{"id":7039,"date":"2014-01-15T15:18:30","date_gmt":"2014-01-15T15:18:30","guid":{"rendered":"http:\/\/www.bsk-consulting.de\/?p=766"},"modified":"2022-03-25T14:12:05","modified_gmt":"2022-03-25T13:12:05","slug":"malware-welle-januar-2014","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2014\/01\/15\/malware-welle-januar-2014\/","title":{"rendered":"Malware Welle – Januar 2014"},"content":{"rendered":"

[et_pb_section fb_built=”1″ admin_label=”section” _builder_version=”3.22″][et_pb_row admin_label=”row” _builder_version=”3.25″ background_size=”initial” background_position=”top_left” background_repeat=”repeat”][et_pb_column type=”4_4″ _builder_version=”3.25″ custom_padding=”|||” custom_padding__hover=”|||”][et_pb_text admin_label=”Text” _builder_version=”4.4.3″ background_size=”initial” background_position=”top_left” background_repeat=”repeat”]Derzeit rollt eine interessante Mail-Welle durch Deutschland und adressiert vor allem deutsche Unternehmen.\u00a0Es handelt sich wie \u00fcblich um eine Rechnung von “Telekom\/Vodafon\/Volksbank”, die als Link in der Mail hinterlegt ist.
\n

\"Telekom

Telekom Rechnung mit Link auf Cridex Malware<\/p><\/div>
\nDer Link verweist nicht auf eine EXE oder ZIP sondern auf ein directory.\u00a0Zur\u00fcckgeliefert wird beim Aufruf aber ein ZIP File. Im ZIP befindet sich eine Executable, die bis vor einigen Stunden noch von keinem AV Hersteller erkannt wurde.
\nAuch jetzt ist die Erkennungsrate noch relativ schlecht.
\nDir URLs kann man in ProxyLogs eventuell an folgenden Strings erkennen<\/p>\n

URL Strings<\/h2>\n

\/volksbank\/
\n\/telekom\/
\n\/vodafon\/
\n\/NTTCable\/<\/p>\n

TLDs<\/h2>\n

Die TLDs waren h\u00e4ufig \u2013 aber nicht immer – \u201c.ru\u201d Domains.<\/p>\n

Sandboxing<\/h2>\n

Die \u00fcblichen Sandboxen haben Probleme mit der Analyse des Samples.<\/p>\n

Virustotal Report<\/h2>\n

https:\/\/www.virustotal.com\/en\/file\/519120e4ff6524353247dbac3f66e6ddad711d384e317923a5bb66c16601743e\/analysis\/<\/a><\/p>\n

YARA Rule (u.a. f\u00fcr FireEye geeignet)<\/h2>\n


\nrule Malware_Cridex_Generic {
\nmeta:
\ndescription = \"Rule matching Cridex-C Malware distributed in a German Campaign, January 2014 (Vodafone, Telekom, Volksbank bills)\"
\nauthor = \"F. Roth\"
\ndate = \"2014-01-15\"
\nreference = \"https:\/\/www.virustotal.com\/en\/file\/519120e4ff6524353247dbac3f66e6ddad711d384e317923a5bb66c16601743e\/analysis\/\"
\nhash = \"86d3e008b8f5983c374a4859739f7de4\"
\nstrings:
\n$c1 = \"NEWDEV.dll\" fullword
\n$c2 = \"COMUID.dll\" fullword
\n$a1 = \"\\\\>:t; brIs\" fullword
\n$a2 = \"C:\\\\RcbmbtJK\" fullword
\ncondition:
\n1 of ($a*) or all of ($c*)
\n}
\n<\/code><\/p>\n

User Agent – harter Indikator<\/h2>\n

TLP Green – nur auf Anfrage<\/p>\n

C2 Server<\/h2>\n

TLP Green – nur auf Anfrage<\/p>\n

Informationen zur Malware-Kampagne<\/h2>\n

http:\/\/blog.mxlab.eu\/2014\/01\/14\/fake-email-from-t-mobile-with-online-invoice-for-january-2014-leads-to-malware\/<\/a>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

