SANS ISC InfoSec Forums: Fake LogMeIn Certificate Update with Bad AV Detection Rate

Fake LogMeIn Certificate Update with Bad AV Detection Rate

I just received a pretty "plausible looking" e-mail claiming to originate from Logmein.com. The e-mail passed the first "gut check".

  • The "From" address is auto-mailer@logmein.com.
  • It was sent to an address I have used for Logmein in the past.
  • The only link inside the e-mail went to a legit Logmein URL.

Of course, the .zip attachment did set off some alarm bells, in particular as it unzipped to a .scr (Screen Saver).

According to VirusTotal, AV detection is almost non-existent at this point:

LogmeIn does publish an SPF record, and the e-mail did not originate from a valid LogmeIn mail sender, so it should be easy to discriminate against these emails using a standard spam filter.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Spring 2020

Johannes

3699 Posts
ISC Handler
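The diary flags a .zip attachment that unpacks to a .scr file. The check below is an added example (not code from the ISC or from the diary's author) of how a mail gateway can reject such attachments by reading the archive's central directory without extracting anything. The archive it builds, and the member name LogMeIn_Certificate_Update.scr, are constructed for the demonstration; the real attachment's file name is not given on the page.

```python
import io
import zipfile
from typing import List

# Extensions Windows treats as directly executable. A .scr "screen saver" is a
# PE executable, which is why the diary's attachment set off alarm bells.
EXECUTABLE_EXTENSIONS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd",
                         ".js", ".vbs", ".jar")


def suspicious_zip_members(zip_bytes: bytes) -> List[str]:
    """Return archive members whose final extension is directly executable.

    Only the central directory is parsed; nothing is extracted, so a hostile
    archive is never written to disk by this check. Double extensions such as
    "update.pdf.scr" are caught because only the final extension is compared.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                flagged.append(info.filename)
    return flagged


def classify_zip_attachment(zip_bytes: bytes) -> str:
    """Gateway verdict: 'block' (executable inside), 'quarantine' (claims to be
    a zip but cannot be parsed, so it cannot be inspected), or 'allow'."""
    try:
        flagged = suspicious_zip_members(zip_bytes)
    except zipfile.BadZipFile:
        return "quarantine"
    return "block" if flagged else "allow"


def build_sample_zip(member_names) -> bytes:
    """Constructed sample: an in-memory archive whose members are inert text,
    so the example runs offline without touching any real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name in member_names:
            archive.writestr(name, "placeholder text, not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(["LogMeIn_Certificate_Update.scr", "readme.txt"])
    print(suspicious_zip_members(sample))   # ['LogMeIn_Certificate_Update.scr']
    print(classify_zip_attachment(sample))  # block
    print(classify_zip_attachment(b"not a zip at all"))  # quarantine
```

The "quarantine" verdict matters in practice: an attachment that cannot be parsed cannot be vetted, and treating it as clean would let a malformed or nested archive through the only control that inspects it.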
Could you provide a link to the Virus Total report on the file?
BigTotoro

4 Posts
Logmein ain't free anymore, I wonder how many people will actually fall for this. I switched to teamviewer the second logmein went non-free.
Anonymous
Even though it's a hard-fail, it's a mess. 474 characters all jammed into one TXT record and including all of salesforce.com's email servers.

v=spf1 mx:3amlabs.com ip4:82.150.61.82 ip4:63.251.133.64/27 ip4:77.242.192.1 ip4:69.25.20.1 ip4:74.201.74.1 ip4:173.48.77.106 ip4:195.56.119.18 ip4:67.20.183.208/28 ip4:216.52.233.0/24 ip4:64.94.18.0/24 ip4:64.94.46.1 ip4:74.112.65.204 ip4:74.112.65.210 ip4:72.22.169.96/27 ip4:207.106.191.64/26 ip4:67.208.179.240/28 ip4:63.251.46.1 ip4:195.70.42.217 ip4:91.82.95.146 ip4:162.211.109.78 ip4:111.221.57.0/24 ip4:117.20.45.0/24 ip4:63.254.155.0/24 include:salesforce.com -all
Anonymous
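The diary says the SPF record makes these mails easy to discriminate, and the comment above points out how unwieldy the record is. The code below is an added example, not from the ISC or any commenter, that evaluates the quoted LogMeIn record against a sender IP the way a filter would, using only the literal ip4/ip6 mechanisms. Mechanisms that need DNS (mx, include, a, ptr, exists, redirect=) are not resolved offline; when the verdict would depend on one of them the function reports "unresolved" rather than guessing. It also counts the DNS-lookup terms, which RFC 7208 caps at 10, and the record length, since a single DNS TXT character-string is limited to 255 octets and a longer record must be published as several concatenated strings. The sender addresses in the usage lines are constructed from documentation ranges (192.0.2.0/24, 2001:db8::/32).

```python
import ipaddress
import re

# The LogMeIn SPF TXT record quoted in the comment above, rejoined into one string.
LOGMEIN_SPF = (
    "v=spf1 mx:3amlabs.com ip4:82.150.61.82 ip4:63.251.133.64/27 ip4:77.242.192.1 "
    "ip4:69.25.20.1 ip4:74.201.74.1 ip4:173.48.77.106 ip4:195.56.119.18 "
    "ip4:67.20.183.208/28 ip4:216.52.233.0/24 ip4:64.94.18.0/24 ip4:64.94.46.1 "
    "ip4:74.112.65.204 ip4:74.112.65.210 ip4:72.22.169.96/27 ip4:207.106.191.64/26 "
    "ip4:67.208.179.240/28 ip4:63.251.46.1 ip4:195.70.42.217 ip4:91.82.95.146 "
    "ip4:162.211.109.78 ip4:111.221.57.0/24 ip4:117.20.45.0/24 ip4:63.254.155.0/24 "
    "include:salesforce.com -all"
)

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}
# qualifier, name, separator (":" or "/" for mechanisms, "=" for modifiers), argument
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:([:=/])(.*))?$", re.IGNORECASE)
MAX_TXT_STRING = 255   # RFC 1035 character-string limit per TXT string


def count_dns_lookup_terms(record: str) -> int:
    """Count terms that each cost a DNS lookup; RFC 7208 limits these to 10."""
    count = 0
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            continue
        name, sep = m.group(2).lower(), m.group(3)
        if (sep != "=" and name in DNS_MECHANISMS) or (sep == "=" and name == "redirect"):
            count += 1
    return count


def needs_multiple_txt_strings(record: str) -> bool:
    """True when the record cannot fit in a single 255-octet TXT string."""
    return len(record.encode("ascii")) > MAX_TXT_STRING


def evaluate_spf_offline(record: str, sender_ip: str) -> str:
    """Evaluate an SPF record left to right against sender_ip using literal
    ip4/ip6 mechanisms only. Returns pass/fail/softfail/neutral/permerror, or
    'unresolved' when the answer hinges on a DNS-backed mechanism."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    skipped = []            # qualifiers of DNS-backed mechanisms not evaluated
    redirect_seen = False
    for term in terms[1:]:
        m = TERM.match(term)
        if not m:
            return "permerror"
        qualifier = m.group(1) or "+"
        name, sep, arg = m.group(2).lower(), m.group(3), m.group(4)
        if sep == "=":                       # modifier (redirect=, exp=, ...)
            if name == "redirect":
                redirect_seen = True
            continue                         # unknown modifiers are ignored
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                result = QUALIFIER_RESULT[qualifier]
                # An earlier unevaluated mechanism could only change the verdict
                # if it carries a different qualifier than this match.
                if skipped and not (result == "pass" and all(q == "+" for q in skipped)):
                    return "unresolved"
                return result
        elif name == "all":
            if skipped and any(q != qualifier for q in skipped):
                return "unresolved"
            return QUALIFIER_RESULT[qualifier]
        elif name in DNS_MECHANISMS:
            skipped.append(qualifier)
        else:
            return "permerror"               # unknown mechanism
    # No match and no "all": RFC 7208 says neutral, unless evaluation would
    # have continued in another record or in a mechanism we could not check.
    return "unresolved" if (redirect_seen or skipped) else "neutral"


if __name__ == "__main__":
    print(evaluate_spf_offline(LOGMEIN_SPF, "82.150.61.82"))   # pass
    print(evaluate_spf_offline(LOGMEIN_SPF, "192.0.2.10"))     # unresolved
    print(count_dns_lookup_terms(LOGMEIN_SPF))                 # 2
    print(needs_multiple_txt_strings(LOGMEIN_SPF))             # True
```

The "unresolved" path is the caveat a filter author should keep in mind: a sender that matches none of the literal networks is not yet a hard fail, because the mx and include mechanisms (here, 3amlabs.com and all of salesforce.com's senders) are consulted before -all is reached, and include:salesforce.com in turn spends lookups from the same budget of 10.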
These detected with:

Sanesecurity.Malware.24300.ZipHeur.UNOFFICIAL FOUND
Sanesecurity.Rogue.0hr.20140922-1644.UNOFFICIAL FOUND
ClamAV 3rd Party signatures: sanesecurity.com
Sanesecurity

21 Posts
Was stopped @ the gate by my SW TZ105 with total secure package. There is not much data on it locally but shows globally a major spike. I will have to update my thread in regards to FW suggestions.

Let me know if I can supply any other data...
ICI2Eye

52 Posts
