Adversaries are always trying to take advantage of current events to lure users into executing their malicious payload. These campaigns are usually focussed around social events and are seen on a constant basis. Today, Talos discovered a spam campaign that was taking advantage of a different type of current event.
Microsoft released Windows 10 earlier this week (July 29) and it will be available as a free upgrade to users who are currently using Windows 7 or Windows 8. This threat actor is impersonating Microsoft in an attempt to exploit their user base for monetary gain. The fact that users have to virtually wait in line to receive this update, makes them even more likely to fall victim to this campaign.
Email Message
The email message above is a sample of the type of messages that users are being presented with. There are a couple of key indicators in the message worth calling out. First, the from address, the adversaries are spoofing the email to look like it is coming directly from Microsoft (update<at>microsoft.com). This is a simple step that tries to get users to read further.
However, a quick look at the email header reveals that the message actually originated from IP address space allocated to Thailand.
Second, the attackers are using a similar color scheme to the one used by Microsoft.
Third, there are a couple of red flags associated with the text of the email. As you can see below, there are several characters that don’t parse properly. This could be due to the targeted audience, a demographic using a non-standard character set, or the character set the adversaries were using to craft the email.
Lastly, there are a couple other interesting techniques used by attackers to make the message appear authentic. One is the inclusion of a disclaimer message that looks similar to the one a user would receive from an email directly from Microsoft.
The other is a key piece of information added by adversaries that users are becoming more accustomed to seeing: an indication that the message attachment has been scanned by antivirus and appears to be a legitimate file.
This message links to a legitimate open source email filter and will trick some users into thinking the attachment is not malware.
Payload
Once a user moves past the email, downloads the zip file, extracts it, and runs the executable, they are greeted with a message similar to the following:
The payload is CTB-Locker, a ransomware variant. Currently, Talos is detecting the ransomware being delivered to users at a high rate. Whether it is via spam messages or exploit kits, adversaries are dropping a huge amount of different variants of ransomware. The functionality is standard however, using asymmetric encryption that allows the adversaries to encrypt the user’s files without having the decryption key reside on the infected system. Also, by utilizing Tor and Bitcoin they are able to remain anonymous and quickly profit from their malware campaigns with minimal risk.
Source and full report:
http://blogs.cisco.com/security/talos/ctb-locker-win10
Microsoft released Windows 10 earlier this week (July 29) and it will be available as a free upgrade to users who are currently using Windows 7 or Windows 8. This threat actor is impersonating Microsoft in an attempt to exploit their user base for monetary gain. The fact that users have to virtually wait in line to receive this update, makes them even more likely to fall victim to this campaign.
Email Message
The email message above is a sample of the type of messages that users are being presented with. There are a couple of key indicators in the message worth calling out. First, the from address, the adversaries are spoofing the email to look like it is coming directly from Microsoft (update<at>microsoft.com). This is a simple step that tries to get users to read further.
However, a quick look at the email header reveals that the message actually originated from IP address space allocated to Thailand.
Second, the attackers are using a similar color scheme to the one used by Microsoft.
Third, there are a couple of red flags associated with the text of the email. As you can see below, there are several characters that don’t parse properly. This could be due to the targeted audience, a demographic using a non-standard character set, or the character set the adversaries were using to craft the email.
Lastly, there are a couple other interesting techniques used by attackers to make the message appear authentic. One is the inclusion of a disclaimer message that looks similar to the one a user would receive from an email directly from Microsoft.
The other is a key piece of information added by adversaries that users are becoming more accustomed to seeing: an indication that the message attachment has been scanned by antivirus and appears to be a legitimate file.
This message links to a legitimate open source email filter and will trick some users into thinking the attachment is not malware.
Payload
Once a user moves past the email, downloads the zip file, extracts it, and runs the executable, they are greeted with a message similar to the following:
The payload is CTB-Locker, a ransomware variant. Currently, Talos is detecting the ransomware being delivered to users at a high rate. Whether it is via spam messages or exploit kits, adversaries are dropping a huge amount of different variants of ransomware. The functionality is standard however, using asymmetric encryption that allows the adversaries to encrypt the user’s files without having the decryption key reside on the infected system. Also, by utilizing Tor and Bitcoin they are able to remain anonymous and quickly profit from their malware campaigns with minimal risk.
Source and full report:
http://blogs.cisco.com/security/talos/ctb-locker-win10
