Massive malware spam campain to corporate domains in Colombia

Massive malware spam campain to corporate domains in Colombia
There was a massive malware spam campain directed to corporate domains in Colombia. The following was the e-mail received: Now this e-mail has two interesting aspects: It is tracking if the user reads the message using the google analytics API by invoking the following: img src=3Dhttp://www.google-analytics.com/c= ollect?v=3D1&tid=3DUA-62115737-1&cid=3Dxx@xx.com&t=3De= vent&ec=3Dxx@xx.com&ea=3Dopens&el=3Dxx@xx.com&cs=3Dnewsletter&cm=3Demail&cn=3D062413&cm1=3D1?/ It has a link to a dropbox file being masqueraded with the google url redirection script: https://www.google.com/url?q=3Dhttps%3A%2F%= 2Fwww.dropbox.com%2Fs%2Fvs5hho625v7ibw5%2FACH=5Ftransaction5721.doc%3Fdl%3D= 1&sa=3DD&sntz=3D1&usg=3DAFQjCNFADf1fsGqdWqwSOnMC6XyLMHrL2w When opened, this document has embedded a visual basic script that downloads a known trojan password stealer designed for colombian banks. This domain uses a private registation service, avoiding to know the identity of the registrar: Be careful when opening unknown e-mails. You could be leaking information and compromising your computer, even when you see google domain in the URLs. Manuel Humberto Santander Peláez SANS Internet Storm Center - Handler Twitter: @manuelsantander Web:http://manuel.santander.name e-mail: msantand at isc dot sans dot org	Manuel Humberto Santander Pelaacuteez 193 Posts ISC Handler
Subscribe	May 1st 2015 5 years ago
Whois History from Domain Tools reveals the registrant: Registrant Name: Jonathan Moctezuma Olvera Registrant Organization: X-Solutions Registrant Street: Real de los Encinos23A real de atizapan Registrant Street: Atizapan de Zaragoza Registrant City: Estado de Mexico Registrant State/Province: Mexico Registrant Postal Code: 52945 Registrant Country: Mexico Registrant Phone: +420.25179 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: jmoctezuma@xsolutions.com.mx	Anonymous
Quote	May 1st 2015 5 years ago
Manuel, Is there a way to open these emails while avoiding the tracking from triggering?	SasK 12 Posts
Quote	May 1st 2015 5 years ago
Quote:Be careful when opening unknown e-mails. You could be leaking information and compromising your computer, even when you see google domain in the URLs. Excellent advice and will add another layer. Numerous families I know have been hit when clicking on Google Images by their kids doing school work. Though I have reported @ least 25, I can only say Google is fast becoming quicksand at all levels. Another way I try to cut down is plug-ins to block GA and other beacons. Yes, it is a bit more work, however once compromised you wish you would have taken that extra time. Nothing is fool proof, just add a heavy cup of common sense. Compute safe all.	ICI2I 63 Posts
Quote	May 1st 2015 5 years ago
thunderbird under linux will not open graphic file unless you tell it to. it will also allow you to preview the raw text of the email, including full headers. it will not send acknowledgement unless you tell it to. there are other mail clients that have similar features, but i am most familiar with thunderbird.	Moriah 133 Posts
Quote	May 1st 2015 5 years ago
Aren't you lucky. We've been getting these for about a month. The most recent versions contain a URL that's a google search link for a dropbox link which is hosting the actual malware... I've been searching our mail logs for subjects that contain " ACH " and the words cancelled, aborted, denied, rejected. That finds most of them although there are a few other permutations too.	Brent 123 Posts
Quote	May 4th 2015 5 years ago
Warning: shameless plug follows: These were reported to me by a user before any automated tools began detecting/reporting/blocking these. We recently started using phishme.com to help educate the userbase and get them reporting phish more often than falling for them. We still have some users who fall for every phish they see but now I'm getting earlier reports of phish which means I can sometimes do a little malware/phish analysis and proactively block the phish and/or block URLs/hostnames before every user sees the phish and clicks on a link or opens an infected office or pdf file or runs the attached .exe/.scr/.com file, etc.	Brent 123 Posts
Quote	May 4th 2015 5 years ago

