This morning, AppRiver began filtering a malware campaign around 3AM and is still sending malware in bursts. The campaign is similar to ones we had seen yesterday about unpaid invoices.


The message reads with an impatient tone in an attempt get users to urgently open its attachments. Giving users enough detail to think the file is legitimate is what gets users in the grasp of curiosity to open files. The attached .zip contains a single JS file inside.


JS malware is pretty popular these days. We see campaigns in the tens of millions some days, with recent records being set just last month. While obfuscated JavaScript is pretty common, this one stood out from standard ones we see, mainly because inside the unzipped JS file, the contents of the file mostly contain information and history about the antivirus company Avira. The short information is just repeated throughout the file with the text being pulled from the Avira Wikipedia page.


We don’t often see filler text like this within the actual payload itself so this stood out. This filler text pushed the size of the file up from about the 14K it needed to actually be, to around 470K. No doubt this was an attempt to throw of virus scanning while keeping the filler context somewhat relevant in a slightly ironic way. With all of the comments removed, the file goes from about 3000 lines to a little less than 90.


The payload that the JS file executes is the Locky ransomware that’s been popular lately. The payload downloaded (bb1378b7cc4f2a9963c1b9c91b9a2fe5) has a hitrate of 14/57 on VirusTotal while the js file (various hashes) has a hitrate of 2/57.



As of writing this, there have been a little over four million messages quarantined in the campaign.

AppRiver is a channel-centric company and will always remain committed to partner success.


By working around the clock to equip our partners with the solutions and tools they need to protect their customers from sophisticated IT threats, we have increased annual partner growth by 21 percent this past year.  More than 2,800 partners currently trust AppRiver with their email and Web security needs —  and we enjoy earning their business every single day.

AppRiver’s partner channel is also responsible for about 70 percent of new customer acquisition.  In fact, and in 2015, our partner community realized a 21-percent increase in customers.  To help illustrate, five of our largest partners grew their monthly revenue 34 percent, their client count 28 percent and their per client revenue five percent last year alone.

But, don’t just take our word for it.  Here are a few recent industry nods given to AppRiver for our demonstrated loyalty and ongoing support of the IT channel:

  • 2016 SMB TechFest: Best Partner Program
  • 2016 CRN Security 100: Coolest Web and Application Security Vendor
  • 2016 CRN Channel Chief: Justin Gilbert, AppRiver Channel Sales
  • 2016 CRN Partner Program Guide
  • 2016 Stevie® Customer Service Award Winner

As a company rooted in both security and the cloud, we are dedicated to providing partners with the protection and solutions they need in today’s ever-changing threat landscape.  If you’d like to learn more about our partner programs, please visit

Every quarter, we release our Global Security Report, our latest spam and malware findings from the previous quarter. Today we unveiled Q1 2016’s report, which has confirmed that the levels of spam and malware email traffic during Q1 has already surpassed total levels documented during the whole of 2015, totaling at 2.3 billion malicious email messages, with 1.7 billion occurring in March alone.

What is the Global Security Report?


“The malicious Web and email traffic continues to multiply rapidly, and it’s not slowing down anytime soon,” says Troy Gill, manager of security research at AppRiver. “The increase in malicious traffic that we’ve seen over the first quarter, and even last quarter of 2015 can be traced to two factors: the widespread ability to purchase malware on the Dark Web, and its effectiveness due to end users’ reluctance to use antivirus software and perform regular software updates.”


AppRiver confirms that receiving a malicious message is no longer a numbers game, as cybercriminals are also targeting sectors with crafted messages. Jon French, security analyst at AppRiver, says, “We have also seen ransomware attacks move from a simple ‘cast net’ style approach to attacks aimed at certain verticals, with the most prevalent this quarter being the healthcare industry.” French adds, “Malicious macros in Microsoft Word and Excel documents have been a very popular method for delivering the Trojans carrying the payload for ransomware attacks.”


For those who are not falling for the macros method, cybercriminals are also utilizing hidden PowerShell commands in documents to infect machines, as well as obfuscated JavaScript as a vehicle to deliver attack code.


We have also seen an uptick in wire transfer attacks, typically targeting finance departments. Custom communications are spoofed by the attackers to appear as if they come from within an organization, most often impersonating a company’s CEO.


A final trend we have been monitoring is the Distributed Spam Distraction (DSD) technique. Fred Touchette, manager of security research at AppRiver, explains, “DSDs flood an individual’s inbox with spam emails in an attempt to hide critical confirmation emails for purchases or wire transfers made in the victim’s name. With all of the spam in the victim’s inbox, the deed is done before the confirmation email is located, allowing the cybercriminal to make away with fraudulent purchases or wire transfers.”


