(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Malicious spam (malspam) impersonating eFax is old news, yetwe still occasionallysee it. Earlier this week, someone sent the ISCan exampleof eFax-themed malspamwith an attached Word document. ThoseeFax-themedmalspamcontaining Word documents are notnew [1], but the person submitting the example thought it might be Dridex. But I havent seen much Dridex sincekey players behind Citadel and Dridex were arrested in late August 2015[2]. Was this another wave of Dridex?

In this diary, weinvestigate. The result? It wasnt Dridex. It was just another Word document -- enable macros-- Pony downloader -- follow-upmalware. From what I can tell, the malware we found is being used in other themed malspam campaigns, not just eFax-themed. I like to document these, if only to remind people the spammers and botnets are still pushing out this sort of malware.

Our thanks to Wayne who provided the sample. ">Below is a screenshot from themalspam example Wayne sent us. Links in the email all went to the appropriate eFaxURLs. " />
Shown above: ">Looking at the email headers, youll find the recipients email server received the message">Shown above: Email headers fromthe">The Word document has macros. " />
Shown above: Document from the malspam" />
Shown above: Using OfficeMalScanners">Once youve got the macro extracted, you can review it with a text editor. Thisgives you some idea on what the macro does. For example, in the image below, you might be able to determinethat300.rtf, 301.rtf, and pm4.exe are created in the users AppData\Local\Temp folder (the TEMP" />
Shown above: ">Infecting a host using this Word document didnt generate a lot of traffic. There was onlya Fareit/Pony-style check-in followed by the follow-up malware being downloaded. By the time I reviewed the malware on Wednesday 2015-10-07, all hosts for the Fareit/Pony-style check-in traffic didnt resolve in DNS. I had to use a pcap from aHybrid-Analysis.com reportto see the check-in traffic." />
Shown above: Traffic from Hybrid-Analysis.com">Shown above: Intraffic from2015-10-07,none of the samplesFareit/Pony check-in">Below are alerts generated from the Hybrid-Analysis.coms pcap">Shownabove: Alerts from the Hybrid-Analysis pcap">Preliminary malware analysis


  • File size: 484.0 KB ( 495,616 bytes )
  • MD5 hash: 5cb9cff7e12b6c1d8724ab8f8a10555e
  • SHA1 hash: 834d314fe2f1e696a3217c24e6d726f61bd131a4
  • SHA256 hash: 9686caf5e37a676ce63054959dfe7ab3e09863f86fd13fb720dc2921621aa8a5
  • Detection ratio: 24 / 56
  • First submission: 2015-10-06 14:28:27 UTC
  • Virus Total link - " />

    Malware dropped by the document: C:\Users\username\AppData\Local\Temp\pm4.exe

    • File size: 442.0 KB ( 452,608 bytes )
    • MD5 hash: 29893d41d5b4d161ad8cd76628c4ae41
    • SHA1 hash: bc12a7d683a995329ec94e895a2b0008d3487b22
    • SHA256 hash: c5eb33f5a721be5d4a3026110e57b67a1c4d2aaab013dc379df588ac5f88913a
    • Detection ratio: 17 / 56
    • First submission: 2015-10-06 19:37:14 UTC
    • Virus Total Link - Malwr link - " />

      Other files noted in the users AppData\Local\Temp directory:

      • 300.rtf - 1.7 MB ( 1,754,310 bytes )
      • 301.rtf - 1.7 MB ( 1,754,310 bytes )

      Malware downloaded to infected host: m.exe stored as C:\Users\username\AppData\Local\[random name]\[random name].exe


Defense One

Senate To Reconsider Controversial InfoSec Bill After Recess
Defense One
A controversial cybersecurity bill that has been stalled in the Senate since August will return to the floor after next week's recess, the bill's co-sponsors said Tuesday. Subscribe. Receive daily email updates: Subscribe to Defense One Today. Be the ...

and more »

Enlarge / In-the-wild samples of Kemoge impersonating well-known apps. (credit: FireEye)

Researchers have uncovered yet another Android-based adware campaign targeting people who download what they believe are trusted titles from websites and other third-party app stores.

The apps use repackaged icons to disguise themselves as popular titles and are offered for download through pop-up ads on visited websites and in-app promotions, according to a blog post published Wednesday by researchers from security firm FireEye. Once installed, the apps exploit as many as eight separate Android vulnerabilities that allow the apps to gain deep root access privileges. From there, the apps launch code libraries mimicking legitimate Android services, such as com.facebook.qdservice.rp.provider and com.android.provider.setting, to gain a permanent foothold on infected phones.

