Wednesday, 28 January 2015

CTB-Locker CAB file malware

CAB file CTB-Locker malware on the loose...

Headers (example):
Subject: Zion Pentecostal Church

Message body (example):
Zion Pentecostal Church
865 3rd av, Rivers, MB R0K 1X0

CANADA
204-314-7471
Attached to the email is a CAB file (examples):
carrieres_de_lestuaire.cab
dodd_engineering_ltd.cab
industriestr_16_57076_siegen.cab
ing_thomas_teubl_and_ing_herbert_teubl_baugesmbh.cab
the_vein_institute_of_toronto.cab
zins_david_dr.cab
zion_pentecostal_church.cab

On a Windows machine, inside the CAB file is a Windows executable:
the_vein_institute_of_toronto.scr

MD5 hashes:
1873939f2b6ea98d0617a56ce0c2b0c6  [1]

Others:

2f30ff2449ee4dc2707c6d6e1380233   carrieres_de_lestuaire.cab
092e4eba24b6e8add9ac2c7fe4f3ea79  dodd_engineering_ltd.cab
8f307e9cee602263ac1c4f8ed5d83df3  industriestr_16_57076_siegen.cab
3219aa4c435105bafa45d14bb9237a22  ing_thomas_teubl_and_ing_herbert_teubl_baugesmbh.cab
f2da91034128ca52b9dc08d9d1b5fcb5  the_vein_institute_of_toronto.cab
c2aa7dfc29269e1f3d1e0738679c5fb2  zins_david_dr.cab
457ae42e7a30d5273565d5ea45aca108  zion_pentecostal_church.cab

Malware Information:

VirusTotal report [1] (detected by 1 of 57 scanners)

Malwr report [1]

Hybrid Analysis report [1]
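The two checks a mail gateway or analyst can make from the information above are: does the attachment's MD5 match one of the listed hashes, and does the CAB directory contain a Windows executable such as the .scr shown? The script below is an added example written for this post, not Sanesecurity's code or tooling. It parses only the CFHEADER and CFFILE directory of a CAB (never decompressing anything), so it can list the contained filenames safely, and it includes a small builder that constructs a harmless sample CAB so the example runs offline. The extensions beyond .scr are an added generalisation to other file types Windows runs on double-click, and the 31-character hash for carrieres_de_lestuaire.cab is left out of the watch-list because it is truncated on the page.

```python
import hashlib
import struct

# MD5s of the CAB attachments listed in the post, used as a simple watch-list.
# The 31-character carrieres_de_lestuaire.cab hash on the page is truncated
# and is deliberately left out rather than guessed.
KNOWN_BAD_CAB_MD5 = {
    "1873939f2b6ea98d0617a56ce0c2b0c6",
    "092e4eba24b6e8add9ac2c7fe4f3ea79",
    "8f307e9cee602263ac1c4f8ed5d83df3",
    "3219aa4c435105bafa45d14bb9237a22",
    "f2da91034128ca52b9dc08d9d1b5fcb5",
    "c2aa7dfc29269e1f3d1e0738679c5fb2",
    "457ae42e7a30d5273565d5ea45aca108",
}

# The post only shows a .scr inside the CAB; the other extensions are an
# added generalisation to file types Windows executes on double-click.
EXEC_EXTENSIONS = (".scr", ".exe", ".com", ".pif", ".bat", ".cmd")

CFHEADER_FMT = "<4s5I2B5H"  # signature, 5 dwords, 2 version bytes, 5 words = 36 bytes
CFFILE_FMT = "<IIHHHH"      # cbFile, uoffFolderStart, iFolder, date, time, attribs = 16 bytes
_A_NAME_IS_UTF = 0x80       # CFFILE attribs bit: szName is UTF-8


def list_cab_entries(data):
    """Return [(name, uncompressed_size), ...] for every CFFILE entry in a CAB.

    Reads only the CFHEADER and the CFFILE directory, so nothing is
    decompressed or extracted. Raises ValueError on malformed or non-CAB input.
    """
    if len(data) < struct.calcsize(CFHEADER_FMT) or data[:4] != b"MSCF":
        raise ValueError("not a CAB file (missing MSCF signature)")
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, _ver_minor, _ver_major,
     _c_folders, c_files, _flags, _set_id, _i_cab) = struct.unpack_from(CFHEADER_FMT, data, 0)
    if cb_cabinet > len(data):
        raise ValueError("cbCabinet claims %d bytes, only %d present" % (cb_cabinet, len(data)))
    if coff_files >= len(data):
        raise ValueError("coffFiles points outside the file")

    entries = []
    pos = coff_files
    entry_len = struct.calcsize(CFFILE_FMT)
    for _ in range(c_files):
        if pos + entry_len > len(data):
            raise ValueError("truncated CFFILE entry")
        cb_file, _uoff, _i_folder, _date, _time, attribs = struct.unpack_from(CFFILE_FMT, data, pos)
        pos += entry_len
        end = data.find(b"\x00", pos)          # szName is NUL-terminated
        if end < 0:
            raise ValueError("unterminated CFFILE name")
        encoding = "utf-8" if attribs & _A_NAME_IS_UTF else "latin-1"
        entries.append((data[pos:end].decode(encoding, errors="replace"), cb_file))
        pos = end + 1
    return entries


def triage_cab_attachment(data):
    """Hash a CAB attachment, check the watch-list and flag executables listed inside it."""
    md5 = hashlib.md5(data).hexdigest()
    result = {"md5": md5, "known_bad": md5 in KNOWN_BAD_CAB_MD5,
              "entries": [], "executables": [], "verdict": "clean"}
    try:
        result["entries"] = list_cab_entries(data)
    except ValueError as exc:
        result["verdict"] = "malformed: %s" % exc   # truncated or fake CAB: still worth a look
        return result
    result["executables"] = [name for name, _ in result["entries"]
                             if name.lower().endswith(EXEC_EXTENSIONS)]
    if result["known_bad"]:
        result["verdict"] = "known_bad"
    elif result["executables"]:
        result["verdict"] = "suspicious"
    return result


def build_cab(files):
    """Build a minimal single-folder, uncompressed CAB from {name: content}.

    Constructed test input only: one CFDATA block, so the total payload must
    stay under 32 KiB; the CFDATA checksum is 0, which the format defines as
    'no checksum'.
    """
    directory = b""
    payload = b""
    for name, content in files.items():
        # date 0x463C = 2015-01-28 in DOS date encoding, attribs 0x20 = archive
        directory += struct.pack(CFFILE_FMT, len(content), len(payload), 0, 0x463C, 0, 0x20)
        directory += name.encode("latin-1") + b"\x00"
        payload += content
    coff_files = struct.calcsize(CFHEADER_FMT) + 8          # CFHEADER + one CFFOLDER
    coff_data = coff_files + len(directory)
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload
    header = struct.pack(CFHEADER_FMT, b"MSCF", 0, coff_data + len(cfdata), 0, coff_files, 0,
                         3, 1, 1, len(files), 0, 0x1234, 0)
    folder = struct.pack("<IHH", coff_data, 1, 0)             # typeCompress 0 = none
    return header + folder + directory + cfdata


if __name__ == "__main__":
    # Constructed sample mirroring the post's attachment layout; the content is text, not a real executable.
    sample = build_cab({"the_vein_institute_of_toronto.scr": b"constructed placeholder, not a real executable"})
    print(triage_cab_attachment(sample))
```

Run against a real attachment, `triage_cab_attachment(open(path, "rb").read())` returns `known_bad` on a hash match, `suspicious` when the directory lists an executable, and `malformed: ...` when the file claims to be a CAB but is truncated or not one at all; all three are worth quarantining at the gateway, since a legitimate CAB attachment is rare and a broken one is usually a partial download of something unwanted.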

Cheers,

Steve
Sanesecurity.com

1 comment:

Chris said...

This is going to be a bit painful in the morning for a lot of people.

Seen a couple of hundred of these come in, all with 'random' names (the only pattern is that the Subject and the attachment name are very similar). The subjects and the message text look completely malicious, so 99% of people 'probably' won't open these. Thankfully our users don't typically get CAB attachments, so we can see them easily enough; blocking them is a different matter though!

Hopefully users won't extract the CAB and then execute the exe, but you never know; we have some determined users that REALLY want to open their attachments.

Keep up the good work
/Chris