From a technical standpoint, our security analyst team advises organizations to have layered security systems in place that monitor all network traffic and communications to prevent malware attacks and breaches, including:


  • Antispam and antivirus solutions
  • Routine, mandatory software updates
  • Double authentication
  • Formal security policies


We have included more detail on these attacks and statistics within its Q1 Global Security Report. To read the full report and watch AppRiver’s security analysts’ round table discussion on its findings, visit


We’re celebrating a major customer service award—a Bronze Stevie® Award for the best Customer Service Department of the Year – Computer Hardware, Software and Services category in the tenth annual Stevie Awards for Sales & Customer Service! This is the fourth consecutive year our Phenomenal Care™ team has been recognized for its commitment to excellence in customer service.

The internationally recognized and coveted Stevie Awards honor businesses that excel in service and support. The Stevies are widely known as the world’s leading sales, customer service and contact center awards program.

Since our inception in 2002, AppRiver has built a 93-percent customer retention rate while growing its customer base to more than 47,000 corporate clients (and 10 million mailboxes) around the globe.

“We are thrilled that our Phenomenal Care™ team continues to receive recognition year after year,” said Michael Murdoch, president and CEO of AppRiver. “While we pride ourselves on being able to protect organizations with award-winning IT security solutions, taking care of our customers 24 hours a day, every day, is truly what sets us apart.”


AppRiver co-founders CTO Joel Smith (left) and CEO Michael Murdoch (right).

This dedication to Phenomenal Care has also been validated by two recent customer satisfaction rankings:

  • Microsoft’s Customer Experience Index: AppRiver recently earned an unprecedented 80-point score from Microsoft’s customer experience index, which is the highest score cloud services provider score evaluators have ever measured. Microsoft’s customer experience index grades companies based on their customer service.
  • Net Promoter System’s Net Promoter Score: The company earned a 75.2 on its Net Promoter Score, which predicts future growth based on customer satisfaction. This score is up from 72.1 in 2009, a clear indicator that customer care standards have remained high even as the company has grown at a rapid pace.

“In a world of off-shore call centers, detached IT Help and increasingly complicated solutions, AppRiver has given tech a name, a face, a personal touch – qualities that are increasingly rare in the Digital Age,” explains James Wirth, director of support at AppRiver.

James Wirth

James Wirth, director of support at AppRiver

We continually aim to create a positive customer experience from first contact to post-op support.  When customers contact our Phenomenal Care team, they know that the person who helps them is an AppRiver employee who is fully trained on the latest services, trends and technologies. That’s because these IT pros have been empowered to properly address customer concerns and quickly escalate more complex issues. Another advantage is that all employees have access to AppRiver University, the company’s first-class training and development program.

Other distinguishing features of AppRiver’s Phenomenal Care include:

  • Dedicated Service 24/7. US-based telephone and email support is available around the clock.  Service calls are not timed, and AppRiver will stay with the customer for as long as it takes to ensure that customer’s satisfaction, in some cases even solving non-AppRiver-related issues for them.
  • Free 30-Day Trial with No Cancellation Penalty. All services come with a 30-day free trial.  Customers are free to cancel at any time without worrying about cancellation fees or legacy costs.

To read the full press release, please visit:

Customization in malware infection is a trend we have been seeing for years now but never has it been more prominent than as of late. From customized Spearphishing attacks to CEO fraud and BEC’s, today’s threat landscape is more fraught with pitfalls than ever before. Over the past few weeks we have been seeing an increase in customized and targeted malware attacks sent via email. Most of the recent attacks rely on malicious Microsoft Word Documents with embedded Macros. While the malicious macro approach has been quite popular lately we are now seeing the attackers go the extra mile with customization in the message and filename.

The messages pose as actual invoices from a legitimate accounting service called FreshBooks. Each email displays the name of the company that is being targeted, throughout the subject and message body. Also, each message contains a customized .doc attachment, complete with embedded Trojan, which uses the target companies name as well.

As you can see in the email below that the name of the target company is utilized throughout the message as well at the filename. (We have redacted the actual recipient company name and replaced it with “Target Company” and highlighted)


We have also seen evidence that the cyber-criminals responsible for sending these messages have made an effort to send these messages to the email addresses of actual key finance personnel. Naturally these messages will raise less red flags than the ordinary generic ‘fake invoice’ messages that we see day in and day out since having been littered with your own company name gives them the appearance of being legitimate. Of course, we have this campaign blocked with our own proprietary virus filtering software but it is currently still only being identified by 2 of 56 AV engines (according to virustotal). Finance departments everywhere should take notice at the recent trends and make sure they are up to date with awareness training. Network administrators may also want to consider disabling the use of Macro’s across their entire organization unless they are being relied upon for operations, this should be fairly easy to do with something like group policy.