Blank email Receipt malspam delivers Locky Thor version — 2 Comments

  1. The latest incarnations of malspam are all up to Microsoft being ‘clever’ and letting us embed things in Microsoft documents.
    It’s called OLE or Object Linking and Embedding. You can embed (or add) an image to a document. This creates the possibility of embedding bad things in documents. Microsoft should have limited this to nice things (pictures, sounds)… nice things
    Instead, these miscreants are embedding PowerShell scripts with .lnk file extensions that go and download Locky and run it, docx files with embedded doc files that were the same as the previous bad things, but there is a difference. The new ones are docx with embedded code. docx files are a zipped container. Zipping a file makes it inherently random at the binary level and harder to detect.
    I have been taking these things apart for a while now, and the antivirus companies seriously need to catch up.
    If you get a file in with any of these in the raw email data, consider screening it:
    Format is base64 and what it decodes to:

    cy9vbGVPYmplY3QxLmJpbu
    s/oleObject1.bin

    Z3Mvb2xlT2JqZWN0MS5iaW7
    gs/oleObject1.bin

    L29sZU9iamVjdDEuYmlu
    /oleObject1.bin

    If you have no protection, this is a start. I am hoping the bad actors see this and stop trying this method.
    People with legitimate emails will embed stuff and this will flag up.
    I have sent all samples I have to Sophos, Kaspersky and virustotal. Let me know if you want me to send samples anywhere else.
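The three strings in the comment above are the same path, `/oleObject1.bin`, encoded at the three possible base64 byte alignments (base64 maps every 3 bytes to 4 characters, so the text produced for a given byte string depends on where it starts relative to a 3-byte boundary). The script below is an added example, not the commenter's code: `base64_alignments` derives those three fragments for any byte string, trimming the characters that also depend on the unknown neighbouring bytes, and `scan_raw_email` applies them to raw MIME text the way the comment suggests, after joining the 76-column base64 lines so a fragment that straddles a line break is not missed. The sample message and the docx-like attachment are constructed inline; the `word/embeddings/` entry name is an assumption consistent with the `gs/oleObject1.bin` decoding shown above.

```python
import base64
import re


def base64_alignments(needle: bytes) -> list[str]:
    """Return the base64 fragments that every encoding of data containing
    `needle` must include, one for each of the three byte alignments.

    Characters that mix bits of `needle` with bits of the bytes before or
    after it are trimmed, so each fragment depends on `needle` alone."""
    fragments = []
    for offset in range(3):
        # Dummy prefix bytes shift `needle` to the desired alignment.
        encoded = base64.b64encode(b"\x00" * offset + needle).decode("ascii").rstrip("=")
        lead = (0, 2, 3)[offset]                         # chars influenced by the prefix
        tail = 1 if (offset + len(needle)) % 3 else 0    # char shared with the next byte
        fragments.append(encoded[lead:len(encoded) - tail])
    return fragments


# A run of lines made only of base64 characters (a MIME base64 body).
_B64_RUN = re.compile(r"(?:^[A-Za-z0-9+/=]{4,}\r?\n?)+", re.M)


def scan_raw_email(raw_email: str, needle: bytes = b"/oleObject1.bin") -> list[dict]:
    """Screen raw MIME text for any base64 body that encodes `needle`.

    MIME wraps base64 at 76 columns, so each run of base64 lines is joined
    before searching; the result records which alignment matched."""
    fragments = base64_alignments(needle)
    hits = []
    for run in _B64_RUN.finditer(raw_email):
        joined = re.sub(r"\s+", "", run.group(0))
        for alignment, fragment in enumerate(fragments):
            index = joined.find(fragment)
            if index != -1:
                hits.append({"run_start": run.start(), "alignment": alignment,
                             "fragment": fragment, "char_index": index})
                break
    return hits


def sample_attachment(pad: int) -> bytes:
    """Constructed stand-in for a docx (zip) container: local-file-header
    magic, `pad` filler bytes, then the name of an embedded OLE object.
    Changing `pad` moves the name across the three base64 alignments."""
    return b"PK\x03\x04" + b"\x00" * pad + b"word/embeddings/oleObject1.bin" + b"\x00" * 5


def build_sample_email(attachment: bytes) -> str:
    """Constructed sample: a minimal MIME message carrying `attachment` as a
    base64 body wrapped at 76 columns, as mail clients emit it."""
    body = base64.encodebytes(attachment).decode("ascii")
    return ("From: sender@example.invalid\r\n"
            "Subject: Receipt\r\n"
            'Content-Type: application/octet-stream; name="Receipt.docx"\r\n'
            "Content-Transfer-Encoding: base64\r\n"
            "\r\n" + body)


if __name__ == "__main__":
    for alignment, fragment in enumerate(base64_alignments(b"/oleObject1.bin")):
        print(f"alignment {alignment}: {fragment}")
    for pad in (30, 31, 32):
        print(pad, scan_raw_email(build_sample_email(sample_attachment(pad))))
```

Running it prints the three fragments, which are substrings of the three strings listed in the comment, and one hit per constructed message at alignments 1, 2 and 0 respectively. Two limits apply: as the comment itself notes, any legitimate document with an embedded object produces the same fragments, so a hit is a reason to inspect rather than a verdict, and the scan only sees base64 transfer-encoded bodies, so an attachment nested in a further archive is not covered.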
