Analyzing Ransomware Emails

Discussion in 'malware problems & news' started by Rmus, May 22, 2016.

  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Someone who has my name/email in their address book has been compromised! For several days, I received 2 - 3 emails with attachments daily. It's stopped.

    I think they were from the same address because my first name was capitalized in all cases. Unusual, because I do not capitalize it in my email address.

    Here is the text from several:

    All but two attachments are zipped JS files. They scanned as Ransomware. They contain a URL which is obfuscated thusly:

    Code:
    "htt"+"p:"+"//h"+"on"+"xxx"+"tay"+"s."+"co."+"xx"+"/s"+"aj"+"xxx"+"af"+"a";______zabxxxx = "G\x45"+"T";
    

    Also in the JS files is syntax for wscript.exe:

    Code:
     terms /* _r_cmt */ = "W"+"S"+"c"+"ript";
The other attachments are MSWord documents with macros. They also scanned as Ransomware. Current MSOffice programs by default do not auto-run embedded macros, so an extra user step is required for this exploit to be successful.

    I am no longer set up to test malware, but I'm curious as to what type of file the payload is that gets downloaded via the embedded URLs.

    Email servers in organizations can be configured to block attachments with JS files.

    Home users -- well, that is another case. One would think that if file extensions were set to hide (depends on the OS), this would be an easy exploit against the unaware user whose security policies didn't include not opening attachments unverified from the source.

    ----
    rich
     
    Last edited: May 22, 2016
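The obfuscation quoted in the post above (string fragments joined with +, a hex escape such as \x45 hiding "GET", a block comment dropped into the middle of an assignment) and the attachment policy it points at (block script files even when they sit inside a zip, flag Office documents that carry macros) can both be exercised statically without running the sample. The script below is an added example for this thread, not code from the original post or from any of its posters: it folds the concatenated literals, decodes the escapes, and walks the attachments of a message. The .eml, the zip, the .docm stub and the variable name ______urlxxxx are constructed here; the URL and GET fragments are the ones quoted in the post with their xxx redactions left in place, and the ActiveXObject(... "Shell") line is an assumption about what such a dropper does next.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Script-host extensions a gateway would block bare or inside an archive.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Names a WSH downloader either calls directly or rebuilds from fragments.
WSH_NAMES = {"WScript", "ActiveXObject", "GET", "MSXML2.XMLHTTP",
             "ADODB.Stream", "Shell"}

# Constructed dropper body: the two quoted snippets (xxx redactions kept)
# plus an assumed ActiveXObject call; ______urlxxxx is a made-up name.
SAMPLE_JS = r'''var ______urlxxxx = "htt"+"p:"+"//h"+"on"+"xxx"+"tay"+"s."+"co."+"xx"+"/s"+"aj"+"xxx"+"af"+"a";______zabxxxx = "G\x45"+"T";
var terms /* _r_cmt */ = "W"+"S"+"c"+"ript";
var sh = new ActiveXObject(terms + ".Shell");
'''

STRING_LIT = r'"((?:[^"\\]|\\.)*)"'
CONCAT = re.compile(STRING_LIT + r'\s*\+\s*' + STRING_LIT)
URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def fold_strings(js):
    """Strip /* */ comments, then merge "a"+"b" chains into "ab" until stable."""
    js = re.sub(r'/\*.*?\*/', '', js, flags=re.S)
    while True:
        folded = CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), js)
        if folded == js:
            return js
        js = folded


def decode_escapes(s):
    """Resolve \\xHH and \\uHHHH escapes that hide keywords such as GET."""
    s = re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r'\\u([0-9A-Fa-f]{4})', lambda m: chr(int(m.group(1), 16)), s)


def extract_indicators(js):
    """URLs and WSH-related names recoverable by static folding alone."""
    folded = fold_strings(js)
    literals = [decode_escapes(m.group(1)) for m in re.finditer(STRING_LIT, folded)]
    urls = sorted({u for lit in literals for u in URL_RE.findall(lit)})
    text = folded + "\n" + "\n".join(literals)
    return {"urls": urls, "names": sorted(n for n in WSH_NAMES if n in text)}


def inspect_zip(data):
    """Members of a zip, the script members' text, and whether VBA is present."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
        scripts = {m: zf.read(m).decode("utf-8", "replace") for m in members
                   if any(m.lower().endswith(e) for e in SCRIPT_EXTS)}
    # Macro-enabled OOXML files (docm/xlsm/pptm) carry a vbaProject.bin part.
    macro = any(m.lower().endswith("vbaproject.bin") for m in members)
    return {"members": members, "scripts": scripts, "macro": macro}


def triage_message(raw):
    """Walk each attachment of a raw RFC 5322 message; return the findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in SCRIPT_EXTS:                       # bare .js etc.
            findings.append({"attachment": name, "verdict": "bare script",
                             "indicators": extract_indicators(data.decode("utf-8", "replace"))})
        elif data[:2] == b"PK":                      # zip, docm, xlsm, ...
            info = inspect_zip(data)
            for member, body in info["scripts"].items():
                findings.append({"attachment": name + ":" + member, "verdict": "zipped script",
                                 "indicators": extract_indicators(body)})
            if info["macro"]:
                findings.append({"attachment": name, "verdict": "Office VBA macro",
                                 "indicators": {"members": info["members"]}})
    return findings


def build_sample_eml():
    """Constructed message: a zipped .js dropper plus a macro-bearing .docm stub."""
    zbuf, dbuf = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("attachment_xxx.js", SAMPLE_JS)
    with zipfile.ZipFile(dbuf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00stand-in, not a real VBA stream")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "sample"
    msg.set_content("See attached.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="attachment_xxx.zip")
    msg.add_attachment(dbuf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="attachment_xxx.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in triage_message(build_sample_eml()):
        print(f["attachment"], "->", f["verdict"], f["indicators"])
```

Run as-is it reports the zipped script with the folded URL and the names GET, WScript, ActiveXObject and Shell, and the .docm as carrying a VBA project. The folding is purely textual, so it only handles literal-to-literal concatenation and \x/\u escapes; a sample that assembles its strings with array joins, String.fromCharCode or eval needs a JS interpreter or a sandbox rather than regexes. The SCRIPT_EXTS set is the same list one would put into a mail gateway's attachment filter, and checking inside archives is the part that matters, since the attachments in the post arrived zipped.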
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    Hi Rich

    Just reading those E-mails, it's so obvious that anything attached is nasty. The only ones I even open are emails a couple of friends send me to see if they are bad. They usually are. Best defense is what's between the ears.

    Cheers,

    Pete
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Not necessarily. Your e-mail address and name can be had from any number of other sources as evidenced by the number of hacked organizations these days.


    http://www.bndsys.com/SupportDocs/SecurityDocs/HiddenMenace.pdf

My advice has always been to use an e-mail client and set it to receive all e-mail in text-only format - that alone removes the risk of embedded malware links. Also, the e-mail client must be set not to auto-open attachments.

Web mail ............. well, using that is akin to playing Russian roulette with 5 bullets loaded in a 6-bullet-capacity revolver.

    -EDIT- You also might find this recent posting of mine interesting if you didn't read it yet: https://www.wilderssecurity.com/threads/ransomware-and-recent-variants.384890/page-3#post-2589982
     
    Last edited: May 22, 2016
  5. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    221
    Nah.

If you are social-engineered, you'll execute a link or attachment from the web or local client; the end game is the same.

    But webmail, say gMail, one never needs to have the attachments even initially egress the network, and furthermore, he has the capability to open said attachment in the cloud.

    Add in baked-in tech like Google's Postini/scanning--you'd have to be pretty daft/unlucky to get malware via email. So AFAIC, webmail like gmail is actually more secure as far as malware goes.

    Re your link: " most of the ransomware attachments came in under 340k while most(99%) of their inbound legitimate business attachments were between 450k-15Mb"

    Your link shows a Cylance post. And you just booted most dank memes people are sent under the premise of killing one class of malware or better yet an indicator that's bypassed by padding the file. And only 99% effective..pffft...what, do you think I'm a farmer?
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
It was a reply to a thread topic of 'Cylance vs Symantec.' It also specifically applies to corp. e-mail. Since the person works for a concern that supports 32,000 servers/clients, I don't think he was spreading a bunch of FUD on the technique.
     