Information Security News
On Monday 2017-03-20, the ISC received a notification through our contact page. Someone reported numerous items of malicious spam (malspam) sent to addresses at his organization. The malspam had Microsoft Word documents (.docx files) as attachments and subject lines such as:
An example of the message text:
Check the payment report created for [recipient's email address] as you just ordered.
You may need Doc Passcode: [string of alphanumeric characters]
[fake sender's name]
The attached Word documents were approximately 70 kB in size and password-protected. The document file names started with the string of alphanumeric characters from the subject line followed by the recipient's email address. File names all ended with the .docx file extension.
This diary documents my investigation into this wave of malspam. We're always thankful for people who submit samples of emails and malware like this to the ISC.
The email appeared fairly typical of the malspam we see. People sometimes think that if malspam has the recipient's name in the email, it must be targeted. However, that's often not the case. This type of malspam is easily automated, and it can seem convincing when the recipient
Shown above: An example of the malspam.
The document would only open after using the password from the malspam it was attached to. This tactic typically allows the document to bypass detection in anti-virus tools.
Shown above: Request for the attached documents password.
The document had three embedded objects that were supposedly Word documents. Dragging and dropping the objects onto the desktop revealed they were all the same Visual Basic Script (VBS) file.
Shown above: Text from the embedded VBS file.
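As an added illustration (not code from the diary), the check below opens a .docx after its password protection has been removed, lists the objects under word/embeddings/, and flags those whose bytes contain VBScript markers. The sample document is constructed in memory, and the marker list is an assumption, not a signature taken from the page.

```python
import io
import re
import zipfile

# Constructed sample: a minimal .docx-style zip carrying three embedded objects
# that are all the same VBS text, mirroring the document described above.
VBS_BODY = b'Set o = CreateObject("WScript.Shell")\r\no.Run "cmd /c echo sample"\r\n'


def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        for i in range(1, 4):
            z.writestr(f"word/embeddings/oleObject{i}.bin", VBS_BODY)
    return buf.getvalue()


# Assumed heuristic markers: strings common in VBScript droppers. Real embeddings
# are OLE containers, but the packaged file bytes are stored raw inside them, so a
# plain byte scan still finds script text.
VBS_MARKERS = re.compile(
    rb"(?i)\b(CreateObject|WScript\.Shell|MSXML2\.XMLHTTP|ADODB\.Stream)\b"
)


def inspect_docx(data: bytes) -> dict:
    """Report embedded objects, which look like scripts, and how many differ."""
    report = {"embedded": [], "script_like": [], "unique_payloads": 0}
    seen = set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.startswith("word/embeddings/"):
                continue
            blob = z.read(name)
            report["embedded"].append(name)
            seen.add(blob)  # identical blobs collapse, as in the diary's sample
            if VBS_MARKERS.search(blob):
                report["script_like"].append(name)
    report["unique_payloads"] = len(seen)
    return report


if __name__ == "__main__":
    print(inspect_docx(build_sample_docx()))
```

A password-protected .docx is an encrypted OLE container rather than a zip, so this check applies only once the password has been removed.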
Executing the VBS file on a Windows host in my lab generated HTTP traffic. This is typically an attempt to download additional malware, such as a Windows executable or DLL file.
Shown above: Traffic generated by the .vbs file.
I searched reverse.it (also available as Payload Security on hybrid-analysis.com) and found 21 items submitted on Monday 2017-03-20 associated with the domain. Most were other documents from the same type of malspam. Two were attempts to analyze an extracted .vbs file. One was a query to the callback URL. None of these examples made it any farther than I did.
NOTE: Getting these search results on reverse.it requires a login.
Shown above: Search results on reverse.it (hybrid-analysis.com) for the callback domain.
Indicators of compromise (IoC)
The following indicators are associated with today's malspam example:
Password-protected Word document:
Word document with password-protection removed:
VBS file embedded in the Word document:
Traffic generated by the VBS file:
Last week, someone at cysinfo.com blogged about similar malspam designed to infect Windows hosts with an Ursnif banking Trojan. This type of password-protection technique in malspam attachments is nothing new. I've certainly seen it before, and some creative Google searching will reveal this started years ago. However, I haven't seen much about it in public forums lately.
Most security professionals assume we all know about it, so it doesn't usually make any headlines. I advise people that this is still a thing.
Of course, properly administered Windows hosts are far less vulnerable to this type of infection. The hosts I use in my lab environment are a different story. If anyone knows of someone who was actually infected by one of these password-protected documents, please share your tale in the comments.
brad [at] malware-traffic-analysis.net
The operator of a website that accepts subscriber logins only over unencrypted HTTP pages has taken to Mozilla's Bugzilla bug-reporting service to complain that the Firefox browser is warning that the page isn't suitable for the transmission of passwords.
"Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission," a person with the user name dgeorge wrote here (update: the link is no longer public). "Please remove it immediately. We have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business."
Update: Around the same time this post was going live, participants of this Reddit thread claimed to hack the site using what's known as a SQL injection exploit. Multiple people claimed that passwords were stored in plaintext rather than the standard practice of using cryptographic hashes. A few minutes after the insecurity first came up in the online discussion, a user reported the database was deleted. Ars has contacted the site operator for comment on the claims, but currently Ars can't confirm them. The site, http://www.oilandgasinternational.com, was displaying content as it did earlier at the time this update was made.
Cisco Systems said that more than 300 models of switches it sells contain a critical vulnerability that allows the CIA to use a simple command to remotely execute malicious code that takes full control of the devices. There currently is no fix.
Cisco researchers said they discovered the vulnerability as they analyzed a cache of documents that are believed to have been stolen from the CIA and published by WikiLeaks two weeks ago. The flaw, found in at least 318 switches, allows remote attackers to execute code that runs with elevated privileges, Cisco warned in an advisory published Friday. The bug resides in the Cisco Cluster Management Protocol (CMP), which uses the telnet protocol to deliver signals and commands on internal networks. It stems from a failure to restrict telnet options to local communications and the incorrect processing of malformed CMP-only telnet options.
"An attacker could exploit this vulnerability by sending malformed CMP-specific telnet options while establishing a telnet session with an affected Cisco device configured to accept telnet connections," the advisory stated. "An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device."
An observation from the road: I was with a client recently, and the discussion of proxies entered the conversation. Now, before we get all political and start dropping packet bombs, a technical challenge came up that really made me think.
Google recently released some numbers on encrypted traffic, and we are WELL past the 50% mark. With the ease of getting signed certificates through organizations like Letsencrypt and the high level of privacy concerns in the world, it only makes sense.
The observation: the proxy was politically driven, and senior management did not have the right business understanding of what a proxy does. Further, the word proxy had become an abstract term for the concept of filtering, blocking, and proxying. This made it hard when the vendor uses industry language and the organization says, yes, we understand that is what's REALLY going on, but please say proxy for that with management.
Now to the discovery portion of our diary: how long has it been since you looked at what is actually flowing out of your environment? Yes, yes, we know that everything runs over ports 80 or 443, but after taking a look at my own environment, a little more non-80/443 TCP traffic was leaving than expected (and that was even with a cynical predisposition).
With more than 50% of traffic being encrypted, it is clear that the topic of decryption needs to be revisited. Along with that, what is actually being picked up outbound, and what is not hitting the known exit points (e.g., is it really going over 443?).
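One way to answer the "what is really leaving on ports other than 80/443" question, as an added example that is not part of the diary: summarise outbound flows from constructed flow records by destination port and measure the share of bytes that bypass the expected web ports. The internal range, the record format and the sample flows are all assumptions made for the example.

```python
import ipaddress
from collections import Counter

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range for the sample
EXPECTED_PORTS = {80, 443}                     # what most people assume everything uses

# Constructed sample flow records: src_ip dst_ip proto dst_port bytes
SAMPLE_FLOWS = """\
10.1.2.3 93.184.216.34 tcp 443 51200
10.1.2.4 93.184.216.34 tcp 80 8192
10.1.2.5 198.51.100.7 tcp 8443 4096
10.1.2.5 198.51.100.9 udp 53 512
10.1.2.6 203.0.113.10 tcp 22 2048
10.1.2.7 10.1.9.9 tcp 445 65536
"""


def parse_flows(text: str) -> list:
    """Parse whitespace-separated flow records into typed tuples."""
    flows = []
    for line in text.splitlines():
        src, dst, proto, dport, nbytes = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      proto, int(dport), int(nbytes)))
    return flows


def outbound_summary(flows: list) -> dict:
    """Bytes per (proto, port) for flows leaving INTERNAL, plus the non-80/443 share."""
    per_port = Counter()
    for src, dst, proto, dport, nbytes in flows:
        if src in INTERNAL and dst not in INTERNAL:  # internal-to-internal is ignored
            per_port[(proto, dport)] += nbytes
    total = sum(per_port.values())
    unexpected = sum(b for (_, d), b in per_port.items() if d not in EXPECTED_PORTS)
    return {
        "per_port": dict(per_port),
        "total_bytes": total,
        "unexpected_bytes": unexpected,
        "unexpected_share": round(unexpected / total, 3) if total else 0.0,
    }


if __name__ == "__main__":
    for key, value in outbound_summary(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{key}: {value}")
```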
--- ISC Handler on Duty
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.