Received another suspicious email with a "Resumé" attachment just now.

No password version.

I renamed the file:

XXXXJohn Smith Resume.xls

Send it to VirusTotal. Only ONE engine of many detected this thing.


TACHYON == Trojan/XF.Downloader.Gen


I looked inside the file and noticed a few clues in the clear (but I obscured a few things here with #### so no one inadvertently clicks on a link):

C:\XTHbSJX\hQPDpQm\yNuMyDc.dl

http://march262020.####/files/bot.dll

URLDownloadToFileA

http://march262020.####/files/bot.dll

rundll32.exe,DllRegisterServer

http://march262020.####/files

CreateDirectory

ShellExecute

/bot.dll

Excel 4.0 Macros


Very telling! Seems to me, that the simplest infection mechanism can still find
an unsuspecting victim.

The domain reference above pointed to:

Source: whois.apnic.net (APNIC serves the Asia Pacific region)
IP Address: 170.106.11.8

But it arrived via Germany:

X-EN-OrigIP: 194.25.134.80 <== via RIPE
Received: from fwd17.aul.t-online.de (fwd17.aul.t-online.de [172.20.27.64])
Received: from t-online.de ([64.145.94.242]) by fwd17.t-online.de

Sneaky buggers, eh?

--- TB68.4.1/Win7
* Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)

Re: another one phishing for a bite
By: August Abolins to All on Tue Mar 31 2020 22:02:01

(but I obscured a few things here with #### so no one inadvertently clicks

on a link):

just change http to hxxp or similar ;)


)\/(ark
--- SBBSecho 3.10-Linux
* Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)

Hello mark!

** 31.03.20 - 15:58, mark lewis wrote to August Abolins:

(but I obscured a few things here with #### so no one inadvertently
clicks on a link):

just change http to hxxp or similar ;)

Six or one half dozen of the other. :)

I actually contemplated obfuscating the http:// part, but obviously I
changed my mind.


../|ug

--- OpenXP 5.0.43
* Origin: /|ug's Point, Ont. CANADA (2:221/1.58)

Re: another one phishing for a bite
By: August Abolins to mark lewis on Tue Mar 31 2020 16:59:00

(but I obscured a few things here with #### so no one inadvertently
clicks on a link):

just change http to hxxp or similar ;)

Six or one half dozen of the other. :)

not really because now others of us cannot look up that information and set blocks or filters in our IDS/IPS ;)

I actually contemplated obfuscating the http:// part, but obviously I changed my mind.

i guess... we cannot see that from here ;) LOL


)\/(ark
--- SBBSecho 3.10-Linux
* Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)

Hello mark!

** 31.03.20 - 18:30, mark lewis wrote to August Abolins:

(but I obscured a few things here with #### so no one inadvertently
clicks on a link):

just change http to hxxp or similar ;)

Six or one half dozen of the other. :)

not really because now others of us cannot look up that information and
set blocks or filters in our IDS/IPS ;)

Oh.. I see. Good point. But couldn't http://march262020.* work in a filter?

But, FYI, replace "####" with "club". No point keeping it a secret if
the goal is to help protect others.

BTW, although it is far easier to just drop the phishing email/attachment with the delete key, we can parse the file, extract the clear-text and
share the http:// strings found therein.

Obviously, the macro in the original .xls file relied on Excel functions
to run a macro to fetch a bot from a website and launch the payload.


../|ug

--- OpenXP 5.0.43
* Origin: /|ug's Point, Ont. CANADA (2:221/1.58)

Re: another one phishing for a bite
By: August Abolins to mark lewis on Tue Mar 31 2020 20:33:00

not really because now others of us cannot look up that
information and set blocks or filters in our IDS/IPS ;)

Oh.. I see. Good point. But couldn't http://march262020.* work in a

filter?


that depends on the language used... IDS/IPS do not use DOS style... neither does clamav, dspam, or similar content scanners...

But, FYI, replace "####" with "club". No point keeping it a
secret if the goal is to help protect others.

thanks...

BTW, although it is far easier to just drop the phishing
email/attachment with the delete key, we can parse the file,
extract the clear-text and share the http:// strings found
therein.

or our content scanner can detect the byte sequences and pass or fail the item...

Obviously, the macro in the original .xls file relied on Excel
functions to run a macro to fetch a bot from a website and launch
the payload.

yep... this is why the setting to allow macros and/or executing startup macros should be OFF these days...


