Breaking Badness

31. Architects of Spamnation with Graham Cluley

Here are a few highlights from each article we discussed:

Malware Developers Attempt to Spread Something More Infectious Than Laughter

  • This one was interesting because the political nature of the campaign wasn’t really highlighted in the initial phishing email at all. The email purported to be from Visa and was actually about cyber security, which I suppose is kind of ironic. The attachment was called “Security bank fraud” and tricked users into thinking it contained tips on how to avoid the very type of attack the email was carrying out. If the user opened the document, the RTF file retrieved a malicious executable called “trump.exe.” From there, it looks like the downloaded malware is the CobInt/COOLPANTS malware (or a similar variant) used by Cobalt Gang, a notorious cybercrime group.
  • The malspam campaign was one of the less political campaigns in the Talos blog post, in that only the executable was called “trump” and it didn’t have any photos or other political themes. But it’s still interesting they’d choose to name it after him, especially when the phishing email was related to financial fraud, not politics.
  • I think an interesting theme across these campaigns is actually the lack of advanced technical components involved. The second category Talos goes into detail about is “fake ransomware and screenlockers.” I think the fact that there were so many variants of “fake” ransomware that it deserved its own category is pretty telling. They show screenshots from a few variants that play on Trump or Putin themes, and all of them look dated as heck. On top of that, they just plain don’t work. One of them, for example, claims to encrypt all of your files like traditional ransomware would. However, as Talos notes, the claim was preceded by a negative number, and the sample did not encrypt anything at all. Another one simply removes the icons, taskbar, and Task Manager on the victim machine and displays its own application window in full-screen mode. So these don’t appear to be APT-level threats.
  • There were a few politically-themed campaigns that dropped real malware, such as Konni RAT and PoisonIvy. However, in these cases, the malware itself isn’t what’s political. In both cases, the decoy file (an image, Word doc, or Excel doc) had a political theme, such as a photo of a winking Putin or a document talking about Trump and North Korea.
  • All in all, none of these politically-motivated campaigns struck me as particularly advanced. However, it is worth noting that advanced groups have used political themes in the past. For example, groups known to be associated with the Russian government have used political themes in their phishing campaigns before, such as a 2016 campaign that used a Harvard email address to send an email with an attachment entitled “Why American Elections Are Flawed” that delivered malware.

I Smell a RAT: Spam Redirects To Deliver Malware

  • The delivery email itself was the first part of this charade, and it was designed to look like a normal WebEx meeting invite. The similarities don’t stop there, though. Once the victim clicks the link, it brings them to a site that looks like the legitimate Cisco site and downloads a webex.exe executable, which is exactly what a real WebEx meeting would do as well. Of course, that is where the similarities end: the executable is not the real WebEx client but malware.
  • Cisco should probably not allow this kind of open redirect from a legitimate Cisco URL. Bleeping Computer brought up a good point that this kind of invalidates the age-old advice to hover the mouse over a link before clicking, because in this instance hovering would reveal a link on a genuine Cisco domain; with an open redirect, the malicious destination is carried in the link’s redirect parameter rather than in the domain a user looks at. This definitely makes for a tricky phish, and makes it much more difficult for users to avoid infecting their machines.
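As an added illustration of the open-redirect problem (example code written for this recap, not code from Cisco, Bleeping Computer, or the campaign; the hostnames and the phishing link below are constructed placeholders, not the real URLs): the first function is the loose substring check that open redirects typically slip past, the second is an allowlist check that resolves the target before looking at its host, and the last two show why the hover advice fails, since the hovered hostname is trusted while the real destination sits in a query parameter.

```python
from urllib.parse import urlparse, parse_qs, urljoin

# Constructed placeholders: the hosts a redirect endpoint may send users to.
TRUSTED_HOSTS = {"www.example.com", "meetings.example.com"}

# Constructed example of a phishing link that abuses an open redirect on a
# trusted domain. Hovering shows www.example.com; the payload host is in ?url=.
PHISH_LINK = ("https://www.example.com/go"
              "?url=https%3A%2F%2Fevil.test%2Fwebex.exe&lang=en")


def naive_is_safe_redirect(target, trusted_suffix="example.com"):
    """The weak check behind many open redirects: 'does the trusted name
    appear anywhere in the target?'. Bypassed by look-alike subdomains,
    userinfo tricks (https://www.example.com@evil.test/) and query strings."""
    return trusted_suffix in target


def is_safe_redirect(target, allowed_hosts=TRUSTED_HOSTS,
                     base="https://www.example.com/"):
    """Allowlist check: resolve the target against the site's own base URL,
    then accept only https targets whose hostname is explicitly allowed.

    Resolving first matters: '/login' becomes https://www.example.com/login
    (accepted), while the protocol-relative '//evil.test/x' becomes
    https://evil.test/x and is rejected by the hostname test.
    """
    if not target:
        return False
    parts = urlparse(urljoin(base, target))
    if parts.scheme != "https":          # also rejects javascript:, data:, http:
        return False
    # .hostname lowercases and drops userinfo and port, so
    # 'www.example.com@evil.test' yields 'evil.test', not the trusted name.
    return parts.hostname in allowed_hosts


def hover_shows_trusted_host(url, trusted_hosts=TRUSTED_HOSTS):
    """What the 'hover before you click' advice actually checks: the hostname
    of the link itself. For an open-redirect link this is the trusted host."""
    return urlparse(url).hostname in trusted_hosts


def find_external_targets(url, trusted_hosts=TRUSTED_HOSTS):
    """The check a user or analyst would really need: pull every query
    parameter value that is itself an absolute URL pointing off the trusted
    hosts. Returns a list of (parameter, destination) pairs."""
    found = []
    for key, values in parse_qs(urlparse(url).query).items():
        for value in values:
            t = urlparse(value)
            if t.netloc and t.hostname not in trusted_hosts:
                found.append((key, value))
    return found


if __name__ == "__main__":
    for target in ("/login", "//evil.test/webex.exe",
                   "https://www.example.com.evil.test/",
                   "https://www.example.com@evil.test/"):
        print(f"{target!r}: naive={naive_is_safe_redirect(target)} "
              f"allowlist={is_safe_redirect(target)}")
    print("hover check passes:", hover_shows_trusted_host(PHISH_LINK))
    print("real destinations:", find_external_targets(PHISH_LINK))
```

The allowlist version deliberately refuses anything that is not https on a listed host, so a redirect endpoint using it cannot be pointed at an attacker's download; on the user side, `find_external_targets` is the part of the hover check that actually matters for a link like the one Bleeping Computer described.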

Graham Cluley’s Two Truths and a Lie

Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with, called two truths and a lie, with a fun twist. Each week, one of us will come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE. This week, we are playing the old-fashioned game with Graham Cluley.

You’ll have to tune in to find out!

This Week’s Hoodie/Goodie Scale

Malware Developers Attempt to Spread Something More Infectious Than Laughter

[Graham]: 2/10 Hoodies
[Emily]: 2/10 Hoodies

I Smell a RAT: Spam Redirects To Deliver Malware

[Graham]: 5/10 Hoodies
[Emily]: 4/10 Hoodies

Graham and Emily, thank you so much for taking the time to have this discussion. I appreciate your insights into the articles and the cheeky round of two truths and a lie. Be sure to tune in to Smashing Security, hosted by Graham Cluley and Carole Theriault.

That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!