Another Nurech run was spammed today. The gang behind it has been masquerading as various German organizations when spamming out their malware, including GEZ, the German division of Ikea, and quelle.de.
Today we saw a run of mails claiming to be from a dating site named Singel.de:
The mails contained a ZIP attachment, with a file named Singel.de.pdf.exe inside.
When decoding this file, we saw that it attempts to download several more files:
Turns out, most of these URLs will not resolve and were probably put in there just to throw us off. However, the link ending with "tss0.txt" does work, giving out two lines of text:
Now, this looks like a URL encoded with an 8-bit constant, doesn't it?
And in fact, it's encrypted by running XOR 0x02 on each byte. An easy way to decrypt something like this is to use the Edit feature in HIEW hex editor.
And with this we get to the decrypted content, which is a link to yet another piece of malware:
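The same decoding step, as an added example that is not part of the original post and not the HIEW procedure described above: it XORs every byte of the downloaded text with the constant 0x02 in Python, and also recovers the key from a known plaintext prefix ("http") for the case where the constant is not yet known. The sample blob is constructed from a placeholder URL, not the real download location.

```python
"""Single-byte XOR decoding of a downloaded URL blob.

Added example (not code from the original post). The post describes a
text file whose bytes are XOR-ed with the constant 0x02; this reproduces
the decoding in Python instead of HIEW and recovers the key from a known
plaintext prefix. The sample data is constructed; no real malware URL.
"""
from typing import List, Optional

KEY = 0x02  # the constant reported in the post

# Constructed sample: a placeholder URL, NOT the real download location.
PLAINTEXT = b"http://example.invalid/placeholder.exe\r\n"
SAMPLE = bytes(b ^ KEY for b in PLAINTEXT)  # what the fetched text would look like


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with the same 8-bit key (XOR is its own inverse)."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def recover_key(data: bytes, known_prefix: bytes = b"http") -> Optional[int]:
    """Return the single-byte key under which data decodes to known_prefix.

    With a one-byte key there is exactly one candidate: first ciphertext
    byte XOR first plaintext byte. It is accepted only if the whole prefix
    decodes correctly; otherwise the blob is not single-byte XOR of a URL.
    """
    if len(data) < len(known_prefix):
        return None
    candidate = data[0] ^ known_prefix[0]
    if xor_single_byte(data[: len(known_prefix)], candidate) == known_prefix:
        return candidate
    return None


def decode_lines(data: bytes, key: int) -> List[str]:
    """Decode the blob and split it into text lines (CRLF or LF)."""
    return xor_single_byte(data, key).decode("latin-1").splitlines()


if __name__ == "__main__":
    k = recover_key(SAMPLE)
    print(f"recovered key: 0x{k:02x}")
    for line in decode_lines(SAMPLE, k):
        print(line)
```

If the first byte does not yield a key that decodes the whole prefix, the encoding is something other than a single repeated byte, which is the caveat worth checking before assuming the trick in the post.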
We're in the process of shutting down the offending site. Also, we detect the dropped samples as Trojan-Downloader:W32/Nurech.BB and the downloaded sample as Trojan.Win32.Agent.aeq.