)\/(ark
--- SBBSecho 3.10-Linux
* Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)

On 01/04/2020 9:36 a.m., mark lewis : August Abolins wrote:

 AA>> Obviously, the macro in the original .xls file relied on Excel
 AA>> functions to run a macro to fetch a bot from a website and launch
 AA>> the payload.

yep... this is why the setting to allow macros and/or executing startup macros should be OFF these days...

OFF seems to the default in Excel 2007:

[+] Disable all macros except digitally signed macros This setting is the same as the Disable all macros with notification option, except that if the macro is digitally signed by a trusted publisher, the macro can run if you have already trusted the publisher. If you have not trusted the publisher, you are notified. That way, you can choose to enable those signed macros or trust the publisher. All unsigned macros are disabled without notification.

I wonder what the setting is for newer editions of the Office progs. Maybe the ..bot kiddies are targeting a version that allows full functionality unless disabled. Sneaky buggers.

--- TB68.4.1/Win7
* Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)

Re: another one phishing for a bite
By: August Abolins to All on Tue Mar 31 2020 10:02 pm

Good job. I love doing that on the rare occasion I get an attachment. with xls I like to save them as zip files, then extract the components and dig around. It's silly simple how some of these trojans work.

We don't usually see them at work since I administer our content analysis system and it soaks everything up.
Daniel Traechin
--- SBBSecho 3.10-Win32
* Origin: Digital Distortion: digdist.synchro.net (1:340/7)

Hello Daniel!

** 07.04.20 - 00:03, Daniel wrote to August Abolins:

Good job. I love doing that on the rare occasion I get an attachment. with
xls I like to save them as zip files, then extract the components and dig
around. It's silly simple how some of these trojans work.

I think the originators deserve a reciprocation of their own medicine.

I have toyed with the idea of replying to the ones that request payment,
and just send back a message that says, details of payment "are ENCLOSED
in the attachment. Password is the same as you provided: 1234" ..and send back the file.

Many of these emails are so stupid. I despise those things. There should
be a away to block them right at the ISP/server side. I would rather not have them delivered to my mailbox in the first place. Why can't ISP's
block certain ip addresses right on the spot?

For example, I just received another blatantly stupid email:

====[begin]====

National Publication & Community of Professionals


Dear Valued Candidate,

Congratulations! You have been nominated for a spot in the 2020
Professional Who's Who publication. Starting the New Year with this level
of recognition, branding, and respect will help improve and accelerate
your career.

Please click here to update your professional profile.

<h##p://
www.landchimney.icu/ngciwnnkm/sxbrsa299506ffche/ DSEUPz2Pi5NzueG4_Al7eVyhpwSnBCBbwg5Ajju-YVw/ IQ8F8MJNPbbBwAj8KFO4xAi1FSWVS5ATDaZwBDpKL- aLTdGHchtIyBOogxjmk_Z2bga5uenmVAmLSc5WCCMlK_CtaiD8hE4m48AGRM91zfMqWEToT2aR 0JiVf9BTrc2c>

Include all your credentials and accomplishments. We want
to be sure we have the most accurate information for our publication team.

====[end]====

Part of the message header is:

Return-Path: <incidents@landchimney.icu>
Delivery-date: Tue, 07 Apr 2020 11:18:35 -0400
Received: from landchimney.icu ([93.177.102.132])
X-EN-OrigIP: 93.177.102.132
From: " Dorothy" <incidents@landchimney.icu>
Date: Tue, 07 Apr 2020 10:14:22 -0500
Subject: "Final steps" to your application approval!


It would be ideal to simply filter 93.177.*.* to the bit-bucket and leave
my own email program alone. I simply hate having to waste my own data
quota to even deal with them.

We don't usually see them at work since I administer our content analysis
system and it soaks everything up.

If I could automate a bit-bucket request to my ISP to "soak up"
93.177.*.*, that would be something useful for our computers to do.


../|ug

--- OpenXP 5.0.43
* Origin: /|ug's Point, Ont. CANADA (2:221/1.58)

Hi August!

07 Apr 2020 20:14, from August Abolins -> Daniel:

I think the originators deserve a reciprocation of their own medicine.

I have toyed with the idea of replying to the ones that request
payment, and just send back a message that says, details of payment
"are ENCLOSED in the attachment. Password is the same as you
provided: 1234" ..and send back the file.

And what should that do??
THEY know what they are doing.
THEY can deal with it nicely.

This is much better, and funnier:
https://www.youtube.com/watch?v=_QdPW8JrYzQ

Many of these emails are so stupid. I despise those things. There
should be a away to block them right at the ISP/server side. I would rather not have them delivered to my mailbox in the first place. Why can't ISP's block certain ip addresses right on the spot?