FireEye researchers wrote:

Read 2 remaining paragraphs | Comments


Online extortion, may it be ransomware like cryptolocker, or extorting people with damaging data like Ashley Madision, is certainly one way criminals try to use to make a living. Many of these attempts go unreported, and I expect that they are also often ignored by the individuals receiving these emails. As an example, one of our readers sent us an Ashley Madison extortion attempt.

Theindividual forwarding us the extortion emails received multiple e-mails. All appear to originate from the same group. The From: addresses for all of the emails use the .xyz top level domain and similar subject lines as well as bodies.

Interestingly, the amount being extorted varies from e-mail to e-mail between 1 BTC and 5 BTC. The e-mails note two different Bitcoin addresses. For Bitcoin transactions, it is pretty easy to figure out how many Bitcoins were transferred to any particular address. All transactions are registered in the blockchain, and sites like blockchain.info allow you to search the blockchain for a particular transaction. In this case, it certainly looks like the miscreant was paid. One of the addresses received two transactions of 1 BTC each, and the other one a total of 9 BTCs in several transactions ranging from 1 to 3 BTC.

So the short lesson: crime pays. If we assume that all these transactions are due to these extortion emails (and the amounts match what was asked for), then these emails made at least 11 BTC or $2,700 . It is likely that this individual or group uses multiple bitcoin addresses. Sadly, the victim in this case paid for nothing. Since the data is already public, many others could follow with similar extortion requests.

In this particular case, the attacker makes the threat more real but claiming that they found the victims Facebook page and they threaten to share the information with the victims Facebook friends and possibly employer. They then advice the victim to change the Facebook privacy settings to prevent others from doing the same.

Here is the full text of the e-mail (I removed the bitcoin address as it may link to the person forwarding us the e-mail):

From: Laura [email protected]
Subject: You got.... busted

Unfortunately your data was leaked in the recent hacking of Ashley Madison and I know have your information. I have also used your user profile to find your Facebook page, using this I can now message all of your friends and family members.

If you would like to prevent me from sharing this dirt info with all of your friends and family members (and perhaps even your employers too?) then you need to send 1 bitcoin to the following BTC address.

Bitcoin Address:

You may be wondering why should you and what will prevent other people from doing the same, in short you now know to change your privacy settings in Facebook so no one can view your friends/family list. So go ahead and update that now (I have a copy if you dont pay) to stop any future emails like this.

You can buy bitcoin using online exchanges easily. If the bitcoin is not paid within 3 days then my system will automatically message all of your friends and family members. The bitcoin address is unique to you.

Consider how expensive a divorce lawyer is. If you are no longer in a committed relationship then think about how this will affect your social standing amongst family and friends. What will your friends and family think about you?


Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Advanced Information Security Corporation, Security Advisory (Oracle's MYSQL v5.6.24 Latest - Buffer Overflows) Repost
[REVIVE-SA-2015-001] Revive Adserver - Multiple vulnerabilities

Softpedia News

IP Camera Firm Pressures InfoSec Researcher to Cancel Security Conference ...
Softpedia News
Gianni Gnesa was scheduled to make a presentation at the Hack In The Box security conference on October 14 in Singapore. Not anymore. According to a tweet he sent out three days ago, and a notice on the conference website, Mr. Gnesa was forced to ...


(credit: Robert Scoble)

Verizon is giving a new mission to its controversial hidden identifier that tracks users of mobile devices. Verizon said in a little-noticed announcement that it will soon begin sharing the profiles with AOL's ad network, which in turn monitors users across a large swath of the Internet.

That means AOL's ad network will be able to match millions of Internet users to their real-world details gathered by Verizon, including "your gender, age range and interests." AOL's network is on 40 percent of websites, including on ProPublica.

AOL will also be able to use data from Verizon's identifier to track the apps that mobile users open, what sites they visit, and for how long. Verizon purchased AOL earlier this year.

Read 10 remaining paragraphs | Comments

Advanced Information Security Corporation, Security Advisory (MYSQL v5.6.24 Buffer Overflows)
Re: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid USB device descriptors (usbvision driver)
Zope Management Interface CSRF vulnerabilities
Local RedHat Enterprise Linux DoS â?? RHEL 7.3 Kernel crashes on invalid USB device descriptors (usbvision driver)
TestLink Security Advisory - Multiple XSS Vulnerabilities - CVE-2015-7391
TestLink Security Advisory - SQL Injection Vulnerability - CVE-2015-7390
[CVE-2015-7670] Multiple SQL Injection in Support Ticket System 1.2 WordPress plugin
Internet Storm Center Infocon Status