Derzeit rollt eine interessante Mail-Welle durch Deutschland und adressiert vor allem deutsche Unternehmen.\u00a0Es handelt sich wie \u00fcblich um eine Rechnung von “Telekom\/Vodafon\/Volksbank”, die als Link in der Mail hinterlegt ist. Der Link verweist nicht auf eine EXE oder ZIP sondern auf ein directory.\u00a0Zur\u00fcckgeliefert wird beim Aufruf aber ein ZIP File. Im ZIP befindet sich eine Executable, die bis vor einigen Stunden noch von keinem AV Hersteller erkannt wurde. Auch jetzt ist die Erkennungsrate noch relativ schlecht. Dir URLs kann man in ProxyLogs eventuell an folgenden Strings erkennen URL Strings \/volksbank\/ \/telekom\/ \/vodafon\/ \/NTTCable\/ TLDs Die TLDs waren h\u00e4ufig \u2013 aber nicht immer – \u201c.ru\u201d Domains. Sandboxing Die \u00fcblichen Sandboxen haben Probleme mit der Analyse des Samples. Virustotal Report https:\/\/www.virustotal.com\/en\/file\/519120e4ff6524353247dbac3f66e6ddad711d384e317923a5bb66c16601743e\/analysis\/ YARA Rule (u.a. f\u00fcr FireEye geeignet) rule Malware_Cridex_Generic { meta: description = “Rule matching Cridex-C Malware distributed in a German Campaign, January 2014 (Vodafone, Telekom, Volksbank bills)” author = “F. Roth” date = “2014-01-15” reference = “https:\/\/www.virustotal.com\/en\/file\/519120e4ff6524353247dbac3f66e6ddad711d384e317923a5bb66c16601743e\/analysis\/” hash = “86d3e008b8f5983c374a4859739f7de4” strings: $c1 = “NEWDEV.dll” fullword $c2 = “COMUID.dll” fullword $a1 = “\\\\>:t; brIs” fullword $a2 = “C:\\\\RcbmbtJK” fullword condition: 1 of ($a*) or all of ($c*) } User Agent – harter Indikator TLP Green – nur auf Anfrage C2 Server TLP […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"Derzeit rollt eine interessante Mail-Welle durch Deutschland und adressiert vor allem deutsche Unternehmen.\u00a0Es handelt sich wie \u00fcblich um eine Rechnung von \"Telekom\/Vodafon\/Volksbank\", die als Link in der Mail hinterlegt ist.\r\n[caption id=\"attachment_774\" align=\"alignnone\" width=\"439\"]\"Telekom<\/a> Telekom Rechnung mit Link auf Cridex Malware[\/caption]\r\nDer Link verweist nicht auf eine EXE oder ZIP sondern auf ein directory.\u00a0Zur\u00fcckgeliefert wird beim Aufruf aber ein ZIP File. Im ZIP befindet sich eine Executable, die bis vor einigen Stunden noch von keinem AV Hersteller erkannt wurde.\r\nAuch jetzt ist die Erkennungsrate noch relativ schlecht.\r\nDir URLs kann man in ProxyLogs eventuell an folgenden Strings erkennen\r\n

URL Strings<\/h2>\r\n\/volksbank\/\r\n\/telekom\/\r\n\/vodafon\/\r\n\/NTTCable\/\r\n

TLDs<\/h2>\r\nDie TLDs waren h\u00e4ufig \u2013 aber nicht immer - \u201c.ru\u201d Domains.\r\n

Sandboxing<\/h2>\r\nDie \u00fcblichen Sandboxen haben Probleme mit der Analyse des Samples.\r\n

Virustotal Report<\/h2>\r\nhttps:\/\/www.virustotal.com\/en\/file\/519120e4ff6524353247dbac3f66e6ddad711d384e317923a5bb66c16601743e\/analysis\/<\/a>\r\n

