Malware Outbreak – December 3, 2014 – UPDATED

Overview

A serious malware outbreak that impacts file shares and computer systems has been detected. It arrives through suspicious emails, links, and PDF attachments. Once a system is infected, PDF files stored locally and on network shares are converted into EXE files, and any unprotected user who opens one of these converted files will have their own system infected.

For a general overview of this virus, please visit http://it.ubc.ca/malware-outbreak.

Protection

As of December 1, 2014, the latest virus definitions from both Sophos and Trend Micro detect the trojan and quarantine compromised files. The current strain has been identified as:

  1. Sophos: Troj/Agent-AKJF
  2. Trend Micro: TSPY_URSNIF.YNV
    Note: there is currently no entry for this in Trend Micro's Threat Encyclopedia.
  3. Payload
    • Sophos: Mal/Generic-S

Affected Services and Departments

  • The infection has been isolated to one group at UBC and their service is being restored as quickly as possible.
  • TeamShare, Workspace and Home Drive file shares are being scanned for the malware, which may affect the performance of these services.

What to do

  • Technical staff: ensure that anti-virus definitions are up to date. If the product in use is something other than Sophos or Trend Micro, check that the vendor has a definition that protects against this strain of the malware. Please do not hesitate to contact security@ubc.ca if you require assistance.
  • Users: install the latest antivirus updates. Do not open any suspicious emails, links, and PDFs.

Infected?

Contact your Departmental IT support staff for assistance or report the issue to the IT Service Centre at www.it.ubc.ca/helpdesk or 604.822.2008.

Detailed Description of the Malware and its Behaviour

When the malware is executed, it drops sppc.exe into %APPDATA%\SoftwareProtectionPlatform\ and also into %WINDIR%\System32\:

Filename: sppc.exe
MD5 Hash: 4ff2c4f8a507912513949980b6a965b8
SHA1 Hash: 5af84c5881adb0aa9ddc565e5f9664fd0f934931
File Size: 164864 Bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
VT Detection Ratio: 18 / 56
VT Analysis Date: 2014-11-27 16:32:26
VT Permalink: https://www.virustotal.com/file/45aa81ff73de5b97ea75e7ba30f73fa25cd3c49c1bce561a90d54b9e20c4b564/analysis/1417105946/

The original executable, RQ231664 Zeiss.exe, also drops a realistic decoy document named "~<random #s>.tmp.pdf":

Filename: ~11.tmp.pdf
MD5 Hash: 72e1e20c297c74d6e8021c45f2ba5f10
SHA1 Hash: da8f1f54a281b98239596a027ffbcbe667cfbc0f
File Size: 581994 Bytes
File type: PDF document, version 1.6
VT No virustotal report found.

This decoy document is a genuine PDF. It is dated 05/25/2010, which makes it over four years old.
The dropped sppc.exe is then executed. It creates a temporary file (later deleted) in %TEMP%:

Filename: ~14F.tmp
MD5 Hash: 527dee9a51e30c9243dd64f6b5ec3dd2
SHA1 Hash: d3601cdbdf7976c30219a110cbf6c8e9ad25e342
File Size: 6144 Bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
VT Detection Ratio: 28 / 56
VT Analysis Date: 2014-11-26 16:17:26
VT Permalink: https://www.virustotal.com/file/fab5d2b187ca96469b57b5fa2062d3bc1574163a125fea6abd35e30116f915be/analysis/1417018646/

This executable is responsible for the code injection and is deleted once the injection succeeds.
Some of the injected code identifies the information theft: it profiles the host by running the following commands and redirecting their output to a file for collection:

cmd /C "systeminfo.exe > %s"
cmd /C "tasklist.exe /SVC >> %s"
cmd /C "driverquery.exe >> %s"

The malware will also set persistence using the following registry key:

RegKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<random key>
Value: %APPDATA%\SoftwareProtectionPlatform\sppc.exe

The malware will attempt to communicate with Command and Control (C2) domains such as the following (the full list contains approx. 140 domains, named similarly to the examples below):

uxitijih[.]com
wznxqzqjis[.]net
whuzujat[.]org

The network communications deliberately mimic a legitimate Windows certificate-revocation check: the request is GET /pki/mscorp/crl/msitwww2.crl with the user-agent Microsoft-CryptoAPI/6.3, the same URI path and user-agent that Windows itself uses when fetching a Microsoft CRL. Alerting on the path or user-agent alone will therefore produce false positives; the distinguishing feature is that the request is sent to one of the C2 domains rather than to a Microsoft host.
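The following Python script is an added example, not part of the original advisory, showing how the URI and user-agent pattern above can be turned into a proxy-log detection that does not fire on genuine Windows CRL checks. The log-line format, the sample lines, and the allowlist of hosts that legitimately serve this CRL path (only microsoft.com here; tune it to the CRL hosts your estate actually contacts) are assumptions; the three C2 domains are the ones listed above.

```python
"""Detect Ursnif-style beacons that imitate a Windows CRL fetch.

A real CryptoAPI revocation check and the malware beacon share the same
path and user-agent, so the rule keys on the *destination host* as well.
"""
import re
from urllib.parse import urlsplit

C2_URI = "/pki/mscorp/crl/msitwww2.crl"
C2_UA = "Microsoft-CryptoAPI/6.3"

# Assumption: hosts under these suffixes legitimately serve the CRL path.
LEGIT_SUFFIXES = ("microsoft.com",)

# Domains taken from the advisory's C2 examples (the full list is ~140).
KNOWN_C2 = {"uxitijih.com", "wznxqzqjis.net", "whuzujat.org"}

# Assumed log format: <epoch> <src_ip> <METHOD> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower().rstrip(".")
    rec["path"] = parts.path
    return rec


def is_legit_host(host):
    """True if the host is one that is expected to serve this CRL."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def is_ursnif_beacon(rec):
    """Behavioural rule: CRL path + CryptoAPI UA + non-Microsoft destination."""
    return (
        rec["path"] == C2_URI
        and rec["ua"] == C2_UA
        and not is_legit_host(rec["host"])
    )


def find_beacons(lines):
    """Return (src_ip, host) pairs for lines matching the behavioural rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_ursnif_beacon(rec):
            hits.append((rec["src"], rec["host"]))
    return hits


def find_blocklisted(lines, blocklist=KNOWN_C2):
    """Return (src_ip, host) pairs for any request to a known C2 domain."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["host"] in blocklist:
            hits.append((rec["src"], rec["host"]))
    return hits


# Constructed sample log: one benign Windows CRL check, two beacons to
# advisory domains, and one unrelated request to a listed domain.
SAMPLE_LOG = [
    '1417105946 10.20.30.40 GET http://crl.microsoft.com/pki/mscorp/crl/msitwww2.crl "Microsoft-CryptoAPI/6.3"',
    '1417105950 10.20.30.40 GET http://uxitijih.com/pki/mscorp/crl/msitwww2.crl "Microsoft-CryptoAPI/6.3"',
    '1417105955 10.20.30.41 GET http://wznxqzqjis.net/pki/mscorp/crl/msitwww2.crl "Microsoft-CryptoAPI/6.3"',
    '1417105960 10.20.30.42 GET http://whuzujat.org/index.html "Mozilla/5.0"',
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for src, host in find_beacons(SAMPLE_LOG):
        print(f"beacon   {src} -> {host}")
    for src, host in find_blocklisted(SAMPLE_LOG):
        print(f"blocklist {src} -> {host}")
```

The two rules are complementary: the blocklist catches traffic to domains you already know about, while the behavioural rule catches the same beacon to any of the remaining C2 domains that are not yet on the list.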

Indicators (post infection)

File Indicator(s):

Filename: sppc.exe
MD5 Hash: 4ff2c4f8a507912513949980b6a965b8

Filename: ~14F.tmp
MD5 Hash: 527dee9a51e30c9243dd64f6b5ec3dd2

Registry Indicator(s):

RegKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<random key>
Value: %APPDATA%\SoftwareProtectionPlatform\sppc.exe
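The following Python script is an added example, not part of the original advisory, showing how the file and registry indicators above can be checked on a host or a file share. The hashes are the ones listed; the sample files it writes to a temporary directory are constructed stand-ins (their contents are not the real malware), and the check for PE executables carrying a PDF-style name is an assumption about what the "PDF converted to EXE" behaviour looks like on disk. The registry check only runs on Windows.

```python
"""Host/share IOC scan for the sppc.exe outbreak indicators."""
import hashlib
import os
import tempfile

# Indicator hashes from the advisory.
BAD_MD5 = {
    "4ff2c4f8a507912513949980b6a965b8": "sppc.exe",
    "527dee9a51e30c9243dd64f6b5ec3dd2": "~14F.tmp",
}
# Tail of the persistence Run-key value (compared case-insensitively).
PERSISTENCE_TAIL = r"softwareprotectionplatform\sppc.exe"


def md5_hex(data):
    """MD5 of a byte string, as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def file_md5(path):
    """MD5 of a file, read in chunks so large share files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path):
    """True if the file starts with the DOS 'MZ' header used by PE executables."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def classify_file(path, bad_md5=BAD_MD5):
    """Return the list of reasons a file is suspicious (empty if none)."""
    reasons = []
    digest = file_md5(path)
    if digest in bad_md5:
        reasons.append(f"known-bad hash ({bad_md5[digest]})")
    # Assumption: a converted document is a PE file whose name still looks like a PDF.
    if ".pdf" in os.path.basename(path).lower() and is_pe(path):
        reasons.append("PE executable with PDF-style name")
    return reasons


def scan_tree(root, bad_md5=BAD_MD5):
    """Walk a directory tree; map suspicious paths to their reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                reasons = classify_file(path, bad_md5)
            except OSError:
                continue  # unreadable/locked file; skip rather than abort the scan
            if reasons:
                findings[path] = reasons
    return findings


def is_persistence_value(value):
    """True if a Run-key value points at the dropped sppc.exe."""
    v = value.strip().strip('"').lower().replace("/", "\\")
    return v.endswith(PERSISTENCE_TAIL)


def check_run_key():
    """Windows only: return (name, value) pairs under HKCU Run that match. [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    hits = []
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            if isinstance(value, str) and is_persistence_value(value):
                hits.append((name, value))
            i += 1
    return hits


def demo():
    """Write constructed sample files and scan them; returns {basename: reasons}."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    samples = {
        "report.pdf.exe": b"MZ" + b"\x00" * 62,       # PE stub with a PDF-style name
        "notes.pdf": b"%PDF-1.6\n% constructed clean file\n",
        "sppc.exe": b"constructed stand-in, not the real dropper",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    # Add the stand-in's hash so the hash rule is exercised without real malware.
    bad = dict(BAD_MD5)
    bad[md5_hex(samples["sppc.exe"])] = "sppc.exe (constructed stand-in)"
    return {os.path.basename(p): r for p, r in scan_tree(root, bad).items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
    for name, value in check_run_key():
        print("persistence:", name, "=", value)
```

On a share, run scan_tree against the mount point; hash matching finds copies of the known droppers, and the PE-with-PDF-name rule surfaces converted documents whose hashes are not in the list.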

Domain Indicators:
There are numerous C2 servers with which communication may be initiated. UBC IT is blocking the domains.

For questions or concerns, please contact the IT Service Centre at www.it.ubc.ca/helpdesk or 604.822.2008