SANS ISC: Internet Storm Center

Voice Message Notifications Deliver Ransomware

Published: 2016-08-23
Last Updated: 2016-08-23 12:21:59 UTC
by Xavier Mertens (Version: 1)
5 comment(s)

Bad guys constantly need to find new ways to lure their victims. Billing notifications were very common for a while, but not everybody in a company works with such documents. What do they all have in common? A phone number. With modern communication channels ("Unified Communications") like Microsoft Lync or Cisco, everybody can receive an email with a voice mail notification, and even residential systems can deliver voice message notifications.

Here is an example displayed in Microsoft Outlook:

Today, I received a wave of emails like the following:

From: voicemail@rootshell.be
To: [redacted]
Subject: [Vigor2820 Series] New voice mail message from 01422520472 on 2016/08/23 15:55:25

Dear [redacted]:

There is a message for you from 01422520472, on 2016/08/23 15:55:25 .
You might want to check it when you get a chance.Thanks!

The sender address is spoofed with the victim's domain name. The following file was attached to the message:

$ unzip Message_from_01422520472.wav.zip
Archive:  Message_from_01422520472.wav.zip
    testing: 197577509502.wsf         OK
No errors detected in compressed data of Message_from_01422520472.wav.zip.
$ md5sum 197577509502.wsf
f2ee33a688a45b161d3191693196cb1d  197577509502.wsf

Note the '.wav.zip' double extension, used to lure the user. As usual, the payload is heavily obfuscated and the AV detection ratio is still very low (6/55 at 11:55:00 UTC)[1].
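As an added example (not part of the diary), a mail-side check in Python that flags the two lure traits described above: an audio extension followed by .zip in the attachment name, and a script file inside the archive. The sample message is constructed here to mirror the diary's email, the .wsf member is an inert placeholder, and the script extensions beyond .wsf are a generalization to the other Windows Script Host and HTA types.

```python
import io
import os
import re
import zipfile
from email.message import EmailMessage

# Audio extension hidden in front of ".zip", as in "Message_from_...wav.zip".
DOUBLE_EXT = re.compile(r"\.(wav|mp3|wma|ogg)\.zip$", re.IGNORECASE)
# .wsf is what this wave used; the rest generalize to other WSH/HTA script types.
SCRIPT_EXT = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta"}

def inspect_attachment(filename, data):
    """Return the reasons an attachment looks like a voice-mail lure ([] if none)."""
    reasons = []
    if DOUBLE_EXT.search(filename):
        reasons.append(f"double extension: {filename}")
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    if os.path.splitext(name)[1].lower() in SCRIPT_EXT:
                        reasons.append(f"script inside archive: {name}")
        except zipfile.BadZipFile:
            reasons.append("zip attachment is corrupt or not a zip")
    return reasons

def scan_message(msg):
    """Map each suspicious attachment filename to its list of reasons."""
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hits = inspect_attachment(name, part.get_payload(decode=True) or b"")
        if hits:
            findings[name] = hits
    return findings

def build_sample():
    """Constructed message mirroring the diary's lure; the .wsf is an inert stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("197577509502.wsf", "<job></job>")  # placeholder, no script body
    msg = EmailMessage()
    msg["Subject"] = "[Vigor2820 Series] New voice mail message from 01422520472"
    msg.set_content("There is a message for you from 01422520472.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Message_from_01422520472.wav.zip")
    return msg
```

`scan_message(build_sample())` returns the single flagged attachment with both reasons; a benign PDF or a zip holding only a .wav yields nothing.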

Vigor is a UK company building residential ADSL modems[2]. This suggests that the new wave is targeting residential customers.

Here are the C2 servers (for your IDS):


[1] https://www.virustotal.com/en/file/97be73cf491cf8e4d30e0e6d9b73e95151f77b3e52813e06b2ef391fa6f26b2a/analysis/1471949327/
[2] http://www.draytek.co.uk/products/legacy/vigor-2820

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
