The file was also analysed with jsdetox and jsunpack, and neither detected anything. The same file name has most likely been analysed on VirusTotal before, which lists the vendor detections and the related links/IOCs. Below are the file details:
The JS could not be executed because, by default, Windows Script Host only runs scripts of 1022 characters or less. This can be changed, but the solution is beyond the scope of this article.
The sender address and the language are quite convincing, but the malware/JS is old and poorly written. The attachment is a zip containing a single JS file, and the malware is widely known.
Endpoint protection – almost all corporate organisations already have it.
Email gateway tuning – the gateway must be tuned so that emails of this type are classified as spam; most properly tuned gateways will already do so. The sender email address and IP mentioned above can be added to the block lists on the security devices.
I thought I would start the new year with a blog post about spam impersonating Australian giants – Woolworths, JB HiFi, Flight Centre, Bunnings etc.
Although we are on holiday, attackers are not. Holiday time is in fact a very good time to target organisations, as most staff are enjoying meals at home with their families while companies run on skeleton resources. Let's analyse the emails. The screenshots follow:
The screenshot above shows the impersonated Australian vendors.
Myer – Win a Myer voucher. Sender: email@example.com
All of the emails have one sender country in common – Germany.
The unsubscribe address is PO Box 1960 #22445 Wilmington, DE 19899.
The phishing attempt appears generic, aimed simply at harvesting private information from users, especially email addresses.
No attempt to drop malware was identified from the links.
Organisations should be on the lookout for any use of their brand name to deceive users into providing personal information. Because users trust these organisations, it is the organisation's responsibility to have proper brand monitoring in place, or outsourced, so that phishing campaigns using their names can be identified and shut down.
Security awareness training for all users is also important, so that they do not click on links in unsolicited emails.
I received an interesting email yesterday from a Mr. Gordon Hills from London, who wanted me to be his partner so that 5 million dollars could be released to me. Sometimes it does feel like someone should give me money 🙂
The email seems to be a template and could be broadcast across the internet. It is interesting to see that the sender email is hidden. The technique is not new but is still being used; there are a lot of anonymous email services that can be used to do the same. Looking through the header, I was able to find the originating IP as 18.104.22.168 – mail-ma1ind01hn0221.outbound.protection.outlook.com. The IP is blacklisted on multiple sites.
When we hit reply, the email is supposed to go to firstname.lastname@example.org. From the header, the originating IP for the email is 22.214.171.124, which is again blacklisted on Spamhaus.
The email has no attachments or URLs. The attempt is likely to collect personal information for a follow-up campaign.
Malicious and spam emails are common, and remain one of the most effective ways to get a system/host infected.
Recently I received an email from one of Australia's Big 4 banks – Westpac.
The very first thing: I am not a customer, so it was definitely a phishing scam.
The actual email is a bit unprofessional. The URL ends with Bankingx. The email is coming from email@example.com. Looking at the email headers, the originating IP address is 126.96.36.199. The headers also show that the email came from IP 188.8.131.52. Both IP addresses geolocate to Kenya.
Email, as we know, is a very efficient way to communicate without physically visiting the intended recipient. Email has been with us for many years, and its original purpose was to reduce the time and effort of communication.
But email is now heavily used for social engineering and phishing. Forget the good old days when you received emails only from known parties; now even a Nigerian prince has your email address and wants to give you money.
As a security researcher and SOC analyst, I have noticed that email is the top and most used channel for delivering these malicious files. It's like yelling the name John in a crowd: somebody will eventually respond.
Detecting suspicious emails?
Language – typos and grammatical errors are usually present, although sometimes they are not.
Sender domain – may contain a typo (a look-alike of the real domain), or may be a legitimate domain that has been abused.
Links – hover your mouse over the embedded links in the email and you will see that they point to an unrelated site.
Attachment – file names that closely mimic real documents, or are otherwise suspicious.
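The following script is an added example, not code from the original posts: it automates the checks listed above and the header work done on the scam and bank emails earlier, namely walking the Received chain to find the originating IP, comparing the From and Reply-To domains, finding links whose visible text and real target (what you see on hover) disagree, and flagging suspicious attachment names. The sample message, its hostnames, addresses and IPs are all constructed for this example and are not the emails discussed above.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RISKY_EXT = {".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr", ".zip"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}

# Constructed sample lure (added example, not the original email): all hosts,
# addresses and IPs are documentation values, not real infrastructure.
SAMPLE_EMAIL = b"""Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbound.example.com with ESMTP id abc123; Mon, 2 Jan 2017 09:12:01 +1100
Received: from smtp.bulk-sender.example (smtp.bulk-sender.example [198.51.100.7])
\tby mx.example.net with ESMTP; Mon, 2 Jan 2017 09:11:58 +1100
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby smtp.bulk-sender.example with SMTP; Mon, 2 Jan 2017 09:11:50 +1100
From: "Westpac Online" <alerts@westpac-secure.example>
Reply-To: recover@attacker.example
Subject: We noticed a suspicious transaction on your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="http://198.51.100.7/login/Bankingx">https://www.westpac.com.au/</a>
to change your password.</p></body></html>
"""


def received_chain_ips(msg):
    """Connecting-client IP per Received header, newest hop first; the last
    entry is the earliest visible hop, i.e. the originating IP. Only hops
    added by servers you trust are reliable: a sender can pre-fill fake
    Received lines below the ones your own gateway adds."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IPV4.search(str(hdr))
        if m:
            ips.append(m.group(1))
    return ips


def sender_domains(msg):
    """From and Reply-To domains; a Reply-To elsewhere means replies go to
    the attacker, not to the displayed sender."""
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")) or from_addr)
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()
    return from_dom, reply_dom, from_dom != reply_dom


class _Anchors(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def link_mismatches(html):
    """Links whose visible text names one host but whose real target (what
    you see when hovering) is another, or whose target is a bare IP."""
    p = _Anchors()
    p.feed(html)
    flagged = []
    for text, href in p.links:
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        looks_like_url = "." in text and " " not in text
        if IPV4.fullmatch(href_host) or (looks_like_url and text_host != href_host):
            flagged.append((text, href))
    return flagged


def flag_attachment_name(name):
    """Reasons a file name is suspicious: script/executable/archive extension
    or a double extension such as 'invoice.pdf.js'."""
    parts = name.lower().rsplit(".", 2)
    reasons = []
    if len(parts) > 1 and "." + parts[-1] in RISKY_EXT:
        reasons.append("risky extension ." + parts[-1])
    if len(parts) == 3 and "." + parts[-2] in DOC_EXT:
        reasons.append("double extension")
    return reasons


def triage(raw_bytes):
    """Run every check over one raw RFC 822 message and return the findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    ips = received_chain_ips(msg)
    from_dom, reply_dom, mismatch = sender_domains(msg)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    attachments = {p.get_filename() or "(unnamed)": flag_attachment_name(p.get_filename() or "")
                   for p in msg.iter_attachments()}
    return {"originating_ip": ips[-1] if ips else None, "received_ips": ips,
            "from_domain": from_dom, "reply_to_domain": reply_dom,
            "reply_to_mismatch": mismatch, "link_mismatches": link_mismatches(html),
            "attachments": attachments}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Feed it a real message saved as .eml (`triage(open("mail.eml", "rb").read())`) to get the same findings. The originating IP it reports is only as trustworthy as the Received headers above it: treat the hops added by your own gateway as fact and everything below them as claims the sender could have forged, then check the candidate IP against Spamhaus or another block list as done in the posts above.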
The best way to fight this is user awareness. Email exploits the most vulnerable entity – the HUMAN, a mind in which curiosity inevitably kills the cat.
Attackers thrive on two human characteristics – FEAR and CURIOSITY.
FEAR – "We have noticed a suspicious transaction on your account. Please click this link to change your password."
CURIOSITY – "Sorry we missed you; we have a package waiting for you. Please open the attached file for more information." There is indeed a package, but it is for your PC – malware, I mean 🙂
Other ways to detect:
Mail gateways with proper monitoring.
DLP – can be used to monitor email content.