There was a massive malware spam campain directed to corporate domains in Colombia. The following was the e-mail received:

ACH spam e-mail

Now this e-mail has two interesting aspects:

It is tracking if the user reads the message using the google analytics API by invoking the following:

img src=3Dhttp://www.google-analytics.com/c=
ollect?v=3D1&tid=3DUA-62115737-1&cid=3Dxx@xx.com&t=3De=
vent&ec=3Dxx@xx.com&ea=3Dopens&el=3Dxx@xx.com&cs=3Dnewsletter&cm=3Demail&cn=3D062413&cm1=3D1?/

It has a link to a dropbox file being masqueraded with the google url redirection script:

https://www.google.com/url?q=3Dhttps%3A%2F%=
2Fwww.dropbox.com%2Fs%2Fvs5hho625v7ibw5%2FACH=5Ftransaction5721.doc%3Fdl%3D=
1&sa=3DD&sntz=3D1&usg=3DAFQjCNFADf1fsGqdWqwSOnMC6XyLMHrL2w

When opened, this document has embedded a visual basic script that downloads a known trojan password stealer designed for colombian banks.

This domain uses a private registation service, avoiding to know the identity of the registrar:

frterminales private registration

Be careful when opening unknown e-mails. You could be leaking information and compromising your computer, even when you see google domain in the URLs.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

Manuel Humberto Santander Pelaacuteez

193 Posts
ISC Handler

Whois History from Domain Tools reveals the registrant:

Registrant Name: Jonathan Moctezuma Olvera
Registrant Organization: X-Solutions
Registrant Street: Real de los Encinos23A real de atizapan
Registrant Street: Atizapan de Zaragoza
Registrant City: Estado de Mexico
Registrant State/Province: Mexico
Registrant Postal Code: 52945
Registrant Country: Mexico
Registrant Phone: +420.25179
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: jmoctezuma@xsolutions.com.mx

Anonymous

Manuel,

Is there a way to open these emails while avoiding the tracking from triggering?

SasK

12 Posts

Quote:Be careful when opening unknown e-mails. You could be leaking information and compromising your computer, even when you see google domain in the URLs.

Excellent advice and will add another layer. Numerous families I know have been hit when clicking on Google Images by their kids doing school work. Though I have reported @ least 25, I can only say Google is fast becoming quicksand at all levels. Another way I try to cut down is plug-ins to block GA and other beacons. Yes, it is a bit more work, however once compromised you wish you would have taken that extra time.

Nothing is fool proof, just add a heavy cup of common sense. Compute safe all.

ICI2I

63 Posts

thunderbird under linux will not open graphic file unless you tell it to. it will also allow you to preview the raw text of the email, including full headers. it will not send acknowledgement unless you tell it to. there are other mail clients that have similar features, but i am most familiar with thunderbird.

Moriah

133 Posts

Aren't you lucky. :-)

We've been getting these for about a month. The most recent versions contain a URL that's a google search link for a dropbox link which is hosting the actual malware...

I've been searching our mail logs for subjects that contain " ACH " and the words cancelled, aborted, denied, rejected. That finds most of them although there are a few other permutations too.

Brent

123 Posts

Warning: shameless plug follows: These were reported to me by a user before any automated tools began detecting/reporting/blocking these. We recently started using phishme.com to help educate the userbase and get them reporting phish more often than falling for them. We still have some users who fall for every phish they see but now I'm getting earlier reports of phish which means I can sometimes do a little malware/phish analysis and proactively block the phish and/or block URLs/hostnames before every user sees the phish and clicks on a link or opens an infected office or pdf file or runs the attached .exe/.scr/.com file, etc.

Brent

123 Posts