On what basis should they do so??

But there is a really easy and extremely effective way!
Greylisting.

It is extremely simple, and since I use it the spam mails dissappeared.

It simply refuses the first delivery of the mail.
The RFC says you need to retry, but the spambots never do.
In effect that gets rid of them.
The price you pay is a slight delay for every mail that you receive from a new address.

The other/additional method is to set up SpamAssassin.
It scores the mail and if the score is too high it does not accept it.
But it is much more complicated to set up and maintain.

CU, Ricsi

... All I ask is a chance to prove that money can't make me happy.
--- GoldED+/LNX
* Origin: Don't cloud the issue with logic. (2:310/31)

Re: another one phishing for a bite
By: August Abolins to Daniel on Tue Apr 07 2020 08:14 pm

Many of these emails are so stupid. I despise those things. There should
be a away to block them right at the ISP/server side. I would rather not have them delivered to my mailbox in the first place. Why can't ISP's
block certain ip addresses right on the spot?

I've spent quite a bit of my career in information security. Problem is, alot of them use SMTP services that have been maliciously taken over and used to spend phishing and spam campaigns. The community tends to blacklist them and work with the owners to clean their servers and lock them down.

Many of these servers are used for legitimate business and can impact other people. So, alot of ISP's don't block them for that reason.

I host my own mail server, so I subscribe to black hole lists. They keep updated listings of malicious services and remove them when clean. If my server receives an email from it, I never get it.

At my work, whenever I verify a spam campaign is hitting our employees, I send the email to our mail admins and they create filters.

That way, the emails are caught by content and then blocked. Then, you're not blocking legitimate emails.

Daniel Traechin
--- SBBSecho 3.10-Win32
* Origin: Digital Distortion: digdist.synchro.net (1:340/7)

Hello Daniel!

** 07.04.20 - 00:03, Daniel wrote to August Abolins:

Good job. I love doing that on the rare occasion I get an attachment. with
xls I like to save them as zip files, then extract the components and dig
around. It's silly simple how some of these trojans work.

I just received one that VirusTotal nor my local scanner detect any fault with.

But the email is:

Hey,
I'm James Smith and I'm interested in a position at your company.
I think I would be a wonderful to your company.
I've added a copy of my resume.


Thank you!

--
James Smith

And the attached file is: James Smith Resume.xls (169kb)

A binary look at it doesn't reveal any clues at all. The vast majority of the chars are totally non-ascii.

The salient parts of the header are:

Received: from o3.2e.shared.sendgrid.net ([50.31.60.24])
X-EN-OrigIP: 50.31.60.24
Received: from t-online.de (unknown)
From: "James Smith" <63@jdscentral.com>
Subject: Job
Message-ID: <4269CC6C.3461899@jdscentral.com>
Date: Thu, 09 Apr 2020 11:15:42 +0000 (UTC)
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101
Thunderbird/38.0.0

Meanwhile, I discovered https://www.joesandbox.com/ Looks impressive.
Does anyone here use that?

../|ug

--- OpenXP 5.0.43
* Origin: /|ug's Point, Ont. CANADA (2:221/1.58)

Hello Richard!

** 08.04.20 - 08:07, Richard Menedetter wrote to August Abolins:

I have toyed with the idea of replying to the ones that request
payment, and just send back a message..

And what should that do??

Maybe start to annoy THEM?

THEY know what they are doing.

I imagine that they might just have a stupid "clerk" who just might be clueless enough to click.

THEY can deal with it nicely.

Yes.. most of this stuff is automated. Mass deliveries of these emails and then when activated by the payload, more automation takes over. I know.. it's just robot waiting for robot.

This is much better, and funnier:
https://www.youtube.com/watch?v=_QdPW8JrYzQ

I remember seeing that several years ago. It was fun to see it again. Meanwhile another one of his that deals with "Unsubscribe". It's worth looking up if YT doesn't already queue it up in the side panel.

Things like that do help to snuff out the fire of frustration that builds
up in me.

One thing for sure.. the spammers have succeeded in spawning a market to document these "adventures" by people who then capitalize on the rewards
that YT provides. What's the pay-out from YT these days? $1000 per
million hits. $100 per 100,000 hits?

The one called "More adventures in replying to scam.." by the same fellow seems even funnier. It has a great finale!

I can relate when he says that "part of me just wants to annoy THEM as
much as they annoy US."

