Installation
This threat usually arrives on your PC as a Windows Cabinet archive file (.cab) attached to a spam email. We have seen the attachment use the following file names:
- CA-77509WAF-88414.cab
- DO-64647JYG-84271.cab
- DOGE-41300LEX-96167.cab
- LE-75482VE-87616.cab
- NY-92939JOB-11883.cab
- TIW-42068GEJE-40781.cab
- WIZA-32992ZURA-35632.cab
- XO-80756NE-25867.cab
Below is an example of the spam email:
From: <sender name> <email>
Date: 16 December 2014 at 13:32
Subject: Attention: BE-99298QES-37681
To: <EMAIL>
===========================================
This is an automatically generated email. Please do not reply as the email address is not monitored for received mail.
===========================================
Notification Number: 3222619
Mandate Number: 4440667
Date: December 16, 2014. 02:13pm
In an effort to protect your Banking account, we have frozen your account until such time that it can be safely restored by you. Please view attached file "BE-99298QES-37681.cab" for details.
Sincerely,
<SENDER NAME>
+07700 18 51 04
The attached .cab file contains a file with the same file name as the .cab file but with a .scr extension. The file uses the Microsoft Word icon, but it is actually an executable file that will run if you double-click it or try to open it.
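The two tells described above (the lure-style attachment name and an .scr inside the archive that reuses the archive's own name) can both be checked before the attachment ever reaches a user. The following Python is an added example, not code from the original analysis: it reads only the CFFILE directory of a cabinet (the "MSCF" header and the file-name entries), never the compressed data, and scores the attachment on those two signals. The `build_cab_directory()` fixture is a constructed test image with a valid header and directory but no data blocks; the regular expression generalises the file names listed above and is an assumption about the naming scheme, not something the analysis states.

```python
import os
import re
import struct

# Naming scheme seen in the attachment names listed above:
# 2-4 letters, 5 digits, 2-4 letters, 5 digits, .cab (assumed generalisation)
LURE_NAME_RE = re.compile(r"^[A-Z]{2,4}-\d{5}[A-Z]{2,4}-\d{5}\.cab$", re.IGNORECASE)

# Extensions Windows will execute on double-click; .scr is the one this threat uses
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36-byte cabinet header
CFFILE = struct.Struct("<IIHHHH")            # 16 bytes before the NUL-terminated name
A_NAME_IS_UTF = 0x80                         # attribs bit: name is UTF-8, else OEM (cp437)


def list_cab_members(data: bytes) -> list:
    """Return the member names stored in a cabinet's CFFILE directory.
    Only the directory is parsed; compressed CFDATA blocks are never touched."""
    if len(data) < CFHEADER.size:
        raise ValueError("too short to be a cabinet")
    (sig, _r1, _cb_cab, _r2, coff_files, _r3, _vmin, _vmaj,
     _c_folders, c_files, _flags, _set_id, _i_cab) = CFHEADER.unpack_from(data, 0)
    if sig != b"MSCF":
        raise ValueError("missing MSCF signature")
    names = []
    pos = coff_files  # absolute offset of the first CFFILE entry
    for _ in range(c_files):
        if pos + CFFILE.size > len(data):
            raise ValueError("truncated CFFILE entry")
        _cb, _uoff, _ifolder, _date, _time, attribs = CFFILE.unpack_from(data, pos)
        pos += CFFILE.size
        end = data.find(b"\x00", pos)
        if end < 0:
            raise ValueError("unterminated member name")
        codec = "utf-8" if attribs & A_NAME_IS_UTF else "cp437"
        names.append(data[pos:end].decode(codec, "replace"))
        pos = end + 1
    return names


def assess_attachment(cab_name: str, cab_data: bytes) -> dict:
    """Flag a .cab attachment that looks like this lure: lure-pattern name and/or
    an executable member, especially one that reuses the archive's own name."""
    findings = []
    if LURE_NAME_RE.match(cab_name):
        findings.append("attachment name matches the observed lure pattern")
    stem = os.path.splitext(cab_name)[0].lower()
    members = list_cab_members(cab_data)
    for member in members:
        base = member.replace("\\", "/").rsplit("/", 1)[-1]   # strip any path
        mstem, ext = os.path.splitext(base.lower())
        if ext in EXECUTABLE_EXTS:
            findings.append(f"executable member {base}")
            if mstem == stem:
                findings.append(f"member {base} reuses the archive name (decoy naming)")
    return {"members": members, "findings": findings, "suspicious": bool(findings)}


def build_cab_directory(member_names: list) -> bytes:
    """Constructed fixture: header + one CFFOLDER + CFFILE entries, no data blocks.
    Enough for list_cab_members() to parse; not an extractable cabinet."""
    folder = struct.pack("<IHH", 0, 0, 0)           # coffCabStart, cCFData, typeCompress
    files = b"".join(CFFILE.pack(0, 0, 0, 0, 0, 0) + n.encode("cp437") + b"\x00"
                     for n in member_names)
    coff_files = CFHEADER.size + len(folder)
    header = CFHEADER.pack(b"MSCF", 0, coff_files + len(files), 0, coff_files, 0,
                           3, 1, 1, len(member_names), 0, 0, 0)
    return header + folder + files


# Constructed sample mirroring the email above: BE-99298QES-37681.cab holding an .scr
SAMPLE_CAB = build_cab_directory(["BE-99298QES-37681.scr"])

if __name__ == "__main__":
    print(assess_attachment("BE-99298QES-37681.cab", SAMPLE_CAB))
```

Because the check reads the directory only, it is cheap enough to run on every .cab attachment at the mail gateway; an archive whose only member is a screensaver executable named after the archive is a strong enough signal on its own to quarantine, with the name pattern as corroboration.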
The .scr file might look like the following:
[Screenshot: the .scr file displayed with the Microsoft Word icon]
Payload
Downloads updates and other malware
When the .scr file is run or opened, it will try to contact a remote server to download other threats.
It also extracts another .cab file that contains a non-malicious Microsoft Word document (.rtf file). It does this to trick you into thinking the .scr file is a harmless Word document.
The .rtf file is usually dropped in the %TEMP% folder using a random file name, for example %TEMP%\52764265.cab.
See the sample .rtf file below:
[Screenshot: the decoy .rtf document]
The .scr file checks for an Internet connection by connecting to a legitimate website, for example windowsupdate.microsoft.com. It then connects to a remote host to download other malware. The remote host's address is hard-coded into the malware.
We have seen it try to connect to the following hosts and download files:
- dequinnza<removed>/language/upupup.tar.gz
- fotocb.<removed>/upupup.tar.gz
- lamas<removed>/picture_library/upupup.tar.gz
- stmarys-andover.<removed>/upupup.tar.gz
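The behaviour described in this section (an .scr launched from a user-writable folder, a random-named .cab dropped in %TEMP%, a connectivity probe to windowsupdate.microsoft.com, then a download of upupup.tar.gz from a hard-coded host) is a sequence that endpoint telemetry can correlate per process. The following Python is an added example, not code from the original analysis: it runs a per-process correlation over constructed Sysmon-style events. The event records, the host names, and the `example-compromised-site.invalid` placeholder standing in for the `<removed>` hosts above are all constructed; the 60-second window and the three-indicator threshold are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not real telemetry). pid 4120 is the lure .scr;
# the others are benign activity that must not alert.
SCR = r"C:\Users\bob\AppData\Local\Temp\BE-99298QES-37681.scr"
SAMPLE_EVENTS = [
    {"ts": "2014-12-16T13:40:01", "host": "PC1", "type": "ProcessCreate", "image": SCR, "pid": 4120},
    {"ts": "2014-12-16T13:40:02", "host": "PC1", "type": "FileCreate", "image": SCR, "pid": 4120,
     "target": r"C:\Users\bob\AppData\Local\Temp\52764265.cab"},
    {"ts": "2014-12-16T13:40:03", "host": "PC1", "type": "NetworkConnect", "image": SCR, "pid": 4120,
     "dest": "windowsupdate.microsoft.com", "url": "/"},
    {"ts": "2014-12-16T13:40:05", "host": "PC1", "type": "NetworkConnect", "image": SCR, "pid": 4120,
     "dest": "example-compromised-site.invalid", "url": "/upupup.tar.gz"},  # placeholder host
    # Word opening the decoy document: not an .scr, so never considered
    {"ts": "2014-12-16T13:40:06", "host": "PC1", "type": "ProcessCreate",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "pid": 5000},
    {"ts": "2014-12-16T13:40:07", "host": "PC1", "type": "NetworkConnect",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "pid": 5000,
     "dest": "windowsupdate.microsoft.com", "url": "/"},
    # A real screensaver in System32 with no drops or network activity: no alert
    {"ts": "2014-12-16T13:41:00", "host": "PC1", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\ssText3d.scr", "pid": 6000},
]

PROBE_HOSTS = {"windowsupdate.microsoft.com"}          # legitimate site used as a connectivity check
TEMP_CAB_RE = re.compile(r"\\temp\\\d{6,10}\.cab$", re.IGNORECASE)   # %TEMP%\<random digits>.cab
ARCHIVE_RE = re.compile(r"\.tar\.gz$", re.IGNORECASE)
USER_WRITABLE = ("\\temp\\", "\\downloads\\")
WINDOW = timedelta(seconds=60)    # assumed: probe-to-download gap worth correlating
MIN_INDICATORS = 3                # assumed: alert threshold


def detect_scr_dropper(events: list) -> list:
    """Group events by (host, pid); for each .scr process, collect the indicators
    this dropper exhibits and alert when enough of them line up."""
    by_proc = {}
    for e in events:
        by_proc.setdefault((e["host"], e["pid"]), []).append(e)

    alerts = []
    for (host, pid), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])          # ISO timestamps sort lexically
        image = evs[0]["image"]
        if not image.lower().endswith(".scr"):
            continue
        indicators = []
        if any(d in image.lower() for d in USER_WRITABLE):
            indicators.append("screensaver executable launched from a user-writable folder")
        probe_time = None
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e["type"] == "FileCreate" and TEMP_CAB_RE.search(e["target"]):
                indicators.append(f"dropped random-named cabinet {e['target']}")
            elif e["type"] == "NetworkConnect":
                if e["dest"] in PROBE_HOSTS:
                    probe_time = t
                    indicators.append(f"connectivity probe to {e['dest']}")
                elif (probe_time is not None and t - probe_time <= WINDOW
                      and ARCHIVE_RE.search(e.get("url", ""))):
                    indicators.append(
                        f"archive download from {e['dest']}{e['url']} "
                        f"within {WINDOW.seconds}s of the probe")
        if len(indicators) >= MIN_INDICATORS:
            alerts.append({"host": host, "pid": pid, "image": image, "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in detect_scr_dropper(SAMPLE_EVENTS):
        print(alert)
```

Keying on the probe alone would be noisy, since every patched Windows machine talks to windowsupdate.microsoft.com; what makes the sequence distinctive is the combination of an .scr from %TEMP%, the random-named .cab it drops, and the archive fetch that follows the probe within seconds.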
The downloaded file can include updates or other malware. We have seen this threat download the following malware:
Analysis by Rex Plantado