\Users\%USERNAME%\AppData\Roaming\xmitter-74\
    START-UP
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    Virus Total
    Malwr.com Download
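The payload listing above gives the three persistence mechanisms this infection used (the HKCU Run and RunOnce keys and a Startup-folder shortcut) and shows every dropped executable living under AppData\Roaming or ProgramData in a directory named `<word>-<number>`. The following Python script is an added example for this write-up, not code from the original post: it triages a constructed autostart inventory (the registry keys, Startup folder and directory names come from the listing; the executable names inside those directories, the user name `alice` and the two benign entries are assumptions) and flags entries that launch from a user-writable location, with the `<word>-<number>` directory name as a second signal. Treating that naming scheme as a campaign signature is an assumption of this example, not a claim from the post.

```python
"""Triage autostart entries for the drop-and-persist pattern seen above.

Added example for this write-up, not code from the original post. The
inventory is constructed: Run, RunOnce and Startup-folder sources and the
<word>-<number> directory names come from the payload listing; the exe
names inside them, the user name and the benign entries are assumptions."""
import ntpath
import re

# (autostart source, entry name, executable the entry launches)
AUTOSTART_ENTRIES = [
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "megabaud",
     r"C:\ProgramData\megabaud-31\megabaud.exe"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "xmitter",
     r"C:\Users\alice\AppData\Roaming\xmitter-74\xmitter.exe"),
    ("Startup folder", "battery-27.lnk",
     r"C:\Users\alice\AppData\Roaming\battery-6\battery.exe"),
    # Benign entries, assumed for contrast: launched from Program Files
    # and from AppData\Local (not Roaming, not Temp).
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Program Files\Windows Defender\MSASCuiL.exe"),
    ("Startup folder", "OneDrive.lnk",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]

# Locations a standard user can write to, where the payloads above were
# dropped. Program Files and System32 are deliberately not in this set.
USER_WRITABLE = re.compile(
    r"^(?:c:\\programdata\\|c:\\users\\[^\\]+\\appdata\\(?:roaming|local\\temp)\\)",
    re.IGNORECASE)

# battery-6, inrush-4, megabaud-31, xmitter-74: a word, a dash, a number.
WORD_NUMBER_DIR = re.compile(r"^[a-z]+-\d+$", re.IGNORECASE)


def triage_entry(target):
    """Return the list of reasons an autostart target looks like a drop."""
    reasons = []
    if USER_WRITABLE.match(target):
        reasons.append("user_writable_location")
    parent = ntpath.basename(ntpath.dirname(target))
    if WORD_NUMBER_DIR.match(parent):
        reasons.append("word_number_directory")
    return reasons


def triage(entries):
    """Keep only the entries that raise at least one reason."""
    flagged = []
    for source, name, target in entries:
        reasons = triage_entry(target)
        if reasons:
            flagged.append((source, name, reasons))
    return flagged


if __name__ == "__main__":
    for source, name, reasons in triage(AUTOSTART_ENTRIES):
        print(f"{name:16} {', '.join(reasons):45} {source}")
```

On a live Windows host the inventory comes from reading the two `CurrentVersion\Run` keys, the `RunOnce` key and the per-user Startup folder and resolving each `.lnk` to its target; `ntpath` is used so the Windows paths parse the same way when the triage runs on an analysis box. The user-writable check is the one that generalises; the directory-name regex only catches this family's naming habit and should be expected to age.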