Malware Payloads

Chapa NO MALWARE

I’ve noticed a lot of malicious emails coming through to one of my addresses lately – interestingly enough not at Gmail, which may even filter these things out before they are even sent to Spam – but to one of my private email addresses. Here are two examples:

Dear info,

Many thanks for your card payment. Please find payment confirmation attached below. Should you have any queries, please do not hesitate to contact Credit Control Team.

Best regards

Dena Carpenter
Director Audit Services
Attachment: 851E2_info_43A8AE.rar
And this one:
Dear info,
Please check the bill in attachment.
In order to avoid fine you have to pay in 48 hours.
Best regards
Antonia Snider
Executive Director Sales Account Management Training Performance Support
Attachment: info_e-bill_669770.zip
Both of these emails came with compressed attachments, one a .zip file and one a .rar file. Inside each was a document with the extension “.js,” meaning it’s a javascript file which would automatically run once the file was clicked on to see the “invoice”or “bill.”

DO NOT DO THIS.

From Microsoft’s Malware Protection Center:

Payload: Downloads malware or unwanted software

This threat can download other malware and unwanted software onto your PC. We have seen it download the following threats:

  • PWS:Win32/Fareit
  • Ransom:Win32/Crowti.A

Connects to a remote host

We have seen this threat connect to a remote host, including:
  • davis1.ru using port 80
Malware can connect to a remote host to do any of the following:

  • Check for an Internet connection
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker
  • Search for your PC location
  • Upload information taken from your PC
  • Validate a digital certificate

We have seen this threat access online content, including:

  • two.jpg
  • one.jpg

Another similar threat is 097M/Donoff. This Microsoft Article shows many types of emails that are being sent out to try to get people to run this malware. One of my emails contained Win32/Penzievs, which is so new that Microsoft has no technical details on it yet.

Working at Carbonite™, we have seen many customers who have been infected by the Cryptolocker virus and similar encryption programs. Almost all of these vicious payloads come as email attachments that are opened by the unwary. While having good anti-virus protection and a rcloud-based backup system that protects multiple versions of your files is good insurance, the best procedure is never to open attachments from unknown sources, no matter how legitimate they look. Especially always avoid “.exe,” “.com,” “.zip,” and “.rar” files.

Be careful out there. Protect yourself and your loved ones.

The Old Wolf has spoken.

 

2 responses to “Malware Payloads

  1. As an I.T. contractor every week I see a collection of emails like this. A wave of new Trojans/viruses are being delivered via emails which look identical to those which you’d think were sent out by famous companies: FedEx, UPS, Docusign, DHL, LogMeIn, mortgage companies, plus the many well-known banks which have online banking.

    They try to use name-brand recognition to create a false sense of security for the attachments they include. Trust me, this tactic works really well since the texts in the message seems appropriate enough for the expected company that’s sending the email. What’s that, I have a package? I’d better double-click the tracking document. What’s that, my boss has sent me a signed document that I’m supposed to read? I’d better double-click that. Every week I get to face-palm from the people who do this.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s