SANS ISC: Archived .vbe attachments in malspam - SANS Internet Storm Center SANS ISC InfoSec Forums

Archived .vbe attachments in malspam
Here's a recent email conversation I thought I'd share:

From: [redacted]
Sent: Tuesday, August 4, 2015 18:48 UTC
To: brad@malware-traffic-analysis.net
Subject: Sample


Hi Brad - I'm a huge fan of the research you do and follow you on twitter.

Interested in a sample that we received today? Looks like a .zip file but I believe it is actually a .vbs or other format....

Have you seen anything like it? We block .zips but this sailed right through. Here's a screenshot:

(pic08723.gif)


Thanks,
[redacted]

NOTE: The gif shows a screenshot of an email (can't share the details) with a .zip attachment,

From: brad@malware-traffic-analysis.net
Sent: Wednesday, August 5, 2015 02:13 UTC
To: [redacted]
Subject: RE: Sample

[redacted],

Thanks for the email! Yeah, I've seen a few zipped (or otherwise archived) Visual Basic files sent through malspam. Here are some tweets about it I can remember off the top of my head:

2015-07-22 - twitter.com/malware_traffic/status/…
2015-07-27 - twitter.com/malware_traffic/status/…
2015-08-05 - twitter.com/malware_traffic/status/…

It's probably just another trick to evade the malware filters through the email.

Concerning your sample, I haven't noticed that particular theme before, but it fits the profile for this type of malspam. The archived attachments are quite small--anywhere from 4 to 8 KB.

The .vbe-based malware are file downloaders. I've seen both .vbe and .js files sent this way, usually archived in ZIP format, but today I saw a .vbe downloader archived using RAR.

Hope this helps. Thanks again for the info. It's always interesting to see what others are finding.

Regards,

Brad Duncan
Security Researcher
Rackspace Information Security Operations Center (ISOC)
San Antonio, Texas, United States
Company website: rackspace.com
Personal blog: malware-traffic-analysis.net/
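The evasion described in the exchange above (script downloaders such as .vbe or .js wrapped in a small ZIP or RAR so a mail filter keyed on the declared attachment name lets them through) can be checked on the receiving side by identifying the container from its leading bytes and listing what it holds. The following is an added example, not code from the diary or from Brad's site; the filename, the inert placeholder .vbe member and the inclusion of .vbs alongside the .vbe and .js extensions the diary names are assumptions.

```python
import io
import os
import zipfile
from typing import Optional

# Extensions the diary reports inside archived malspam (.vbe, .js); .vbs is an
# assumption, added as the unencoded counterpart of .vbe.
SCRIPT_EXTENSIONS = {".vbe", ".vbs", ".js"}
# Upper end of the archive sizes noted in the diary (4 to 8 KB); only annotates a finding.
SMALL_ARCHIVE_BYTES = 8 * 1024

ZIP_MAGIC = b"PK\x03\x04"      # local file header of a non-empty ZIP
RAR_MAGIC = b"Rar!\x1a\x07"    # RAR signature (v4 and v5 share this prefix)


def archive_type(data: bytes) -> Optional[str]:
    """Classify the container by content, not by the extension the sender chose."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RAR_MAGIC):
        return "rar"
    return None


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Report archive type, size band, name/content mismatch and any script members."""
    kind = archive_type(data)
    declared = os.path.splitext(filename.lower())[1].lstrip(".")
    report = {"filename": filename, "archive": kind,
              "small": len(data) <= SMALL_ARCHIVE_BYTES,
              "extension_mismatch": kind is not None and declared != kind,
              "script_members": []}
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if os.path.splitext(member.lower())[1] in SCRIPT_EXTENSIONS:
                    report["script_members"].append(member)
    # RAR: the standard library cannot list members, so the container is only flagged.
    return report


def verdict(report: dict) -> str:
    """'block' on a script member, 'review' on an unlisted container, else 'allow'."""
    if report["script_members"]:
        return "block"
    if report["archive"] == "rar":
        return "review"
    return "allow"


def build_sample_zip() -> bytes:
    """Constructed input: a ZIP holding an inert text file named like a .vbe downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_0805.vbe", "' placeholder text, not an encoded script\n")
    return buf.getvalue()
```

Because classification starts from the bytes, renaming the container to .pdf or .doc still yields a ZIP report with the script member listed.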
