Malware delivered via Necurs botnet by DDE feature in Microsoft Word — 4 Comments

  1. We have a client with cloud-based Barracuda ESS that got hit with this overnight. First thing this morning, our support box got blown up with “Is this spam?” emails from their employees. Ironically enough, every one of the employees who emailed us to ask about it… opened the attachment. Each email was followed up 5-10 minutes later by a Webroot Threat Alert email for the terminal server with THEIR username listed… -_-

    We’re still waiting to hear back from Barracuda Support on why those emails weren’t blocked. However, header analysis shows that an unspecified error happened during SPF lookup:

    Received-SPF: error ( error in processing during lookup of NIL)

    The client’s SPF records are good and I find it very hard to believe that it’s a coincidence that the only emails in which this error occurred are from a targeted attack. Is it possible that the emails are also ‘exploiting’ something in the SPF check process in order to bypass email security? Perhaps something in the header? We’ll see what Barracuda has to say…

    • In my experience with this one, Barracuda cloud caught the majority of them, but a few still got through. Maybe they were new email addresses; the majority of the ones that were caught in my case were due to a “Barracuda Reputation”, which means to me they have been used in a campaign before.

      • Yep, that’s what the logs look like. New bots that don’t have a reputation score didn’t get blocked. However most of those were “Rejected” because the recipient address was randomly generated or dictionary based and the Exchange server rejected it as “User does not exist.”

        So in order to get through, the emails had to be sent by unused bots AND had to be sent to users that actually exist. On that note… Executives and upper management seemed to be the only users that actually got the emails. This suggests that the actors pooled all of the fresh bots and saved them for higher-value targets.

        We heard back from Barracuda about the emails that got through. They were apparently experiencing an issue with the backend service that performs SPF record checks. This has since been resolved. Furthermore, they’ve updated their virus definitions to include this variation.

        We were getting ~5 emails per minute from 06:08 – 12:38 EST with this campaign.
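The thread above turns on one header line: the gateway recorded an SPF "error" and the mail was delivered anyway. The following is an added example (not code from the blog post or from any of the commenters, and not Barracuda's logic) showing how a mail filter or a header-triage script can parse `Received-SPF` values per RFC 7208 section 9.1 and fail closed on anything that is not a clean `pass`. The bare term `error` is not one of the seven RFC 7208 result terms, so it is treated as unrecognized and held for review rather than passed through. The first sample header is the one quoted in the thread; the other headers and addresses are constructed for the example.

```python
"""Parse Received-SPF headers (RFC 7208 section 9.1) and triage the result.

Added example. Sample headers below are constructed, except the first,
which is the line quoted in the comment thread.
"""
import re
from dataclasses import dataclass

# Result terms defined by RFC 7208 section 2.6. Anything else, such as the
# bare "error" the gateway in the thread wrote, is an unrecognized term.
RFC7208_RESULTS = {"pass", "fail", "softfail", "neutral", "none",
                   "temperror", "permerror"}

# result, optional parenthesised comment, then "key=value;" pairs
HEADER_RE = re.compile(
    r"^\s*(?P<result>[A-Za-z]+)\s*(?:\((?P<comment>[^)]*)\))?\s*(?P<rest>.*)$",
    re.S,
)


@dataclass
class SpfVerdict:
    result: str      # lower-cased result term as written by the gateway
    comment: str     # free-text comment inside the parentheses, if any
    props: dict      # key/value pairs such as client-ip, envelope-from, helo
    recognized: bool  # True only if the term is one RFC 7208 defines


def parse_received_spf(value: str) -> SpfVerdict:
    """Parse the value part of a Received-SPF header (text after the colon)."""
    m = HEADER_RE.match(value)
    if not m:
        raise ValueError(f"unparseable Received-SPF value: {value!r}")
    result = m.group("result").lower()
    comment = (m.group("comment") or "").strip()
    props = {}
    for part in m.group("rest").split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            props[key.strip().lower()] = val.strip()
    return SpfVerdict(result, comment, props, result in RFC7208_RESULTS)


def unfold_headers(raw: str) -> list:
    """Unfold RFC 5322 folded header lines into one 'Name: value' string each."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()   # continuation of previous header
        elif line.strip():
            lines.append(line)
    return lines


def triage(v: SpfVerdict) -> str:
    """Map an SPF verdict to a filter action; anything error-like is held."""
    if v.result == "pass":
        return "accept"
    if v.result == "fail":
        return "reject"
    if v.result in ("softfail", "neutral", "none"):
        return "review"
    # temperror, permerror, or an unrecognized term like "error":
    # the check did not succeed, so never treat it as a pass.
    return "hold"


def triage_message(raw_headers: str) -> str:
    """Find the first (outermost) Received-SPF header and triage on it."""
    for h in unfold_headers(raw_headers):
        name, sep, val = h.partition(":")
        if sep and name.strip().lower() == "received-spf":
            return triage(parse_received_spf(val))
    return "hold"   # no SPF evaluation recorded at all: also fail closed


# Constructed sample header blocks (the first Received-SPF line is the one
# quoted in the thread; addresses are documentation ranges / example domains).
SAMPLE_MESSAGES = {
    "thread_error": (
        "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
        "Received-SPF: error ( error in processing during lookup of NIL)\n"
        "From: invoice@example.org\n"
    ),
    "clean_pass": (
        "Received-SPF: pass (mx.example.net: domain of sender@example.com\n"
        "  designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;\n"
        "  envelope-from=sender@example.com; helo=mail.example.com;\n"
        "From: sender@example.com\n"
    ),
    "dns_timeout": (
        "Received-SPF: temperror (DNS timeout) client-ip=198.51.100.7;\n"
        "  envelope-from=x@example.org;\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(f"{label:>13}: {triage_message(raw)}")
```

The design choice worth noting is that `triage` has no path by which an SPF error becomes an accept: a DNS failure, a malformed record, or a term the parser does not recognize all land in `hold`, which is where the thread's messages should have gone while the gateway's lookup backend was broken. The folded `pass` header in the samples also exercises `unfold_headers`, since real gateways routinely wrap long `Received-SPF` values across several lines.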
