The dreaded Monday. While workers are guzzling coffee to get ready for the work week, cybercriminals are ramping up to take advantage of the Monday blues, flooding the Internet with massive volumes of spam, phishing and malware email in the hope of tricking unsuspecting users. This past Monday was no exception and ushered in a large CIBC (Canadian Imperial Bank of Commerce) phishing campaign.

Screenshot of the CIBC banking scam email.

As you can tell from the screenshot above, the email is crude in structure and straight to the point. Our team saw over 100 live samples of this campaign, which gives a sense of how big the push was. There was little variation between the samples: the body remained static while the sender's address, source IP and URLs varied. The links in the emails followed a similar structure, visually resembling an official CIBC URL. For instance, the string "HTTPS" was inserted into the fake domain name itself to fool the user into thinking the link uses a secure HTTPS connection when in fact it does not. Each URL was also suffixed with the recipient's email address, presumably so the operators can tell which recipients clicked.
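As an added example (not code from the AppRiver post), here is a small Python heuristic that flags the tricks described above: a scheme word such as "https" buried in the hostname, a brand name in a hostname whose registered domain is not the brand's, and a recipient address appended to the path, query or fragment. The sample URLs are constructed for illustration and are not the real campaign links, the legitimate domain list is an assumption, and the registered-domain logic is a two-label approximation (a production filter would use the Public Suffix List).

```python
import re
from urllib.parse import urlparse

# Constructed sample links in the style described above; none is a real campaign URL.
SAMPLE_URLS = [
    "http://cibc-https-online.example-host.net/login/?user=victim@example.com",
    "https://www.cibc.com/ca/personal.html",
    "http://secure.https.cibc.example.org/verify.php#victim@example.com",
]

BRAND_WORDS = {"cibc"}                              # brand the lure impersonates
SCHEME_WORDS = {"https", "http", "ssl", "secure"}   # words that fake a "secure" look
LEGIT_DOMAINS = {"cibc.com"}                        # assumed legitimate registered domain
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    A real filter should consult the Public Suffix List (e.g. for co.uk)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def hostname_words(host: str) -> list:
    """Split a hostname into words: its labels and their hyphen-separated parts."""
    return [part for label in host.lower().split(".") for part in label.split("-")]


def assess_url(url: str) -> list:
    """Return a list of findings; an empty list means nothing looked off."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registered_domain(host)
    if reg in LEGIT_DOMAINS:
        return []                                   # known-good registered domain
    findings = []
    words = hostname_words(host)
    for w in words:
        if w in SCHEME_WORDS:
            findings.append(f"scheme word '{w}' inside hostname")
    for w in words:
        if w in BRAND_WORDS:
            findings.append(f"brand '{w}' in hostname but registered domain is {reg}")
    # Per-recipient tagging: the victim's address appended to the path, query or fragment.
    tail = "?".join([parsed.path, parsed.query]) + "#" + parsed.fragment
    match = EMAIL_RE.search(tail)
    if match:
        findings.append(f"recipient address embedded in URL: {match.group(0)}")
    return findings


def scan(urls) -> dict:
    """Map each URL to its findings, for a batch of links pulled from an email."""
    return {u: assess_url(u) for u in urls}


if __name__ == "__main__":
    for url, found in scan(SAMPLE_URLS).items():
        print(url, "->", found or "ok")
```

The check deliberately looks at hostname words rather than substrings, so a legitimate host such as secure.cibc.com is cleared by its registered domain before any word matching happens.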

At the time of this writing, the links are no longer live and the sites have been taken down. Most phishing campaigns are active for only 24 to 72 hours, which helps the spammers avoid being tracked by law enforcement; it is also possible that an outside entity took the sites down. Our team has written several AppRiver SecureTide rules to block these emails, and they have blocked over 27,000 messages so far.

Virus traffic has been huge so far in 2016, mostly thanks to ransomware, and in particular Locky distributed by the Necurs botnet. We have been seeing daily malware traffic counts in the tens of millions here for some time now. That, of course, has its ups and downs, but for the past three weeks it has been almost entirely downs: roughly 3 to 10 million malicious attachments a day, a significant decrease from the previous months' traffic. Around noon today, however, we noticed a sharp increase in virus traffic once again.

Chart of the virus traffic jump, 2016.

In the few hours since the malware started coming in steadily, we are at a little over 80 million for the day so far. This is likely related to what other organizations have reported about the Necurs botnet essentially going offline around June 1st. Necurs has been blamed for the huge volumes of Locky- and Dridex-related malware this year. The botnet was not taken down earlier this month; it simply stopped controlling its infected computers. With today's Locky campaigns looking very similar to what we have seen before, it appears Necurs is coming back and ramping up. Whether this is a temporary spike or a return to pre-June 1 "normalcy" is too early to tell.

Sample Locky email from the Necurs campaign.

As for the campaign itself, multiple different .js files are coming in, most of them slight variations in format. The few I checked on VirusTotal had 2/54 detections, so few AV vendors are catching the file itself (though they may trigger on execution or on other actions the malware takes). So far, the malware traffic behind this spike has been handled by rules added one to three months ago. Some of these matched because the .js malware is so similar to previous campaigns, and other rules added a few months ago are only now hitting today. Trying to stay ahead of malware and planning for future variations pays off: in situations like this, entire campaigns can be stopped at the first message. As always, we are keeping a close eye on the traffic and monitoring for new variations or changes, and our SecureTide customers remain protected.

You have a package that is trying to deliver itself to you, but it is not shipping via FedEx. The latest version of the malware family known as "Fareit" is circulating via email posing as a FedEx shipment notification. The messages appear to contain a shipping receipt for a package that the courier was unable to deliver. The attached file, although it has ".PDF" in its name, is actually an archive created with the open source 7-Zip archiver. Inside the compressed archive is an executable (.exe) containing the Fareit malware.
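The two attachment tricks above, the bare .js downloaders from the Locky campaign and the 7-Zip archive with ".PDF" in its name, are both caught by the same kind of check: judge an attachment by its bytes and its full chain of extensions, not by the last extension alone. The following Python is an added example and not AppRiver's filtering code; the attachments it triages are constructed in memory (the 7-Zip sample is only a signature plus padding, not a valid archive) and the extension and signature tables are a small, assumed subset of what a mail filter would carry.

```python
import io
import zipfile

# Magic-byte signatures for the container and payload types this check cares about.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),
    (b"MZ", "exe"),
]
# What the declared extension claims the bytes should be.
EXT_TO_TYPE = {"pdf": "pdf", "7z": "7z", "zip": "zip", "rar": "rar", "exe": "exe",
               "doc": "ole", "xls": "ole", "docx": "zip", "xlsx": "zip"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "bat", "cmd", "ps1", "scr", "exe", "pif"}
ARCHIVE_TYPES = {"7z", "zip", "rar"}


def sniff(data: bytes) -> str:
    """Identify the content type from its leading bytes, ignoring the file name."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def triage(name: str, data: bytes, depth: int = 0) -> list:
    """Return verdict strings for one attachment, recursing into zip members."""
    verdicts = []
    exts = name.lower().split(".")[1:]
    declared = exts[-1] if exts else ""
    actual = sniff(data)
    if declared in SCRIPT_EXTS:
        verdicts.append(f"script-ext:{declared}")
    # "receipt.pdf.7z" style names: a document extension followed by a script/archive one
    if len(exts) >= 2 and exts[-2] in DOC_EXTS and declared in SCRIPT_EXTS | ARCHIVE_TYPES:
        verdicts.append(f"double-ext:{'.'.join(exts[-2:])}")
    # ".PDF" in the name but 7-Zip bytes on disk: the Fareit trick
    expected = EXT_TO_TYPE.get(declared)
    if expected and actual != "unknown" and actual != expected:
        verdicts.append(f"mismatch:{declared}!={actual}")
    if actual == "zip" and depth < 2:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for v in triage(member, zf.read(member), depth + 1):
                        verdicts.append(f"{member}:{v}")
        except zipfile.BadZipFile:
            verdicts.append("bad-zip")
    elif actual in ARCHIVE_TYPES:
        # No stdlib 7z/rar reader: hand the container to a separate extraction step.
        verdicts.append(f"opaque-archive:{actual}")
    return verdicts


def build_samples() -> dict:
    """Constructed attachments for demonstration; none is a real campaign file."""
    seven_zip = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26   # header bytes only, not a valid archive
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_0612.js", "var sh = new ActiveXObject('WScript.Shell');")
    return {
        "FedEx_Receipt.PDF": seven_zip,        # name says PDF, bytes say 7-Zip
        "Shipping_Label.pdf.7z": seven_zip,    # double extension
        "invoice_0612.zip": buf.getvalue(),    # zip wrapping a .js downloader stub
        "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    }


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        print(f"{fname}: {triage(fname, blob) or 'clean'}")
```

The name-versus-bytes mismatch is the verdict that matters for the Fareit lure: a user sees ".PDF", but the filter sees a 7-Zip header, and an archive that cannot be opened in line is flagged as opaque rather than passed through.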

The Fareit malware family has been circulating for a few years now. It is an information stealer that targets FTP credentials, email passwords and browser-stored passwords. During our dynamic analysis we observed all of the above after the malware disabled local security tools. After scraping the machine for those credentials, it established an outbound connection and pulled down a copy of the ever-popular Zeus Trojan. Once the Zeus infection is in place, the attacker can gather further credentials such as banking information. In addition to having their data stolen, victims' machines can be used to perpetuate more attacks or to take part in future DDoS attacks.

Screenshot of the FedEx-themed malware email.

Screenshot of the 7-Zip archive contents.

With ransomware attacks garnering all the attention lately, it is easy to forget that information-stealing malware like this can be equally, and in many cases far more, damaging. The impact of a ransomware attack that encrypts all of your files depends greatly on how important those files are and how well they were backed up. Being unknowingly infected with Fareit/Zeus, on the other hand, leads to the theft of your sensitive credentials, which in turn leads to further data theft, credit fraud and even identity theft. Of course, comparing the two is a little like comparing a punch in the stomach to a finger in the eye: both leave you feeling violated, each in its own way. The best way to avoid being victimized by these attacks is to avoid being exposed to them in the first place. As usual, all of our SecureTide customers are currently protected from this threat.

Malicious macros are nothing new. They have been around for years and will likely stay for years to come. Macros themselves are not the enemy, though; they can be a very powerful tool for automating complex tasks within a document. Malware authors, however, use that power for evil by writing bits of code that download and execute malicious files when the document is opened on a victim's machine. Macros are disabled by default in current Office products, but the user still gets a security warning asking whether to enable them. Since most users do not know what this means, and the document often claims the macro must be enabled to see the actual content, people click "Enable Content" and it goes downhill from there.


Clicking “Enable Content” will run the malicious macro and download malware to the machine.


But macros are not the only threat when it comes to malicious document attacks. Office documents also support Object Linking and Embedding (OLE), and Microsoft recently published a blog post about OLE malware. While OLE is not new either, it is now being used for malicious purposes as well. These documents are often formatted much like the macro documents, telling you to click something to see the content, but you do not get the macro warning banner when opening the file. As with macros, OLE is supported in both Word and Excel.


OLE support is in both Excel and Word.



The benefit for an attacker using OLE is that the payload is carried as an OLE object inside the document itself, whereas most macro malware reaches out to a server on the Internet, downloads the payload and then executes it. OLE malware is an all-in-one delivery package. The embedded object can be whatever file the attacker pleases (exe, vbs, js, etc.), and it is executed when the user activates the object.
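Because a modern Word or Excel file is a zip container, both indicators discussed above (a macro project and an embedded OLE object carrying an executable) can be found without opening the document in Office. The Python below is an added example, not Microsoft's or AppRiver's code: it lists the container, flags a vbaProject.bin part as macro-enabled, and scans each part under an embeddings/ folder for the OLE compound-file header, the Ole10Native stream name that Packager objects use (stored as UTF-16LE in the compound-file directory), and the PE markers of an embedded .exe. Scanning the raw bytes instead of walking the compound-file directory is a deliberate shortcut; a proper parser such as olefile would read the stream itself. The sample documents are constructed in memory and are not real malware, and legacy binary .doc files (themselves compound files) would need that proper parser rather than zipfile.

```python
import io
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # OLE compound file header
OLE10_NATIVE = "Ole10Native".encode("utf-16-le")         # stream name used by Packager objects
DOS_STUB = b"This program cannot be run in DOS mode"     # present in nearly every PE file


def inspect_ooxml(doc: bytes) -> dict:
    """Inspect an Office Open XML container (docx/docm/xlsx/xlsm) for macros and embedded OLE objects."""
    report = {"macros": False, "embedded": [], "alerts": []}
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):
                report["macros"] = True                    # VBA project present: macro-enabled file
            if "/embeddings/" in low:
                blob = zf.read(name)
                report["embedded"].append(name)
                if not blob.startswith(CFB_MAGIC):
                    continue                               # not a compound file (e.g. a bare image)
                # Heuristic: scan the raw blob rather than walk the compound-file directory.
                if OLE10_NATIVE in blob:
                    report["alerts"].append(f"{name}: Packager object (Ole10Native stream)")
                if b"MZ" in blob and DOS_STUB in blob:
                    report["alerts"].append(f"{name}: embedded PE executable")
    return report


def build_sample_docx(embedded: bytes = b"", macros: bool = False) -> bytes:
    """Constructed minimal OOXML container for demonstration (not a real malicious document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document>Double-click the icon to view...</document>")
        if macros:
            zf.writestr("word/vbaProject.bin", CFB_MAGIC + b"\x00" * 32)   # header only
        if embedded:
            zf.writestr("word/embeddings/oleObject1.bin", embedded)
    return buf.getvalue()


def fake_packager_object() -> bytes:
    """Constructed bytes that look like a Packager object wrapping an .exe (header and markers only)."""
    return (CFB_MAGIC + b"\x00" * 24 + OLE10_NATIVE + b"\x00\x00"
            + b"invoice.exe\x00" + b"MZ\x90\x00\x03" + DOS_STUB)


if __name__ == "__main__":
    print(inspect_ooxml(build_sample_docx()))
    print(inspect_ooxml(build_sample_docx(macros=True)))
    print(inspect_ooxml(build_sample_docx(embedded=fake_packager_object())))
```

A document with an embedded object is not malicious by itself (an embedded image is an OLE object too), which is why the check reports the embedding list separately from the alerts and only raises an alert on the compound-file plus Packager or PE markers.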

Extracting the contents of the document shows the executable inside the OLE object.



Many AV engines, as well as our filters, can detect and block these threats. But as with all other malware, the authors are constantly looking for ways to bypass filtering and detection. Macro and OLE malware is especially dangerous in a business setting, since handling documents is a normal day-to-day task for most people, and by default a Windows user has permission to run a macro or open an OLE object. After all, these Office features do have legitimate uses. Fortunately, if you wish to block them outright on your machines and not even give users a choice, it can be done with registry edits and Group Policy: Office's VBAWarnings security value can be set to 4 to disable all macros without notification, and its PackagerPrompt value can be set to 2 so that embedded Packager objects neither prompt nor execute. These days it may be worth IT departments' while to enforce these blocks. With document malware like this likely to stay around, disabling these mostly unused features adds another layer of security.


This week, AppRiver's security research team began seeing an Outlook Web App phishing campaign, with more than 2,200 attempted attacks at the time of this post. The campaign poses as an Outlook Web App mailbox upgrade notification, attempting to convince the recipient that his or her IT administrator will be upgrading the email system to "Microsoft Outlook Webaccess 2015" (which, by the way, does not exist) and that he or she must click the provided link to begin the upgrade.

Screenshot of the OWA upgrade scam email.


The sample in the screenshot above shows a graphic that the spammers manipulated to resemble the Microsoft Exchange 2010 Outlook Web App interface, with the upgrade notification superimposed on it. Our security research team combed through several samples of the campaign and noted that the link followed a common URL structure in each email while the domain names varied. Clicking the "Click Here" link prompts the user to enter his or her login credentials to begin the "update."

Screenshot of the fake OWA login page.

Going back to the email itself, the spammers inserted into the body a message stating that another image could not be loaded, prompting the user to click the provided link to view it in a Web browser. This was a clever ruse, as that link also redirects to the fake login page. After we entered fake credentials, the page redirected to the official Microsoft Office 365 website while the now-stolen credentials were submitted directly to the spammers. AppRiver's Message Sniffer continues to filter these messages, and our team will continue to monitor this campaign.