
SANS ISC: Voice Message Notifications Deliver Ransomware - SANS Internet Storm Center


Voice Message Notifications Deliver Ransomware

Bad guys constantly need new ways to lure their victims. Fake billing notifications were very common for a while, but not everyone in a company handles that kind of document. What do all employees have in common? A phone number. With modern "Unified Communications" platforms such as Microsoft Lync or Cisco, anyone can receive an e-mail notifying them of a new voice mail, and even residential systems deliver voice message notifications.

Here is an example displayed in Microsoft Outlook:

Today, I received a wave of emails like the following:

From: voicemail@rootshell.be
To: [redacted]
Subject: [Vigor2820 Series] New voice mail message from 01422520472 on 2016/08/23 15:55:25

Dear [redacted]:

There is a message for you from 01422520472, on 2016/08/23 15:55:25 .
You might want to check it when you get a chance.Thanks!

The sender address is spoofed to use the victim's own domain name. The following file was attached to the message:

$ unzip Message_from_01422520472.wav.zip
Archive:  Message_from_01422520472.wav.zip
    testing: 197577509502.wsf         OK
No errors detected in compressed data of Message_from_01422520472.wav.zip.
$ md5sum 197577509502.wsf
f2ee33a688a45b161d3191693196cb1d  197577509502.wsf

Note the '.wav.zip' double extension, chosen so the user believes the attachment is an audio file; the archive actually contains a Windows Script File (.wsf). As usual, the payload is heavily obfuscated and the AV detection ratio is still very low (6/55 at 11:55:00 UTC)[1].
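The checks a mail gateway or triage script would apply to this lure, as an added example that is not part of the original diary: the message built here is constructed to mirror the sample above (voicemail@ sender on the victim's own domain, a '.wav.zip' attachment holding a .wsf), the script inside the zip is a harmless placeholder rather than the real obfuscated payload, and the example.com addresses are assumptions.

```python
"""Triage of a voicemail-notification lure like the one in this diary.

Added example, not the diary author's code. The message is constructed
here to mirror the sample (voicemail@ sender on the victim's own domain,
a '.wav.zip' attachment holding a .wsf file); the script inside is a
harmless placeholder, not the real obfuscated payload.
"""
import email
import email.policy
import hashlib
import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

# File types Windows runs as code when double-clicked (WSH, HTA, PE).
SCRIPT_EXTS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta",
               ".exe", ".scr", ".cmd", ".bat"}
# Media/document extensions used as a decoy in front of the real one.
DECOY_EXTS = {".wav", ".mp3", ".pdf", ".doc", ".docx", ".jpg", ".png"}


def build_sample_message() -> bytes:
    """Construct the lure as raw RFC 5322 bytes (sample data, not the real mail)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("197577509502.wsf",
                    "<job><script language='JScript'>/* placeholder */</script></job>")
    msg = EmailMessage()
    msg["From"] = "voicemail@example.com"        # spoofed: same domain as the victim
    msg["To"] = "victim@example.com"
    msg["Subject"] = ("[Vigor2820 Series] New voice mail message from "
                      "01422520472 on 2016/08/23 15:55:25")
    msg.set_content("There is a message for you from 01422520472, "
                    "on 2016/08/23 15:55:25 .\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Message_from_01422520472.wav.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Parse one message and return the lure indicators it exhibits."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []

    sender = parseaddr(str(msg["From"] or ""))[1]
    recipient = parseaddr(str(msg["To"] or ""))[1]
    if "@" in sender and sender.split("@")[-1].lower() == recipient.split("@")[-1].lower():
        # Internal-looking sender; the true origin must be checked in Received:/SPF.
        findings.append("sender-spoofs-recipient-domain")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        info = {"name": name, "md5": hashlib.md5(data).hexdigest(), "members": []}
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        # 'Message.wav.zip': a decoy media extension in front of the archive.
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
            findings.append(f"decoy-double-extension:{name}")
        if suffixes and suffixes[-1] == ".zip":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        info["members"].append(member)
                        if PurePosixPath(member).suffix.lower() in SCRIPT_EXTS:
                            findings.append(f"script-in-archive:{member}")
            except zipfile.BadZipFile:
                findings.append(f"corrupt-archive:{name}")
        attachments.append(info)

    return {"findings": findings, "attachments": attachments}


if __name__ == "__main__":
    for key, value in triage(build_sample_message()).items():
        print(key, value)
```

The domain check only says the sender looks internal; whether it really is must come from the Received: chain or an SPF/DKIM result, which is where the "originating outside our network" observation in the comments below becomes the decisive signal. Listing the archive members without executing anything is the same step as the 'unzip -t' above, so the .wsf is visible before any user has a chance to double-click it.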

The "Vigor2820" in the subject line is a DrayTek ADSL router sold to residential customers in the UK[2], and the message is dressed up as the voice mail notification such a device sends. This suggests that this new wave is targeting residential customers.

Here are the C2 servers (for your IDS):

89.42.39.81
213.205.40.169
51.254.55.171
194.67.210.183
185.51.247.211
185.129.148.19
91.201.202.125
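Turning the list above into something the IDS and the log pipeline can use, as an added example that is not part of the original diary: the Suricata/Snort rule syntax is standard, but the SID base (a value in the local-rule range), the rule message text and the firewall log lines and their format are all assumptions made up for this example.

```python
"""Turn the diary's C2 list into Suricata rules and sweep logs for hits.

Added example, not from the diary. The rule syntax is standard Suricata/
Snort; the SID base (local-rule range), the rule message and the firewall
log lines and their format are assumptions made up for this example.
"""
import ipaddress
import re

# The seven C2 addresses listed in the diary.
C2_IPS = [
    "89.42.39.81", "213.205.40.169", "51.254.55.171", "194.67.210.183",
    "185.51.247.211", "185.129.148.19", "91.201.202.125",
]

SID_BASE = 9000000  # assumed: local rules use SIDs >= 1,000,000 by convention


def suricata_rules(ips=C2_IPS, sid_base=SID_BASE, msg="ISC voicemail lure C2"):
    """One 'alert ip' rule per C2 address for outbound traffic from $HOME_NET."""
    rules = []
    for i, ip in enumerate(ips):
        ipaddress.ip_address(ip)  # reject malformed entries before they reach the IDS
        rules.append(
            f'alert ip $HOME_NET any -> {ip} any '
            f'(msg:"{msg} {ip}"; classtype:trojan-activity; '
            f'sid:{sid_base + i}; rev:1;)'
        )
    return rules


# Match whole dotted quads only, so 89.42.39.81 does not fire on 189.42.39.81.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed firewall log, not real data; line 3 is a deliberate near-miss.
SAMPLE_LOG = """\
2016-08-23T15:58:01 fw01 ACCEPT TCP 10.1.2.34:51422 -> 203.0.113.5:443
2016-08-23T15:58:07 fw01 ACCEPT TCP 10.1.2.34:51430 -> 51.254.55.171:80
2016-08-23T15:58:09 fw01 ACCEPT TCP 10.1.2.35:49152 -> 189.42.39.81:80
2016-08-23T15:58:12 fw01 ACCEPT TCP 10.1.2.36:49170 -> 185.51.247.211:443
"""


def find_c2_hits(log_text, ips=C2_IPS):
    """Return (line_number, ip) for every log line that mentions a C2 address."""
    wanted = set(ips)
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for ip in IPV4.findall(line):
            if ip in wanted:
                hits.append((n, ip))
    return hits


if __name__ == "__main__":
    print("\n".join(suricata_rules()))
    print(find_c2_hits(SAMPLE_LOG))
```

The rules only watch outbound connections, which is what an infected host makes when it fetches the ransomware; a second set with the direction reversed catches the rare inbound contact. Grep-style matching on raw strings is the usual mistake here: without the whole-quad regex, 89.42.39.81 also matches the unrelated 189.42.39.81 on line 3. C2 addresses in campaigns like this rotate within days, so the rules need an expiry date as much as a SID.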

[1] https://www.virustotal.com/en/file/97be73cf491cf8e4d30e0e6d9b73e95151f77b3e52813e06b2ef391fa6f26b2a/analysis/1471949327/
[2] http://www.draytek.co.uk/products/legacy/vigor-2820

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

We've been seeing greylist entries with from addresses of voicemail@ at several of the domains we serve, all of them originating outside our network, of course.

The current count is approx 150, but we'll keep monitoring of course.

I've already submitted the list of IP addresses separately.

Please let me know if you would want me to set up a periodic refresh or if you would like further data such as spamd log extracts.

- Peter

PS (update 2016-08-24): final count is 207 unique IP addresses attempting to deliver; none got past our greylisting. A writeup with data and some massaging may follow soonish, time allowing (check back at bsdly.blogspot.com).
peteratbsdly.net

Thanks for posting events like this!

We saw the same exact campaign this morning at our company
Anonymous

Sanesecurity phish.ndb blocked 2,213 of them so far today as Sanesecurity.Malware.26295.JsHeur

foxhole_js.cdb and foxhole_filename.cdb also blocking them.

sanesecurity.com/usage/linux-scripts/
Sanesecurity

I have been noticing an abnormal amount of war-dialing activity as well on my land line, which has had the same number for 25+ years.
jACKtheRipper

What kind of IDS rules or policies should I be adding these IPs to? Total noob alert...!
Anonymous

I finally got the promised writeup done, with slightly better researched numbers and some data on where the traffic came from.

It's up at http://bsdly.blogspot.com/2016/08/the-voicemail-scammers-never-got-past.html
peteratbsdly.net

Out of necessity, to cover our own needs and protect our clients, we created an application called RansomSaver. It is an Outlook add-in, and basically what it does is move new incoming infected email to a folder under Deleted Items called RansomSaver. We provide this software for free and with no strings attached.

To download or see further information regarding RansomSaver please visit http://synergy-usa-llc.com/ransomsaver-overview.html
SYNERGYUSALLC

