Over the past week we have been monitoring (and blocking) a stream of malicious emails posing as legitimate Amazon purchase confirmations. The messages simply state that your order has been confirmed and contain a few details. The targeted user is directed to the attached .doc file for the shipping and tracking details.


In order for the .doc (MD5sum=998692c0e93d4821c069aa96ddff800c) to actually infect the user’s machine, the user must have macros enabled in MS Word. Thankfully for most users, macros are disabled by default in current versions. However, for those who already have them enabled or choose to follow the prompt and enable them, an infection will occur. The malware contained in these messages is identified as part of the Fareit malware family. This family of malware is often distributed via Word documents with malicious macros embedded and has been known to drop multiple malware variants on the target machine.

In this particular case the malware quickly goes to work attempting to steal your Outlook password along with website passwords from various browsers such as Firefox, IE, Chrome and Opera. It then attempts to harvest account credentials for a lengthy list of FTP clients and multiple file storage programs. In addition, it begins pilfering the target machine for just about every type of cryptocurrency in existence, including:

This behavior (stealing cryptocurrency) is something we have been seeing with more frequency as of late. The anonymous nature and lack of regulation in the cryptocurrency market make it more akin to stealing actual cash than to committing wire fraud by raiding someone’s online bank accounts. But in this case the cybercriminals are OK with that too… The last observed behavior was to drop a copy of the Zeus Trojan to be used to capture and steal bank-related information.

Recently, we learned of a federal data breach involving the personal records of around four million current and former government employees. While information about the scope of the attack is still developing, we do know that US investigators are saying that it could affect nearly every government agency and is likely the largest federal government data breach to date. US investigators believe they can trace the attack to the Chinese government, claims that Beijing has called baseless.

In regard to cybersecurity, relations between the US and China haven’t been the best in the past. Each side has pointed fingers over cyberattacks before, with the US saying not too long ago that the Chinese government may have stolen terabytes worth of data about a new jet fighter being developed. This latest attack further reinforces the idea that nations are moving towards cyber warfare with each other. These sorts of attacks are becoming more and more common in the news, and we’re now seeing nations forming cybersecurity divisions devoted to protecting national security as well as having offensive capabilities.

With over four million records stolen of government employees in this breach, a question that comes up is “what will they do with all of that data?” US officials believe China is trying to compile a large database of Americans’ sensitive data, but they are unsure of the purpose of that database. While they may just take the stolen data and save it, it’s possible there could be other ideas in store for it, such as fraud and impersonation. The data could be sold to other governments that may want it for their own use for attacks, or they could even use the information gained to have further successful attacks in the future.

This is also a grim reminder that anyone with sensitive data needs to stay on top of security. Whether you are a small business or a national government, there is always someone out there who wants to get hold of your data. It was mentioned that this breach occurred right before the adoption of tougher security controls. In this instance, they were unfortunately too late, but this is a good illustration of why putting off updates and security upgrades can be a bad idea. If there is a soft spot in security somewhere, it’s just a matter of time before an attacker finds it and exploits it.

Early this morning, right around the start of the business day over here in the States, we began seeing a malware campaign hitting our filters that masqueraded as UK music licensing firm PPL. Even though it looks like this was a cast-net style attack where both US domains and British domains were targeted, the time of day this was launched was certainly centered around US targets starting their workday.

The email states that the recipient needs to pay licensing fees associated with playing recorded music at their premises. This is usually reserved for bars with jukeboxes or other businesses such as restaurants that play music for their guests or show television programs with copyrighted material. However, these emails weren’t only sent to businesses that this would apply to; they were sent to a huge swath of possible victims regardless of the services they provide. The information provided in the email is well presented, with links that actually lead to the PPL site, and the corresponding contact information is also correct. The danger here lies in the attachment that is supposed to be an invoice for the incurred fees. It is a Word document by the name of “P_PP_INVN_02573466_01-43-52_03657322_NEWBUS_O_E.DOC”, not the most eloquent of naming conventions, but likely busy on purpose to add to the confusion. This Word file, as has been popular as of late, contains a malicious macro that reaches out to the domain g6000424.ferozo.com in order to pull down more malicious files onto the victim machine. Furthermore, these files reach out to the IP which belongs to a company in Thailand by the name of Internet Thailand Company Limited, which appears to be a cloud service provider. One of the files downloaded, named “10.exe”, belongs to the Dridex family of banking Trojans, which are commonly found in these malicious macro style attacks. Dridex relies on these Word documents and associated macros to steal online banking credentials.


End of life (EOL) is approaching. July 14, 2015 is an important date to note if your organization is still running Microsoft Windows Server 2003. After this date, extended support will end and Microsoft will no longer deliver critical security patches or updates. Being slated by some as one of the “biggest security risks of 2015,” there are major threats to your organization if migration is forgone or delayed past this deadline. This official alert from the US Department of Homeland Security warns of the possible consequences facing those who do not take action, including cybersecurity threats as well as compliance and compatibility issues.

Plan ahead! Doing a migration after a server has failed will not only increase server maintenance costs, but will also put your data at risk and result in lost productivity. By moving to the cloud, you can reduce your costs and grow your business. AppRiver has solutions for you in both our Secure Hosted Exchange and Office 365 services. There are a few initial steps that our team can help you complete, and depending on which platform you’re coming from, we can easily migrate your email messages, folders, calendars, contacts and notes. We understand that migrating your email and services can be a stressful transition, but our 24/7 Phenomenal Care™ team will be with you every step of the way, eliminating the guesswork and helping you transition with confidence.

This morning we had a malware campaign with zipped SVG files attached to the messages. SVG files are normally used for images and support some interactive features; an example would be a graph on a webpage that shows some info when hovering over an option. These SVG files, however, contained a small JavaScript entry that would open a webpage to download some malware.
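The campaign above relies on an image format that is allowed to carry script. As an added example (not code from the original post or from AppRiver), the following Python scanner inspects a bare .svg or a .zip wrapping .svg files for active content a mail filter would want to flag: `<script>` elements, `on*` event-handler attributes, and `javascript:` hrefs. The sample SVGs and the URL in them are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET


def scan_svg_bytes(data: bytes) -> list:
    """Return (reason, detail) tuples for active content found in one SVG document."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:          # malformed XML is itself suspicious in an "image"
        return [("unparseable", str(exc))]
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()   # strip the XML namespace prefix
        if tag == "script":
            findings.append(("script-element", (elem.text or "").strip()[:80]))
        for name, value in elem.attrib.items():
            local = name.split("}")[-1].lower()
            if local.startswith("on"):          # onload, onclick, onmouseover, ...
                findings.append(("event-handler", f"{local}={value[:80]}"))
            if local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(("javascript-uri", value[:80]))
    return findings


def scan_attachment(name: str, data: bytes) -> list:
    """Handle a bare .svg attachment or a .zip that wraps one or more .svg files."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        results = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(".svg"):
                    results.extend((info.filename, r) for r in scan_svg_bytes(zf.read(info)))
        return results
    return [(name, r) for r in scan_svg_bytes(data)]


def build_zip(members: dict) -> bytes:
    """Constructed helper: pack {filename: bytes} into an in-memory zip, like the attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


# Constructed samples: a harmless image and one carrying script (URL is a placeholder).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
MALICIOUS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
                 b' onload="window.open(\'http://example.invalid/dl\')">'
                 b'<script>window.open("http://example.invalid/dl");</script>'
                 b'<a xlink:href="javascript:void(0)"><text>open</text></a></svg>')
```

Anything returned by `scan_attachment` is grounds to quarantine the message rather than render the attachment.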


The IP link in question ends up forwarding to another domain where a zip containing the actual exe payload is downloaded. It didn’t auto-execute; user interaction would still be needed for that. The payload this time around is Cryptowall. When the file executes it creates HELP_DECRYPT.TXT, HELP_DECRYPT.PNG, HELP_DECRYPT.HTML, and HELP_DECRYPT.URL files, all of which have been associated with Cryptowall infections. Searching any of those file names online brings up many write-ups on the virus family. It also created a public RSA key and entered it into the registry (the key used when encrypting the files). After just a few minutes, the Cryptowall 3.0 popup indeed appeared with steps to pay. Crypto ransomware has proven many times that it is effective for attackers in getting users to actually pay the ransom. The tactic is still alive and likely to continue evolving. With the attacks still being prevalent, it’s a good idea to make sure you are covered with data backups that cannot be accessed by the malware (it’s been known to encrypt network shares and NAS units).


The original notification pop up on the PC


The website on Tor showing how to pay the $700 to decrypt files.



An interesting bit of info I noticed while looking at the downloaded exe was that it had SQL commands hard-coded in it. Looking closer, they all seemed related to a school’s SQL database. Some of the recipients we stopped this malware for were schools, but nothing seemed out of the ordinary with the volume of recipients, which was low in general. It’s possible the malware had intentions beyond encrypting, like wreaking havoc in a SQL database, but this came from a strings output so it was all plain text, and the table naming conventions seem a little too plain as well. Still, someone knowing SQL table names, or a school using a plain naming convention, could be at risk if the malware were to attempt to gain access and do its thing. It’s also a known tactic for malware authors to add in code that isn’t used, or code that fluffs up functions, to distract from analysis and make analyzing more complex and time consuming, so that’s a possibility. While these appeared to be part of valid functions, it looks like they were not used during testing, though it’s possible that very specific parameters needed to be met for this to go active and attempt SQL changes.


Also, there was some ASCII art in the strings output. I had originally posted this upside down, but after flipping it, it appears to be an animal holding a heart.
