Here's a recent email conversation I thought I'd share:
Sent: Tuesday, August 4, 2015 18:48 UTC
Hi Brad - I'm a huge fan of the research you do and follow you on twitter.
Interested in a sample that we received today? Looks like a .zip file but I believe it is actually a .vbs or other format....
Have you seen anything like it? We block .zips but this sailed right through. Here's a screenshot:
NOTE: The gif shows a screenshot of an email (can't share the details) with a .zip attachment,
Sent: Wednesday, August 5, 2015 02:13 UTC
Subject: RE: Sample
Thanks for the email! Yeah, I've seen a few zipped (or otherwise archived) Visual Basic files sent through malspam. Here are some tweets about it I can remember off the top of my head:
2015-07-22 - twitter.com/malware_traffic/status/…
2015-07-27 - twitter.com/malware_traffic/status/…
2015-08-05 - twitter.com/malware_traffic/status/…
It's probably just another trick to evade the malware filters through the email.
Concerning your sample, I haven't noticed that particular theme before, but it fits the profile for this type of malspam. The archived attachments are quite small--anywhere from 4 to 8 KB.
The .vbe-based malware are file downloaders. I've seen both .vbe and .js files sent this way, usually archived in ZIP format, but today I saw a .vbe downloader archived using RAR.
Hope this helps. Thanks again for the info. It's always interesting to see what others are finding.
Rackspace Information Security Operations Center (ISOC)
San Antonio, Texas, United States
Company website: rackspace.com
Personal blog: malware-traffic-analysis.net/
Aug 5th 2015
3 years ago