Introduction
Earlier today (Wednesday, 2015-11-25), one of our readers notified the ISC of malicious spam (malspam) with a Word document designed to infect a Windows computer with malware. I found examples of the malspam and looked into it. Word documents from this particular campaign will download Pony malware, which will infect a Windows computer with Vawtrak. The malspam was blocked by our spam filters, but others might see this, so I'm posting this information in a diary.
Thanks for the heads up, Travis!
The emails
The emails spoof your company name (or whatever domain you're using for your email address), and they have a Microsoft Word document as an attachment. The ones I've found have the following headers and attachment name:

From: accounting@[your company].com
Reply-To: accounting@[your company].com
Attachment: Bill.doc

The emails also have a notification at the bottom stating "This email is free of viruses and malware protection because the Avast! Antivirus is active." These antivirus messages were all in different languages, based on the host these emails were sent from (the Portuguese variant in the image begins "Este email está livre de vírus e malware porque a proteção avast! Antivirus está").
Shown above: Example of the malspam with a different language for the antivirus notification.
We saw this malspam come from senders at the following IP addresses:
The attachment
The attachment is a Microsoft Word document with malicious macros. The sample had already been submitted to VirusTotal (link), but it only had a 1 / 55 detection rate when I first checked. I enabled the document's macros in a controlled environment to infect a Windows host.
Shown above: The malicious document opened in Word 2007.
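The two sections above describe what a defender can check on the mail gateway before anyone opens the attachment: a sender that spoofs the recipient's own domain on inbound mail, the fake avast! Antivirus footer, and a legacy .doc attachment carrying VBA macros. The script below is an added example, not code from this diary or from the ISC; the message it triages is constructed to match the description above (the addresses, the footer text and the stand-in for Bill.doc are all made up), and the macro check is a byte-level heuristic for the OLE2 container (looking for the UTF-16LE storage names "Macros" and "VBA") rather than a full CFB parse.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Magic bytes of the legacy OLE2/CFB container used by .doc files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Storage names inside an OLE file are stored as UTF-16LE; a "Macros" or
# "VBA" storage means the document carries VBA code. Scanning the raw bytes
# for those names is a quick triage heuristic, not a full CFB parse.
VBA_MARKERS = (
    "Macros".encode("utf-16-le"),
    "VBA".encode("utf-16-le"),
)


def domain_of(header_value) -> str:
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def looks_like_vba_doc(blob: bytes) -> bool:
    """Heuristic: OLE2 container whose directory names include VBA storages."""
    return blob.startswith(OLE_MAGIC) and any(m in blob for m in VBA_MARKERS)


def triage(raw_message: bytes, own_domain: str) -> list:
    """Return the indicators from the diary that match this inbound message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    own = own_domain.lower()
    findings = []

    # 1. Sender spoofs our own domain on mail arriving from outside.
    if domain_of(msg["From"]) == own:
        findings.append("From: uses our own domain")
    if msg["Reply-To"] is not None and domain_of(msg["Reply-To"]) == own:
        findings.append("Reply-To: uses our own domain")

    # 2. The fake "scanned by avast! Antivirus" footer; every language
    #    variant still contains the product name.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if "avast! antivirus" in text.lower():
        findings.append("body carries the avast! Antivirus footer")

    # 3. A legacy .doc attachment, and whether it appears to carry macros.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".doc"):
            findings.append(f"attachment {name} is a legacy Word document")
            if looks_like_vba_doc(part.get_payload(decode=True) or b""):
                findings.append(f"attachment {name} appears to contain VBA macros")
    return findings


def build_sample(own_domain: str) -> bytes:
    """Constructed message modelled on the diary's description (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = f"accounting@{own_domain}"
    msg["Reply-To"] = f"accounting@{own_domain}"
    msg["To"] = f"someone@{own_domain}"
    msg["Subject"] = "Bill"
    msg.set_content(
        "Please find the attached bill.\n\n---\n"
        "Este email está livre de vírus e malware porque a proteção "
        "avast! Antivirus está ativa.\n"
    )
    # Constructed stand-in for Bill.doc: OLE magic plus a UTF-16LE "Macros" name.
    fake_doc = OLE_MAGIC + b"\x00" * 24 + VBA_MARKERS[0] + b"\x00" * 8
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="Bill.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample("example.com"), "example.com"):
        print("-", line)
```

On a real gateway the first check only makes sense for mail that arrived from outside the organization (the diary's samples came from external senders), which is what SPF/DKIM/DMARC enforcement on your own domain is for; the script flags the pattern so that the other indicators can be correlated with it.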
The infection
Shown above: A pcap of the infection traffic filtered in Wireshark by HTTP request.
[...] infection traffic using Security Onion with the Emerging Threats Pro signature set.
Shown above: Some of the alerts in Sguil on Security Onion.
The following IP addresses and domain names were associated with this Pony/Vawtrak infection:
Malware and artifacts from the infected host
The Word document caused the following artifacts to appear in the infected user's AppData/Local/Temp directory.
Shown above: Artifacts from the infected user's AppData/Local/Temp directory.
Both st11.exe and 721723.exe deleted themselves shortly after appearing in the directory. st11.exe is the Pony downloader. 721723.exe is Vawtrak, which copied itself to another directory and updated the infected host [...]
Shown above: The Vawtrak malware from this infection.
Final words
Malspam with a Word document that causes Pony to download more malware is not uncommon. It's just another example of the many types of malspam we see blocked by our spam filters on a daily basis.
Email examples, traffic, and malware from this diary can be found here.
Many thanks to our readers, who continue to notify us of suspicious activity!
---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic