![]() ![]() Using OfficeMalScanner, we can extract the malicious macro from the Word document. Shown above: Document from the malspam opened in Microsoft Word. If macros are enabled, the document will try to drop malware and infect the Windows host. Shown above: Email headers from the malspam. Looking at the email headers, you'll find the recipient's email server received the message from a Unified Layer IP address at 67.222.39.168. The attached Word document is the only malicious part of the message. ![]() Links in the email all went to the appropriate eFax URLs. (You know who you are!)ÄĞelow is a screenshot from the malspam example Wayne sent us. Our thanks to Wayne who provided the sample. I like to document these, if only to remind people the spammers and botnets are still pushing out this sort of malware. From what I can tell, the malware we found is being used in other themed malspam campaigns, not just eFax-themed. It was just another Word document -> enable macros -> Pony downloader -> follow-up malware. But I haven't seen much Dridex since key players behind Citadel and Dridex were arrested in late August 2015 . Those eFax-themed malspam containing Word documents are not new, but the person submitting the example thought it might be Dridex. Earlier this week, someone sent the ISC an example of eFax-themed malspam with an attached Word document. ![]() Malicious spam (malspam) impersonating eFax is old news, yet we still occasionally see it. ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
March 2023
Categories |