Abcam is a company that produces and distributes research-grade antibodies and associated products. A seemingly unlikely company to spoof for a malware campaign, but it has been done now. We see fake emails about court dates, jury summons, missing packages, etc. all the time. One thing many of them do is use images hosted on other people’s websites, or even on the website of the actual business they are spoofing. This lets the malware authors send out nicely formatted HTML email with pictures served using someone else’s bandwidth.


In this case, Abcam found out they were the chosen victim company, and the emails were using the blue banner hosted on their website. When you hot-link an image (or really anything), the owner of the site it is hosted on still retains control of what that URL actually serves. Below is what was being sent out to people, with a malicious XLS file attached.


Abcam did make a post about this, but when I went to look at some samples we were seeing here (caught by a virus rule from earlier in the year), I noticed they had changed their banner to try and give a heads-up to users receiving the spoofed messages.

[Screenshot (11/24/2015): the replaced Abcam banner]


I like this idea and believe it is a pretty good move on a company’s part to try and give people a heads-up that the email should not be trusted. Because the image is loaded live, even someone who received the message hours ago will still see the new banner warning them when they go to view it. Though the spoofed messages are in no way the victim company’s fault, it is still a nice proactive step against people using their name for malicious purposes.
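As an added example (my own code, not Abcam’s or AppRiver’s), here is a small Python check that parses a message and lists remote images whose host does not belong to the sender’s domain, which is exactly the hot-linking pattern these spoofed emails rely on. The sample message and its domains are constructed placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a spoofed message hot-linking a banner from the
# impersonated brand's own website. All domains are placeholders.
SAMPLE_EML = """\
From: "Brand Orders" <orders@spoofer-example.invalid>
Subject: Your order confirmation
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://www.brand-example.invalid/images/banner.png">
<img src="https://cdn.spoofer-example.invalid/footer.png">
</body></html>
"""

class _ImgSrcParser(HTMLParser):
    """Collect the src attribute of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

def _site(host):
    # Crude registrable-domain approximation: the last two labels.
    return ".".join(host.lower().split(".")[-2:])

def hotlinked_images(raw_eml):
    """Return remote image URLs whose site differs from the From: domain."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    sender_domain = msg["From"].addresses[0].addr_spec.rsplit("@", 1)[-1]
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _ImgSrcParser()
    parser.feed(body.get_content())
    flagged = []
    for src in parser.srcs:
        url = urlparse(src)
        if url.scheme in ("http", "https") and url.hostname and _site(url.hostname) != _site(sender_domain):
            flagged.append(src)
    return flagged
```

Images loaded from the sender’s own infrastructure are left alone; only the brand’s hot-linked banner is reported, which is the kind of message the banner swap above is aimed at.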

We have a large malware campaign going on at the moment claiming to be messages from the Federal Reserve, saying restrictions are being put in place on federal wire and ACH online transactions. Hopefully it strikes most people as pretty out of place to receive an email from the Federal Reserve. However, a company that does a lot of federal business may find something like this within the norm.

[Screenshot: the spoofed Federal Reserve email]


Furthermore, since it is a malware campaign involving macro-enabled XLS files, a user might be more inclined to open the file than something like an EXE. As with a lot of macro-enabled malware documents, an image appears upon opening telling the user how to enable macros. This is because macros in Office programs are disabled by default.

[Screenshot: the “enable macros” lure image in the Federal Reserve spreadsheet]

Once the macros are enabled and run, the document acts as a trojan downloader and downloads an EXE with a .jpg extension. This is likely an attempt to mask the traffic, either from a system that looks strictly at extensions or from an admin looking through network logs.

[Screenshot: the EXE being downloaded with a .jpg extension]
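An added example, not from the original post: a Python check that compares the extension in a download URL against the file’s leading bytes, which is how a defender catches a PE executable served as a .jpg like the one above. The signature table, the placeholder URL and the sample bytes are constructed for this example.

```python
import os
from urllib.parse import urlparse

# Leading-byte signatures for common types (constructed table for this example).
SIGNATURES = [
    (b"MZ", "pe"),                     # Windows executable (EXE/DLL)
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .xls/.doc container
    (b"PK\x03\x04", "zip"),            # also .xlsx/.docx containers
]

# What each extension claims to be, in the same type vocabulary.
EXT_TYPES = {
    "exe": "pe", "dll": "pe", "scr": "pe",
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
    "pdf": "pdf", "xls": "ole", "doc": "ole", "zip": "zip",
    "xlsx": "zip", "docx": "zip",
}

def sniff_type(head):
    """Return the type name matching the leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES:
        if head.startswith(magic):
            return name
    return "unknown"

def url_extension(url):
    return os.path.splitext(urlparse(url).path)[1].lstrip(".").lower()

def check_download(url, head):
    """Return a finding when the content type contradicts the URL's extension."""
    claimed = EXT_TYPES.get(url_extension(url))
    actual = sniff_type(head)
    if claimed is None or actual == "unknown" or claimed == actual:
        return None
    return f"{url}: extension claims {claimed} but content is {actual}"

# Constructed sample: the first bytes of a PE file fetched as a ".jpg".
FAKE_JPG_URL = "http://downloads-example.invalid/img/photo.jpg"
FAKE_JPG_HEAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
```

Run against the first bytes of each HTTP response body (a proxy or sandbox capture), this flags the .jpg-named EXE while leaving genuine images and unknown extensions alone.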

This EXE is the actual payload. The first thing to notice is that it steals information and POSTs it to a remote server. Normally when we see this it is done in an encoded way, but in this case it is all sent labeled and in plain text.

[Screenshot: the plain-text POST of stolen information]

It does some other things, like adding itself to startup, using password-protected files, and listening on port 5650. Looking at some strings and command options it passes in the file, it looks like it is doing some of the installation using a free installer called Inno Setup. Looking at an XML file it drops, it appears to be using a remote connection tool and saving its settings base64-encoded in that XML file. From researching some strings in the config, the tool appears to be one from Remote Utilities, but it is possible it is something else. I also see it uses some Windows batch files and VBS files. It only has 5 hits on VirusTotal, and only Malwarebytes classifies the file as a remote administration type (RiskWare.RemoteAdmin.RMNS). I’m inclined to think that is pretty correct.


As for volume, we did see these coming in at large numbers. They matched a virus rule we have had in place since March of this year, but there are two sides to the volume scale here. On one hand, the actual intact macro files have hit a little over 6 million so far. That is a decently sized campaign as of late. However, on the other side, the malware authors messed up some of the files. Instead of the normal XLS files with the macros, some were sent out with the base64 in the raw content of the XLS file, which means they arrived broken and unable to be opened. This count reached about 1.5 million messages. Fortunately, since the rule they matched was an older one, we were able to contain the malware campaign right from the start. But to leave you with some advice: it is always a good idea to leave macros disabled by default in Office programs. Yes, some people may use them legitimately, but even they should leave them disabled by default. Letting them run upon opening a file is just too risky.

We don’t like to brag, but being recognized by Microsoft is kind of a big deal, especially when the recognition comes for our growing channel. That’s why we were delighted to have won the Best Run Rate Performance award at Microsoft’s 2015 Cloud Service Provider Summit.  But we know that this would not have been possible without two very important factors: our partners and our Phenomenal Care™ Team.


As a Microsoft Gold Certified Partner, we are committed to providing the best training resources available to our partners and employees so that they can become as phenomenal as they can be. Today, one in ten AppRiver employees (“Appers”) hold a Microsoft certification in their respective fields, one of whom was even named a two-time (2015, 2014) Microsoft MVP award winner for Office 365! Additionally, in the past 12 months, AppRiver partners have seen a 25-percent uptick in certifications in Office 365 Plus from our exclusive online training resource, AppRiver University, and a 59-percent increase in readiness to sell Office 365.

As we prepare ourselves for another great year with our partners, we look forward to providing our teams with Microsoft resources that’ll help make them as successful as possible.

Phishing campaigns come in many different shapes and sizes. Some are obvious and indiscriminate, luring only the most gullible of victims (like that long-lost uncle who just needs your routing number to give you $100,000). Others are more poised and targeted, only interested in those with big bank accounts or the key holders to confidential company documents. Below, we’ve answered some common questions about phishing, how to identify it, and how to prevent it.


What are the most common phishing schemes?

There is no “one” phishing scheme, but all phishers try to make either themselves, their emails, or their malicious websites look as legitimate as possible. That long-lost uncle we talked about earlier? He doesn’t sound so legitimate; unless you have incredibly good luck, and even then you’d think your uncle would want to meet you first. Others are much more sophisticated, downloading company logos and using the company’s color scheme and images in their emails. The point is, they all want to convince someone that they are a person or an entity that should be entrusted with that person’s private information.

What are the different types of phishing?

  • Spear phishing: This type of phishing targets specific individuals, companies, and organizations to gather personal information. It is a fairly successful method, as it accounts for more than 90 percent of attacks. Spear phishing is still very broad as every hacker is going to have a different audience they are after than the next hacker. However, just because they are broad does not mean that they are not convincing. We’ve seen phishing campaigns take users to websites that are complete with a link to report phishing attempts.
  • Clone phishing: This one is sneaky. Clone phishers replace legitimate, previously delivered email content with malicious content and attachments. They often get away with it by claiming that they are sending an updated version of the previous email. It’s not uncommon for hackers to get access to the previous legitimate email via malware that has already been downloaded.
  • Whaling: Just what it sounds like, whaling is when phishers are after the “big phish.” Common examples include a subpoena being delivered to a CFO for fraud, or a customer complaint to the director of customer service.

What should I be wary of?

Grammatical errors should always be cause for pause. While copywriters and editors may make the occasional typo in their emails (and much to their humiliation when customers start emailing their typos in), companies that phishers try to imitate, like Amazon and MasterCard, can afford to hire good spellers.

Emails that are formatted differently from the way they normally are are also warning signs. It’s one thing for a website or logo to get a facelift. It’s quite another for a company that would normally put purchase information in the body of the email to put it in a .zip attachment. And can you even remember making that purchase to begin with? Additionally, your credit card company already knows your full account number, complete with the exact spelling of your name as it appears on the card, the security code, the billing address, and the expiration date. That’s why, for authentication, they would never ask you for all of that information. Depending on the scope, they typically ask for one or two pieces of identifying information and a security question for verification. And when in doubt, you can always call the company in question and speak to a representative. He or she will be able to tell you whether the email is legitimate.

Is there anything else I can do to prevent a phishing attempt?

Yes! While it’s great to familiarize yourself with the latest trends in IT security, the easiest way to prevent a phishing attempt on your network is to adopt a layered security approach. Although there is no “silver bullet” against malware attempts like phishing, a combination of email filtering and Web protection solutions can work together to block malware from gaining access to your network. Email spam and virus filtering is an excellent start to keep malware from being delivered by email, but what about when you surf the Web? Together, the two layers keep your network safe, so you can focus on more important tasks.


“Don’t fix it if it isn’t broken.” We’ve all at least heard, if not used, the phrase. But while this might aptly apply to costly and unnecessary home renovations, it doesn’t really work with IT security, for the simple reason that if you don’t preemptively fix it, it will become broken. Specifically, we are talking about software patches and the inevitable end of life for your operating system.


Those software updates you keep clicking “later” on? They often deliver a payload of security patches or remedies to bugs. The longer you go without updating your system, the more gateways you’re giving hackers to infiltrate your device and steal your information. In 2014, 44 percent of data breaches were due to unpatched code that was two to four years old according to HP’s Cyber Risk Report.

And data breaches aren’t just restricted to businesses anymore. With the Tesla “hack” earlier this year, the two “hackers” (ahem, researchers) discovered that the car could potentially be hacked remotely because the car’s infotainment system was using a geriatric Web browser that contained a security vulnerability. That brings us to our next point: don’t use out-of-date or unsupported software. Once a solution has been slated for its “end of life,” the makers of that solution will very shortly stop creating software updates that include security patches. While you may not be able to control which Web browser your smart car uses, you can control the ones you use at work or at home.

Ultimately, out-of-date IT security can lead to a malware infection, including keyloggers, ransomware, and other nasty viruses. It is much easier to prevent malware than to undo its damage, particularly in the case of ransomware, where your only option to get your files back is to pay the hacker (this money is also frequently used to directly support terrorist activities). So the next time the maker of your browser or operating system sends you an update or end-of-life notification, don’t click “later.” Go ahead and update your system, or in the case of a solution that is going to reach its end of life, start researching alternatives.