Hi Chip,

On Thu, Apr 21, 2016 at 9:33 AM, Chip M. <sa_c...@iowahoneypot.com> wrote:
> Starting about two hours ago, about 40% of my real-time
> honeypot spam is a new malware campaign.  About a third are
> hitting "BAYES_00", with about 10% of all having negative SA
> scores. :(
>
> Full spample (with munged email addresses):
>         http://puffin.net/software/spam/samples/0040_mal_tgz.txt
> That's not a valuable honeypot address, so I've left everything
> else as-is, including the Message-ID.
>
> So far, all of these have the _EXACT_ same Message-ID, From,
> and Reply-To.  I expect all to change, but they may be useful
> for quick block rules.  The From account is "FSPRD" and the
> From base domain is "covance".
>
> The filenames are all the same length, pure numeric with three
> leading zeroes.  Here are a few examples:
>         0006449538.tgz
>         0007184777.tgz
>         0008205464.tgz
>         0007565676.tgz
>         0008113861.tgz
>         0001457696.tgz
>         0007535057.tgz
>         0008403752.tgz
>         0009470013.tgz
>
>
> I'm blocking these by file extension (both ".tgz" and ".gz" to
> be extra cautious).
> A couple of years ago, I added a "mime prefix" rule to my post-SA
> filter, and have added rules using that, in case the spammers try
> the old trick of asking victims to rename the file.
>
> I tried opening a benign ".gz" in Windows7, and it didn't
> recognize it, but other versions may.  These may be targeting
> other platforms (e.g. I recently learned that Chrome OS has native
> support for "rar" extraction, which may explain the recent rise of
> rar javascript email malware).
>
> I've only taken a quick look at the payload.  It's javascript, but
> definitely different from past campaigns.
>
> I've been seeing a high level of "calibration" spam for over a
> week, so I suspect this is a new botnet going live. :(
>         - "Chip"

Thanks so much for posting this. Looks like we've received a handful
of these as well; thankfully, all of them were blocked:

X-Amavis-Alert: INFECTED, message contains virus:
        Sanesecurity.Malware.26070.JsHeur.UNOFFICIAL

You may also want to block on subject:

Subject: Dispatched Purchase Order

Regards,
Alex
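The thread describes three defensive checks: blocking by attachment extension, a "mime prefix" (file magic) check so that a renamed archive is still caught, and a subject match. The following is an added example of such a post-filter check written in Python; it is not SpamAssassin's rule syntax and not code from either poster. The message it parses is constructed inline with `example.invalid` addresses; only the subject line and the filename shape come from the thread. The gzip magic bytes (`1f 8b`) are a known fact about the format, not something the posts state.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Hypothetical block lists mirroring the thread: extensions and subject.
BLOCKED_EXTENSIONS = {".tgz", ".gz"}
BLOCKED_SUBJECTS = {"dispatched purchase order"}

# Campaign filenames: ten digits, three leading zeroes, ".tgz" extension.
CAMPAIGN_NAME_RE = re.compile(r"^000\d{7}\.tgz$", re.IGNORECASE)

# gzip streams start with 1f 8b; checking the decoded payload rather than the
# name is the "mime prefix" idea, so a renamed archive is still flagged.
GZIP_MAGIC = b"\x1f\x8b"


def check_message(raw: bytes) -> list[str]:
    """Return the list of reasons a message would be blocked (empty if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    subject = (msg["Subject"] or "").strip().lower()
    if subject in BLOCKED_SUBJECTS:
        reasons.append(f"subject:{subject}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lower = name.lower()
        ext = lower[lower.rfind("."):] if "." in lower else ""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"ext:{name}")
        if CAMPAIGN_NAME_RE.match(name):
            reasons.append(f"pattern:{name}")
        # Decode the transfer encoding and look at the first bytes.
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(GZIP_MAGIC):
            reasons.append(f"magic:gzip:{name}")

    return reasons


def build_sample(filename: str, subject: str, data: bytes) -> bytes:
    """Constructed test message (not a real spample) with one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # A renamed archive: extension and name pattern miss, the magic check hits.
    print(check_message(build_sample("0006449538.txt", "Hello",
                                     b"\x1f\x8b\x08\x00constructed")))
```

The magic-byte check is the one that survives the "please rename the file" trick mentioned in the thread; the extension and subject checks are cheap and catch the campaign as observed, but they are the ones a sender can change between waves.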