YARA Rule (u.a. f\u00fcr FireEye geeignet)<\/h2>\r\n\r\nrule Malware_Cridex_Generic {\r\nmeta:\r\ndescription = \"Rule matching Cridex-C Malware distributed in a German Campaign, January 2014 (Vodafone, Telekom, Volksbank bills)\"\r\nauthor = \"F. Roth\"\r\ndate = \"2014-01-15\"\r\nreference = \"https:\/\/www.virustotal.com\/en\/file\/519120e4ff6524353247dbac3f66e6ddad711d384e317923a5bb66c16601743e\/analysis\/\"\r\nhash = \"86d3e008b8f5983c374a4859739f7de4\"\r\nstrings:\r\n$c1 = \"NEWDEV.dll\" fullword\r\n$c2 = \"COMUID.dll\" fullword\r\n$a1 = \"\\>:t; brIs\" fullword\r\n$a2 = \"C:\\RcbmbtJK\" fullword\r\ncondition:\r\n1 of ($a*) or all of ($c*)\r\n}\r\n<\/code>\r\n

User Agent - harter Indikator<\/h2>\r\nTLP Green - nur auf Anfrage\r\n

C2 Server<\/h2>\r\nTLP Green - nur auf Anfrage\r\n

Informationen zur Malware-Kampagne<\/h2>\r\nhttp:\/\/blog.mxlab.eu\/2014\/01\/14\/fake-email-from-t-mobile-with-online-invoice-for-january-2014-leads-to-malware\/<\/a>","_et_gb_content_width":"","footnotes":""},"categories":[327],"tags":[422,423,424,425,124,426,427,428,429,430,72],"class_list":["post-7039","post","type-post","status-publish","format-standard","hentry","category-alert","tag-anhang","tag-cridex","tag-januar","tag-mail","tag-malware","tag-rechnung","tag-spam","tag-telekom","tag-vodafon","tag-volksbank","tag-zip"],"yoast_head":"\nMalware Welle - Januar 2014 - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2014\/01\/15\/malware-welle-januar-2014\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2014\/01\/15\/malware-welle-januar-2014\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2014\/01\/15\/malware-welle-januar-2014\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"Malware Welle – Januar 2014\",\"datePublished\":\"2014-01-15T15:18:30+00:00\",\"dateModified\":\"2022-03-25T13:12:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2014\/01\/15\/malware-welle-januar-2014\/\"},\"wordCount\":265,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"keywords\":[\"Anhang\",\"Cridex\",\"Januar\",\"Mail\",\"malware\",\"Rechnung\",\"SPAM\",\"Telekom\",\"Vodafon\",\"Volksbank\",\"zip\"],\"articleSection\":[\"Alert\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2014\/01\/15\/malware-welle-januar-2014\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2014\/01\/15\/malware-welle-januar-2014\/\",\"name\":\"Malware Welle - Januar 2014 - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2014-01-15T15:18:30+00:00\",\"dateModified\":\"2022-03-25T13:12:05+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2014\/01\/15\/malware-welle-januar-2014\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Malware Welle - Januar 2014 - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2014\/01\/15\/malware-welle-januar-2014\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2014\/01\/15\/malware-welle-januar-2014\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2014\/01\/15\/malware-welle-januar-2014\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"Malware Welle – Januar 2014","datePublished":"2014-01-15T15:18:30+00:00","dateModified":"2022-03-25T13:12:05+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2014\/01\/15\/malware-welle-januar-2014\/"},"wordCount":265,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"keywords":["Anhang","Cridex","Januar","Mail","malware","Rechnung","SPAM","Telekom","Vodafon","Volksbank","zip"],"articleSection":["Alert"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2014\/01\/15\/malware-welle-januar-2014\/","url":"https:\/\/www.nextron-systems.com\/2014\/01\/15\/malware-welle-januar-2014\/","name":"Malware Welle - Januar 2014 - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"datePublished":"2014-01-15T15:18:30+00:00","dateModified":"2022-03-25T13:12:05+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2014\/01\/15\/malware-welle-januar-2014\/"]}]},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/7039","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=7039"}],"version-history":[{"count":3,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/7039\/revisions"}],"predecessor-version":[{"id":7586,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/7039\/revisions\/7586"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=7039"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=7039"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=7039"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}