Using current news events in spam and malware campaigns is nothing new; in fact we see it with most major tragedies or events. This time around the topic is the Ebola virus. We’ve been seeing both spam and virus campaigns using Ebola as a topic to get the reader’s attention, with one malware campaign even claiming to be from the World Health Organization and to have information on how to stay safe from diseases around “that you know nothing about”.

ebola malware sample

Most of the spam coming in seems to be using Ebola as clickbait in the message rather than focusing the spam specifically on Ebola. Messages come in with subjects claiming to have breaking news on Ebola, others claim to have cures, and some are even trying to sell Ebola survival guides. Using a popular news topic in spam is a common tactic since people are more likely to have heard about the message’s alleged content, and the message is usually formatted so that it appears to provide you with information you may not know yet, sometimes even looking like a legitimate news agency email. From there it makes it easier to deliver a payload or to get a user to click on a link in the message that takes them elsewhere. In the recent campaigns, most of the spam with links in them takes you to websites that don’t even mention Ebola. They are just using its popularity in the email message to get users to click on links and get their attention for products they are trying to get you to buy.

ebola samples of spams

Due to Ebola’s popularity at the moment, it can be harder for a user to determine whether a message is actually spam or something they are interested in, like legitimate news. This is when it’s best to remember some good practices of safe email use.

  • Check who the message is coming from – This can sometimes show that a message is coming from an account you don’t recognize. It is not always reliable, since a From address can be spoofed, but it makes it easier to weed out the obvious fake emails.
  • Look where a link may take you – In almost every mail program you can hover your mouse over a link and see where it’s taking you, and often you can tell right away whether a link looks legitimate. If you get an email from an American news agency about a miracle Ebola cure but it’s leading you to a foreign website or a website you’ve never heard of, it’s probably safe not to click the link.
  • Always be wary of attachments – This goes for pretty much any attachment. Some of the file types commonly abused for malware are .exe, .scr, .com, and .pif, though there are many other attack vectors in programs for malware to use as well. So if you get attachments from unknown senders at all, take as much caution as you can, such as scanning the file with web tools or your local antivirus. A side note: also be aware of double extensions. By default, Windows does not show known file extensions. Sometimes malware authors will create and zip a virus named something like “Invoice.pdf.exe”; when saved and extracted to a computer, most users will just see “Invoice.pdf”, making it look legitimate.

Keeping a close eye on the email content you look at can save you from falling into a phishing scam or installing a virus. But using email filtering and keeping antivirus up to date is equally important in protecting users and should shield most users from these types of spam and attacks.

This morning we had a particularly large virus campaign come in. The messages were claiming to be from payment@bill.com about an unprocessed payment. Attached to the message was a zipped piece of malware.

Sample Message

Over the past month we’ve been seeing around 1.5 to 2.5 million virus messages throughout the entire day. This morning though, over the course of about 3 hours, we have seen 6.2 million from a single virus campaign. There were a few other campaigns numbering in the tens of thousands during that time, but the fake bill.com malware certainly dwarfed any others. Though this campaign was large in volume across all servers here, the attached malware matched a virus rule that had previously been in place on our system; that rule had the same 6.2 million matches this morning. Running a sample of the virus through virustotal.com shows only 16 of 54 antivirus companies are blocking this particular executable.

All ur base...

It took less than one day after the news was publicly released about a major flaw in the bash command line interpreter before a botnet leveraging this flaw, referred to as ShellShock, was spotted in the wild. This vulnerability is being compared to Heartbleed, the OpenSSL flaw that made headlines earlier this year, in terms of severity. Unfortunately researchers agree that this actually has the potential to eclipse Heartbleed in that arena. The reason is that where Heartbleed was able to easily steal data from unsuspecting victims, this new bash vulnerability allows an attacker to actually gain access to and control of the victim’s machines. Another concerning factor of this new exploit is its potential targets. Bash runs on both Linux and Mac OS X, a rarely targeted group which may be caught with their guard down. Every Mac we have tested this on so far has been vulnerable to this exploit, whereas we got varying results in Linux environments depending on the particular Linux flavors and bash versions installed. Bash is the most widely used shell on Linux based systems and is also the default shell in Mac OS X Panther (version 10.3) and later. This vulnerability is present in every bash version up to 4.3, which is potentially a large swath of users. It is being stated, however, that the likely prime target of these new attacks will be Apache web servers that use the standard CGI implementation.

The botnet, known as Wopbot, has already gone to work. It has been busy running distributed denial of service attacks against Akamai and other targets overnight. It has also been scanning the entire IP address space of the US Department of Defense, apparently searching for open Telnet ports, which commonly would be brute forced in order to gain access. This is quick work by cyber attackers, which is exactly what those at risk do not want with such a publicly available flaw. Currently the Linux community is rushing to create and push out patches for ShellShock while others are arguing whether or not to simply remove the point of vulnerability altogether. It is unclear what Apple’s stance is on this or when they may have a fix available. Hopefully they will move quickly as well or all of my friends who “never get viruses” just may be in trouble.

It is recommended that those who may be susceptible to this vulnerability watch closely for patches or hotfixes and apply them as soon as possible.
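Since the post names Apache CGI as the prime target, one thing a defender can do while waiting for patches is watch the web server logs. The following is an added example, not code from the original post: it parses Apache combined-format lines and flags requests carrying the bash function-definition prefix that any ShellShock attempt has to place in an exported header. The log lines are constructed samples using documentation addresses, with the attacker's command replaced by a placeholder.

```python
import re

# Apache "combined" log format:
# host ident user [time] "request" status size "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Bash imports a function from the environment only when the variable's value begins
# with "() {", so a ShellShock attempt against a CGI script has to put that prefix
# in a header (User-Agent, Referer, the request line, ...) that the server exports.
SHELLSHOCK = re.compile(r"\(\)\s*\{")

def parse_combined(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None

def find_shellshock_attempts(lines):
    """Return (client ip, request, field) for each line carrying the function prefix."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK.search(rec[field]):
                hits.append((rec["ip"], rec["request"], field))
                break
    return hits

# Constructed sample lines (documentation addresses); the command an attacker would
# append after the prefix is replaced with a placeholder, since only the prefix matters here.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:08:12:01 -0500] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { ignored; }; PLACEHOLDER_COMMAND"',
    '198.51.100.7 - - [25/Sep/2014:08:12:03 -0500] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:08:12:05 -0500] "GET /cgi-bin/status HTTP/1.1" '
    '404 0 "() { ignored; }; PLACEHOLDER_COMMAND" "curl/7.37"',
]

if __name__ == "__main__":
    for ip, request, field in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{ip} {field}: {request}")
```

A hit in the access log only shows an attempt was made; whether it succeeded depends on the bash version behind the CGI script, so pair this with the patch status of the host.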

With many consumers chomping at the bit to get their hands on a new iPhone 6, internet scammers are quickly taking advantage to distribute their wares. Immediately following the unveiling of the new iPhone 6 and iPhone 6 plus, scammers began circulating email and web scams attempting to capitalize on its popularity.

Here is a look at one of the many related scams that has been in circulation since last week’s announcement.

iphonescam

Here, the scammers are using the iPhone 6 to lure in potential victims. If the reader follows the instructions, an adware install will commence. Adware is a form of software that is meant to generate revenue for its author by automatically displaying advertisements. Adware is not typically anything more than an annoyance, but it can often seriously infringe on users’ privacy. This particular strain has a wide array of functionality and can make a victim’s web browsing experience fairly miserable. These types of attacks also carry the possibility of malicious activity (i.e., password theft). Though its presence is not secret, it is quite good at embedding itself into the victim’s system and can be quite difficult for the average user to remove. Since Sept 12th we have seen nearly 1 million messages associated with this campaign, and of course this is just one of many. Remember, advertisements promising you something for nothing are almost always too good to be true.

A campaign of fake JP Morgan emails just started up. The emails coming in claim to be secure messages from JP Morgan using the Voltage secure messaging platform. The FROM name changes between messages, but the actual email address stays in a consistent format (First.Last@jpmorgan.com). Interestingly, all of the messages seemed to try to use the same security image of what I assume is a valid user’s image from JP Morgan. However, the link the spammers used appears to be dead now and none of the messages show a security image.

initialemailjpmorgan

The HTML file is just an official looking page with a button to read the message (and a personal image that does show here). One thing to note is that looking at the source of the HTML or hovering over links does indeed only show jpmorgan links. The Click to Read Message button did not show its link when hovering, and it linked directly to an address using an IP instead of a hostname.

initial page in attachment

This campaign has sort of a 3-part attack going on. The first part is when you click the read message button: the next page it loads has a malicious iframe in it. From the samples I have seen, the iframes all had data hosted at cornishhoughs.com. ESET classifies the attack as “JS/Kryptik.ASA trojan”.
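The two tells described above (a button whose destination is a bare IP address, and an iframe pulling content from a host unrelated to the claimed sender) are easy to check for automatically before anyone opens an HTML attachment. This is an added example, not code from the original post or from JP Morgan: it extracts every link, iframe, form and script destination from the attachment and flags IP-literal hosts and hosts outside the domain the mail claims to come from. The HTML is a constructed sample with placeholder hosts, not the real campaign files.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect every destination an HTML attachment can send the reader or browser to."""
    TARGETS = {"a": "href", "iframe": "src", "form": "action", "script": "src"}

    def __init__(self):
        super().__init__()
        self.links = []  # (tag, url)

    def handle_starttag(self, tag, attrs):
        wanted = self.TARGETS.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.links.append((tag, value))

def is_ip_literal(host):
    """True when the host part of a URL is a bare IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_html_attachment(html, expected_domain):
    """Flag destinations that use an IP literal or sit outside the domain the mail claims."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.links:
        host = urlparse(url).hostname or ""  # .hostname is already lower-cased
        if is_ip_literal(host):
            findings.append((tag, url, "ip-literal host"))
        elif host and host != expected_domain and not host.endswith("." + expected_domain):
            findings.append((tag, url, "off-domain host"))
    return findings

# Constructed sample modelled on the attachment described above; the hosts are
# documentation placeholders, not the ones seen in the campaign.
SAMPLE_HTML = """<html><body>
<a href="https://www.jpmorgan.com/privacy">Privacy</a>
<a href="http://192.0.2.10/read.php">Click to Read Message</a>
<iframe src="http://third-party.example/frame.html" width="1" height="1"></iframe>
<form action="http://192.0.2.10/login.php" method="post">
<input name="email"><input name="password"></form>
</body></html>"""

if __name__ == "__main__":
    for tag, url, reason in audit_html_attachment(SAMPLE_HTML, "jpmorgan.com"):
        print(f"<{tag}> {url}: {reason}")
```

Links built at runtime by JavaScript will not appear in the static HTML, so an empty result from this check is not a clean bill of health, only the absence of the obvious tells.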

second page email address

cornishmaliframe

esetalertjpmorgan

third page password jpmorgan

No matter what you type in, as long as it’s in the proper format, the page advances. This could be considered the second part of the entire attack. The pages do make POSTs to the server with the email address and password that are typed in, and this data is most likely being harvested as well for further attacks using that user’s information. If anyone visited these pages and typed their information in, I’d strongly suggest changing your password as soon as possible.

Once you get this far you are taken to a rather convincing looking secure messaging portal, complete with working buttons that all lead to JP Morgan pages, the exception being the View and Download buttons.

JPMorgan Chase - Sign In 2014-08-21 13-16-03

Clicking either View or Download prompts you to save an exe file with a double extension, and this is the third part of the attack.

download prompt jpmorgan

These can fool most users into thinking they are harmless once the file is saved. The reason is that most of the time the malware writers will build in a resource icon matching whatever the fake extension is. This method, combined with the fact that Windows does not show known file extensions by default, means the average user would only see “8.21.14 report.pdf” as the filename along with a normal PDF icon (as seen below). Some users find it annoying to show all file extensions, but it can make it significantly easier to spot the double extension files that trick users.
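The double-extension trick appears twice on this page: the attachment advice in the Ebola post (“Invoice.pdf.exe” inside a zip) and the “8.21.14 report.pdf.exe” download here. The following is an added example, not code from the original posts: it classifies attachment filenames the way a mail filter would, reporting both plain executables of the abused types named in the Ebola post and decoy-document names in front of them, and it reads the member names of a zipped attachment without extracting anything. The zip is a constructed sample with dummy contents, and the decoy extension list is an assumption, not something the posts enumerate.

```python
import io
import zipfile

# File types the Ebola post names as commonly abused to deliver malware.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif"}
# Document types an attacker puts in front of the real extension so the hidden-extension
# default in Windows Explorer shows only the harmless-looking part (assumed list).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

def classify_filename(name):
    """Return a reason string if a filename is a disguised executable, else None."""
    base = name.rsplit("/", 1)[-1]          # strip any directory part inside the zip
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    shown = base.rsplit(".", 1)[0]          # what Explorer displays with known extensions hidden
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return f"double extension: displays as '{shown}' with extensions hidden"
    return f"executable attachment (.{parts[-1]})"

def scan_zip_attachment(data):
    """List suspicious member names in a zipped attachment without extracting anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = classify_filename(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings

def build_sample_zip():
    """Constructed sample: member names like the ones described in both posts, dummy contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf.exe", b"placeholder, not a real binary")
        zf.writestr("8.21.14 report.pdf.exe", b"placeholder, not a real binary")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in scan_zip_attachment(build_sample_zip()):
        print(f"{name}: {reason}")
```

Checking names alone does not replace scanning the contents; it is the cheap first pass that catches exactly the disguise both posts describe.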

fakepdfshowing

At the time of checking all of this, VirusTotal shows that no AV company has anything on this file. It appears to be a trojan downloader that retrieves content offsite. Fortunately we were able to quickly block the file in our filter and have over 177,000 hits so far and climbing.

no virustotal hits jpmorgan

This particular campaign was tricky due to it being rather in-depth and the effort put in to make it convincing. This type of campaign takes more resources for an attacker to put together, but if successful it can yield more of an impact because the threat is not as obvious.