After every large news-making event, we see malicious campaigns pop up quickly to ride the coattails. It is very easy for scammers to modify their malevolent templates to match the latest headlines and prey on the emotions of users. The scams range from simple social engineering to malicious programs that promise to identify and remove infections from a machine. Below are a couple of different phishing examples we’ve discovered attempting to take advantage of the WannaCry publicity.

This one attempts to look like it comes from the “Indian Computer Emergency Response Team (CERT).” Typically, CERTs are groups of legitimate experts tasked with responding to computer security incidents. The scammers wanted to add a feeling of legitimacy and pass off their malicious site as a government webcast. Note the suspicious link and the large inserted mail image, both of which are red flags.

This next example masquerades as the familiar security software company Symantec.

Following the hyperlink redirects readers to the fake Symantec login page pictured below. The site automatically inserted this recipient’s email address in an attempt to appear more legitimate. Besides helping to evade filters, redirection through a different site usually allows the phishing page to last longer before it is taken down. This example was from earlier this week, but it was still active as I wrote this post.

A nefarious website operator may change the site at any time from a simple phishing page to something much more malicious, so it is important not to let curiosity get the best of you. Here at AppRiver, we use isolated test systems to perform these actions in order to gather intelligence. Our in-house team monitors incoming campaigns such as these 24/7/365. Remember that with AppRiver SecureTide filtering, you are protected against these threats as they emerge.

Necurs Awakens
Late last week, while the WannaCry ransomware was causing major panic across the internet, another threat was re-emerging as well. After a relatively quiet several months, in the early hours of the morning on May 11th the Necurs botnet started blasting out malicious emails again in massive volumes. Throughout most of 2016 we saw this botnet distributing the Locky ransomware and the Dridex banking Trojan, until a large fall-off in volume around December 24th. While traffic never ceased entirely, daily traffic was only about one tenth of the volume we had been seeing before then. On the morning of May 11th that all changed: the monster had awakened and picked up right where it left off, sending email en masse containing both a new ransomware strain dubbed “Jaff” and copies of the Dridex banking Trojan. After slowing over the weekend, as botnet campaigns always do, this morning the malicious email campaigns were back at it.

Jaff Ransomware
Both malware campaigns are using PDF files with an embedded Word document that contains a malicious VBA macro.
Current Jaff ransomware messages:


Opening the Word document inside the PDF and enabling editing allows the macro script to run on the host machine. The malware then reaches out to any one of multiple call-home domains to fetch the ransomware binary. After a successful connection to the call-home domain, in this case enboite[dot]be, the binary is downloaded and the malware goes to work encrypting files on the host machine. You can see where the ransomware got its name: it appends the extension [dot]jaff to the victim’s files as they are encrypted.
The processes and techniques Jaff uses during infection have many similarities to the Locky ransomware, which leads us to believe this is simply a new strain from the same individual or group responsible for Locky. The Jaff ransomware is currently demanding roughly $1800 in payment via Bitcoin.
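As an added detection example (this is not code from the original post or from AppRiver), the following Python covers the two points in the chain above that a defender can observe: a mail-gateway check that flags a PDF carrying an embedded Office document, and an endpoint check that counts files carrying the appended [dot]jaff extension. The PDF bytes, the attachment name and the directory contents are constructed for the demonstration; the /Filespec matching and the Office extension list are deliberate simplifications rather than a full PDF parser.

```python
import re
import tempfile
from pathlib import Path

# Constructed stand-in for a mail attachment: a minimal PDF skeleton that
# carries an embedded macro-enabled Word document the way the Jaff lures do.
# It is not a real sample and contains no macro; the stream body is filler.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >> endobj
2 0 obj << /Names [ (invoice.docm) 3 0 R ] >> endobj
3 0 obj << /Type /Filespec /F (invoice.docm) /UF (invoice.docm) /EF << /F 4 0 R >> >> endobj
4 0 obj << /Type /EmbeddedFile /Length 4 >>
stream
PK..
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A constructed PDF with no attachments at all, for comparison.
PLAIN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"

# Office formats that can carry VBA macros: the macro-enabled OOXML types plus
# the legacy binary types, which always can.
OFFICE_EXTENSIONS = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlt", ".xlsm", ".ppt", ".pptm"}

# A /Type /Filespec dictionary names the embedded file in its /F entry.
FILESPEC_RE = re.compile(rb"/Type\s*/Filespec.*?/F\s*\((?P<name>[^)]*)\)", re.DOTALL)


def embedded_office_names(pdf_bytes):
    """Return the names of embedded files whose extension is an Office format."""
    names = []
    for match in FILESPEC_RE.finditer(pdf_bytes):
        name = match.group("name").decode("latin-1")
        if Path(name).suffix.lower() in OFFICE_EXTENSIONS:
            names.append(name)
    return names


def assess_pdf(pdf_bytes):
    """Gateway verdict: block Office-in-PDF, review any other embedded file, else allow."""
    office = embedded_office_names(pdf_bytes)
    if office:
        verdict = "block"
    elif b"/EmbeddedFile" in pdf_bytes:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "embedded_office": office}


def count_ransom_extension(root, extension=".jaff"):
    """Endpoint check: count files under root that carry the appended ransom extension."""
    root = Path(root)
    return sum(1 for p in root.rglob("*") if p.is_file() and p.name.lower().endswith(extension))


def build_sample_tree():
    """Create a constructed directory mimicking a partially encrypted share; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="jaff_demo_"))
    for name in ("report.docx.jaff", "photo.jpg.jaff", "notes.txt", "ReadMe.bmp"):
        (root / name).write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    print(assess_pdf(SAMPLE_PDF))   # {'verdict': 'block', 'embedded_office': ['invoice.docm']}
    print(assess_pdf(PLAIN_PDF))    # {'verdict': 'allow', 'embedded_office': []}
    print(count_ransom_extension(build_sample_tree()))   # 2
```

The gateway check is intentionally blunt: a PDF that wraps a macro-capable Office document has almost no legitimate business use, so blocking on the embedded file name alone is a reasonable default, while other embedded files go to review. The endpoint count is the kind of canary a file server or backup job can run cheaply; a non-zero result is a signal to isolate the host and start restoring from backup rather than a reason to wait for a second opinion.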

Dridex Banking Trojan
The Dridex banking Trojan is being sent by the same botnet and uses a nearly identical infection vector, but with slightly varied message content. The Dridex Trojan has been in circulation for years now but is still being used successfully to commit financial theft.

Current Dridex Banking Trojan messages:

What now

The Jaff ransomware, while it does differ, may just be the new iteration of the Locky ransomware. The Dridex banking Trojan, too, has morphed over time: it was once known as Zeus; after being redeveloped and built upon it became known as Cridex, and after further changes it returned as Dridex. This goes to show that the cybercrime groups behind these malware families also go through periods of redevelopment, just as any software creator would. For now, though, they are back to their old tricks, but with a new toy.

And of course, all SecureTide customers are protected from the threats described above.

Headlines worldwide are now screaming the news of yet another widespread ransomware attack, this time targeting hospitals, health care systems, and other organizations in Europe, Asia and beyond. According to the reports, cybercriminals have once again crippled vital computer networks around the world. Much news attention will (and should) focus on who did it and what damage it causes, but we absolutely can’t lose sight of the fact that it can be avoided, or at least mitigated, if people take a few simple steps. We’ve said all this before, but it bears repeating:

  1. Run regular software and hardware updates. Software and hardware updates often contain security patches for the holes that malware, like ransomware, wiggles its way through. The best kind of regular software updates are automatic ones, but if that’s not feasible, at least set up notifications to let you know when the latest update is available, and then set a maximum number of “snoozes” you will allow yourself.
  2. Have layered, redundant security in place. Ransomware is often delivered via an email attachment or a malvertisement on the Web. By having both email and Web protection in place, you can prevent ransomware from ever entering your network.
  3. Back up your files. A secure backup allows you to rid your network of malware and then restore your files. A pain? Yes. But it means you don’t have to pay a criminal and hope he keeps his word to decrypt your data.

Also, keep in mind that the only reason why these thieves launch these attacks is because people pay them. If everyone refuses to pay, they no longer have a business. As a side benefit, you’re cutting off money to the other illegal enterprises (think terrorism, drugs, human trafficking) this money supports.

Say it with me now: Back up your files, update your software and hardware, and get a layered, redundant security system in place.

Attackers are currently sending personalized emails attempting to extort money from website owners across the net. The sender threatens to launch a distributed denial of service (DDoS) attack, to the tune of 1 Tbps, against the recipient’s website unless they make a one-time payment of 0.1 Bitcoin. The recipient is given six hours to comply. Given the current value of Bitcoin, this translates to about $179 USD. Each message appears to use a unique Bitcoin address. The attackers also appear to be using Whois data to pinpoint their exact targets: each message we analyzed was sent to the registrant email listed in the public Whois record for the target domain. This type of targeted and customized threat has become the new normal.

Here is a look at the message below:

It seems these attackers have taken some pointers from the success that others have had with cryptographic ransomware, and there are indeed some similarities. They are using Bitcoin to accept payments, which is encrypted and nearly impossible to trace. They also create a sense of urgency by providing only six hours to comply. Both are tactics employed in most ransomware attacks. However, instead of delivering a malicious payload to whomever they can get to click, this attack takes a targeted approach using publicly available information. No software needs to be installed on the target machine; they are simply banking on the fact that a certain percentage of recipients will take the threat seriously enough to pay the relatively modest ransom. With the amount of media attention lately on the DDoS attacks that have been occurring, in particular those committed by the Mirai botnet, the timing of this attack is pretty good. Of course, we strongly recommend not paying the ransom in situations like this, as it only serves to facilitate more attacks of this kind.
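The indicators the post lists (a threat of DDoS, a Bitcoin address and amount, a short deadline, and delivery to the Whois registrant contact) can be turned into a triage rule for a mail filter or a SOC inbox. The Python below is an added example, not AppRiver’s code or filter logic; the two messages, the Bitcoin address (a made-up string that only fits the legacy address pattern) and the Whois registrant lookup table are all constructed for the demonstration, and the scoring weights are a starting point to tune rather than anything from the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real extortion message. The Bitcoin address is a
# made-up string that merely matches the address pattern; no checksum is valid.
SAMPLE_EMAIL = """\
From: "Anon" <threat@example.invalid>
To: registrant@example.com
Subject: example.com will be taken offline
Content-Type: text/plain; charset=utf-8

Your website example.com will be hit with a 1Tbps DDoS attack.
Send 0.1 BTC to 1FakeAddrConstructedForDemoXYZabc within 6 hours
and nothing will happen. After the deadline the price doubles.
"""

# Constructed ordinary message, for comparison.
BENIGN_EMAIL = """\
From: alice@example.com
To: registrant@example.com
Subject: Lunch on Thursday
Content-Type: text/plain; charset=utf-8

Are you free for lunch on Thursday around noon?
"""

# Constructed stand-in for the registrant contact in the public Whois record;
# in a real deployment this would be looked up for the targeted domain.
WHOIS_REGISTRANT = {"example.com": "registrant@example.com"}

BTC_ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")   # legacy base58 shape only
BTC_AMOUNT_RE = re.compile(r"\b(\d*\.?\d+)\s*(?:BTC|bitcoins?)\b", re.IGNORECASE)
DEADLINE_RE = re.compile(r"\b(\d+)\s*hours?\b", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b")
THREAT_TERMS = ("ddos", "denial of service", "tbps", "gbps", "taken offline", "take down")


def plain_body(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_message):
    """Score the extortion indicators; a higher score means more of them are present."""
    msg = message_from_string(raw_message)
    body = plain_body(msg)
    lowered = body.lower()
    subject = (msg.get("Subject") or "").lower()
    recipient = parseaddr(msg.get("To") or "")[1].lower()

    # The targeted domain is taken from the subject; the registrant check then
    # asks whether the mail went to the address published in Whois for it.
    target = DOMAIN_RE.search(subject)
    target_domain = target.group(0) if target else None
    sent_to_registrant = bool(target_domain) and WHOIS_REGISTRANT.get(target_domain) == recipient

    addresses = BTC_ADDRESS_RE.findall(body)
    amount = BTC_AMOUNT_RE.search(body)
    deadline = DEADLINE_RE.search(body)
    threat = any(term in lowered for term in THREAT_TERMS)

    score = 2 * threat + 2 * bool(addresses) + bool(amount) + bool(deadline) + 2 * sent_to_registrant
    verdict = "likely extortion" if score >= 5 else "no extortion indicators" if score == 0 else "review"
    return {
        "score": score,
        "verdict": verdict,
        "threat_language": threat,
        "btc_addresses": addresses,
        "amount_btc": float(amount.group(1)) if amount else None,
        "deadline_hours": int(deadline.group(1)) if deadline else None,
        "target_domain": target_domain,
        "sent_to_whois_registrant": sent_to_registrant,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL)["verdict"])   # likely extortion
    print(analyze(BENIGN_EMAIL)["verdict"])   # no extortion indicators
```

The registrant check is the interesting part for this campaign: a message that reaches only the Whois contact, and not the domain’s normal mailboxes, is a sign the sender harvested the address from a public record, which is exactly the targeting the post describes. The Bitcoin pattern is a shape check, not validation, so the extracted address is an indicator to record and correlate across messages (the post notes each one was unique), not something to act on by itself.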

Many have heard the term bitcoin and recognize it as a digital currency. Bitcoin is not the only player out there, just the most recognized; the others are unofficially termed altcoins, for alternative coins. Digital currencies, or cryptocurrencies, are created by a process called mining: performing complex mathematical computations related to the encryption of the specific cryptocurrency. This is necessary because the computations are used to verify the validity of transactions as well as to create more currency. Mining may be performed by a single computer or by many computers working together as a farm. There are even mining pools, where operators join forces and share the profit. These alternative digital currencies operate with different algorithms, privacy properties, and payment methods. Shady software providers frequently attempt to bundle mining software into downloads when they distribute their wares, so that supposedly “free software” you download may not actually be free after all. Someone has to pay the electricity, HVAC, and hardware costs associated with running the machine, not to mention the user’s time spent waiting for the machine to perform its intended tasks while mining software consumes system resources in the background, unbeknownst to them.

Typically, nefarious groups invest their time and effort where the risk-reward return is best at that moment. Ransomware that encrypts your data and holds it hostage is the most disruptive threat vector for both individual users and businesses right now. However, malicious actors are enterprising and will attempt to make money by any method possible: if they cannot take your money quickly via ransomware, then enslaving computers to crunch math problems behind your back will suffice. These groups have been using the Trojans and back doors already installed through malicious emails or web downloads to install miners. Some altcoins are preferred because they offer these actors additional privacy and less transparency than standard bitcoin. We have noticed an uptick in user machines protected by SecureSurf attempting to reach out to digital-currency pools, where the purveyors of the software cash in on the infected machines’ mining operations. An admin received the SecureSurf-generated Critical Threat Notification shown below and reached out to us. They thought the alert might have been a false positive; however, machines on the network were running mining software in the background and repeatedly attempting to reach out to a third-party altcoin “call home” pool. If successful, the operators cash in your algorithm-crunching results for currency. What you do not know is occurring on your network can cost you time, money, and overall productivity. Ask our sales team about a free trial of SecureSurf today.
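The behaviour that tripped the alert above, an internal machine repeatedly connecting to a mining pool, is easy to look for in any outbound-connection log even without a filtering product. The Python below is an added example, not SecureSurf’s detection logic or AppRiver’s code; the log lines, host names and destinations are constructed for the demonstration, and the hostname keywords and port list are illustrative starting points that a team would tune against its own traffic.

```python
from collections import defaultdict

# Constructed outbound-connection log lines in a firewall/proxy style. Hosts
# and destinations are invented; this is not real SecureSurf output.
LOG_LINES = """\
2017-05-16T08:12:03Z host=WS-042 dst=xmr-pool.example.invalid dport=3333 proto=tcp action=allow
2017-05-16T08:12:09Z host=WS-042 dst=www.example.com dport=443 proto=tcp action=allow
2017-05-16T08:13:03Z host=WS-042 dst=xmr-pool.example.invalid dport=3333 proto=tcp action=allow
2017-05-16T08:14:03Z host=WS-042 dst=xmr-pool.example.invalid dport=3333 proto=tcp action=allow
2017-05-16T08:14:11Z host=WS-017 dst=mail.example.com dport=993 proto=tcp action=allow
2017-05-16T08:15:40Z host=WS-017 dst=stratum.minepool-demo.invalid dport=14444 proto=tcp action=deny
2017-05-16T08:16:02Z host=WS-103 dst=pool.example.org dport=443 proto=tcp action=allow
"""

# Substrings often seen in pool hostnames, and ports pools commonly listen on.
# Both lists are illustrative assumptions and should be tuned to local data.
POOL_HOST_TERMS = ("stratum", "xmr", "monero", "minepool", "mining")
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}


def parse_line(line):
    """Turn 'TIMESTAMP key=value key=value ...' into a dict."""
    timestamp, *pairs = line.split()
    record = {"ts": timestamp}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def looks_like_pool(dst, dport):
    """A pool keyword in the hostname is enough; a generic 'pool' name also needs a pool port."""
    host = dst.lower()
    if any(term in host for term in POOL_HOST_TERMS):
        return True
    return dport in POOL_PORTS and "pool" in host


def find_mining_callhomes(log_text):
    """Group suspected pool connections per internal host, counting retries."""
    hits = defaultdict(lambda: {"attempts": 0, "destinations": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        try:
            dport = int(rec.get("dport", "0"))
        except ValueError:
            dport = 0
        if looks_like_pool(rec.get("dst", ""), dport):
            entry = hits[rec.get("host", "?")]
            entry["attempts"] += 1
            entry["destinations"].add(f"{rec.get('dst')}:{dport}")
    return dict(hits)


def persistent_offenders(hits, min_attempts=2):
    """Hosts that keep retrying, which is what a resident miner looks like."""
    return sorted(host for host, entry in hits.items() if entry["attempts"] >= min_attempts)


if __name__ == "__main__":
    found = find_mining_callhomes(LOG_LINES)
    for host, entry in found.items():
        print(host, entry["attempts"], sorted(entry["destinations"]))
    print("repeat offenders:", persistent_offenders(found))   # ['WS-042']
```

Note that a denied connection (WS-017) is still worth surfacing: the filter did its job, but the process making the request is still running on that machine. The repeat-attempt threshold is what separates a miner that keeps retrying its pool from a one-off browser visit to a site with an unlucky name, so it is the knob to adjust first if the rule is noisy.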