{"id":16553,"date":"2022-07-06T16:54:09","date_gmt":"2022-07-06T16:54:09","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?page_id=16553"},"modified":"2023-04-06T09:49:42","modified_gmt":"2023-04-06T09:49:42","slug":"tracking-documents-cmsharpscan-word-doc-malware-locky-ransomware","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/tracking-documents-cmsharpscan-word-doc-malware-locky-ransomware\/","title":{"rendered":"Tracking Documents Cmsharpscan \u2013 Word Doc Malware -locky Ransomware"},"content":{"rendered":"
An email with the subject of "tracking documents", pretending to come from cmsharpscan3175@gmail.com <cmsharpscan6395@gmail.com> and carrying a malicious Word doc or Excel XLS spreadsheet attachment, is another one from the current bot runs, which try to download various Trojans and password stealers, especially banking Trojans like Dridex or Dyreza and ransomware like CryptoLocker or TeslaCrypt.
They are using email addresses and subjects that will scare or entice a user into reading the email and opening the attachment. A very high proportion are being targeted at small and medium-sized businesses, in the hope of getting a better response than they do from consumers.
The email looks like:
From: cmsharpscan3175@gmail.com <cmsharpscan6395@gmail.com>
Date: Wed 17/02/2016 12:39
Subject: tracking documents
Attachment: cmsharpscan@gmail.com_20160217_132046.docm
Body content:

    Reply to: cmsharpscan@gmail.com <cmsharpscan@gmail.com>
    Device Name: Not Set
    Device Model: MX-2640N
    Location: Not Set
    File Format: DOC (Medium)
    Resolution: 200dpi x 200dpi
    Attached file is scanned image in DOC format.

Screenshot: NONE

You can now send any suspicious files for examination by the antivirus companies via our submission system.

25 February 2016: cmsharpscan@gmail.com_20160217_132046.docm
Current VirusTotal detections:
MALWR shows us connections to several sites where Locky ransomware is delivered and info sent back: http://olvikt.freedomain.thehost.com.ua/admin/js/7623dh3f.exe (VirusTotal)

Previous campaigns over the last few weeks have delivered 5 or 6, and quite often up to 10 or 12, different versions, some with Word doc attachments and some with Excel XLS attachments. There are frequently 5 or 6 download locations, all delivering exactly the same malware. Dridex does update at frequent intervals during the day, so you might get a different version of this nasty banking and password-stealing Trojan.

All the alleged senders, companies, names of employees, phone numbers, amounts, reference numbers etc. mentioned in the emails are innocent and are just picked at random. Some of these companies will exist and some won't. Don't try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and other organisations, with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

This email attachment contains what appears to be a genuine Word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that, when run, will infect you.

Modern versions of Microsoft Office, that is Office 2010, 2013, 2016 and Office 365, should be automatically set to higher security to protect you.

By default Protected View is enabled and macros are disabled, UNLESS you or your company have enabled them. If Protected View is turned off and macros are enabled, then opening this malicious Word document will infect you, and simply previewing it in Windows Explorer or your email client might well be enough to infect you. Definitely DO NOT follow the advice they give to enable macros or enable editing to see the content.

Most of these malicious Word documents either appear to be totally blank or look something like these images when opened in Protected View mode, which should be the default in Office 2010, 2013, 2016 and 365. Some versions pretend to have a digital RSA key and say you need to enable editing and macros to see the content. Do NOT enable macros or editing under any circumstances.