This one by another fellow is pretty good too:


"OK - Let's Tell The Scammer I Already Have The Money"

https://www.youtube.com/watch?v=9eYdGGfObKk

Many of these emails are so stupid. I despise those things. There
should be a away to block them right at the ISP/server side. I would
rather not have them delivered to my mailbox in the first place. Why
can't ISP's block certain ip addresses right on the spot?

On what basis should they do so??

Invasion of privacy for one thing.

How long would you tolerate someone knocking at your door to talk to you after you've told them to go away? And then they would just continue.

How long would you tolerate someone pricking you with a pin at the back of your neck after you've told them to stop coming near you?

Many other examples, but privacy is the salient point.

But there is a really easy and extremely effective way!
Greylisting.

It simply refuses the first delivery of the mail...

Very nice. Perhaps some isps already implement that without my knowing.
But sadly, the odd spam still slips through?

The other/additional method is to set up SpamAssassin.
It scores the mail and if the score is too high it does not accept it.
But it is much more complicated to set up and maintain.

That one sounds very familiar. Good to know that there are solutions that ISPs can implement. But whatever is being done, is not good enough.


../|ug

--- OpenXP 5.0.43
* Origin: /|ug's Point, Ont. CANADA (2:221/1.58)

Hi August!

09 Apr 2020 10:31, from August Abolins -> Richard Menedetter:

I have toyed with the idea of replying to the ones that request
payment, and just send back a message..

And what should that do??

Maybe start to annoy THEM?

Nope :)

This is much better, and funnier:
https://www.youtube.com/watch?v=_QdPW8JrYzQ

I remember seeing that several years ago. It was fun to see it again.

This one has nothing to do with spam, but I think it is quit funny: https://www.youtube.com/watch?v=f5d8pVg3Qtg

How long would you tolerate someone pricking you with a pin at the
back of your neck after you've told them to stop coming near you?

Just use greylisting and/or a baysian spam filter

The other/additional method is to set up SpamAssassin.
It scores the mail and if the score is too high it does not accept
it. But it is much more complicated to set up and maintain.

That one sounds very familiar. Good to know that there are solutions
that ISPs can implement. But whatever is being done, is not good
enough.

Change your mail provider :)

CU, Ricsi

... My Chili recipe is in violation of the nuclear proliferation treaty.
--- GoldED+/LNX
* Origin: If you can't make it work, make a statistic of it. (2:310/31)

Hello Richard!

** 09.04.20 - 19:20, Richard Menedetter wrote to August Abolins:

This one has nothing to do with spam, but I think it is quit funny:
https://www.youtube.com/watch?v=f5d8pVg3Qtg

Getting "Video unavailable - The uploader has not made this video
available in your country."


../|ug

--- OpenXP 5.0.43
* Origin: /|ug's Point, Ont. CANADA (2:221/1.58)

Hello Richard!

** 09.04.20 - 19:20, Richard Menedetter wrote to August Abolins:

Maybe start to annoy THEM?

Nope :)

"Annoy" them back is truly the best approach. This guy is hilarious:

"Telephone spam_scam problem_ Bring in the robots. _ Roger Anderson _ TEDxNaperville"

https://www.youtube.com/watch?v=UXVJ4JQ3SUw

Too funny!

The phone service he mentions at the end sounds like fun to give a try.

I had an uncle who tackled these things with humour and style. "Thank you
for calling. I don't get out very much. Do you get out much? I'd love to tell you about my aunt in the old country..." ..and he would just keep talking or tell a story.

I do something similar, but instead of talking, I just tell them I need to check the door.. or that I have a call coming in on the other line.. and I place the caller on hold. There are long periods when the phone is wonderfully free of telemarketers. But when they reoccur, a polite
"Please hold" routine seems to start reducing them again.

That one sounds very familiar. Good to know that there are solutions
that ISPs can implement. But whatever is being done, is not good
enough.

Change your mail provider :)

Most of them seem to get "caught" and moved to the Junk folder on the ISP webmail side. With basic pop/smtp I don't get bothered by the Junk folder contents. But when I occassionally require to use the webmail login,
there is a great satisfaction to delete the Junk folder in bulk.


../|ug

--- OpenXP 5.0.43
* Origin: /|ug's Point, Ont. CANADA (2:221/1.58)

Re: another one phishing for a bite
By: August Abolins to Richard Menedetter on Thu Apr 09 2020 16:21:00

This one has nothing to do with spam, but I think it is quit funny:
https://www.youtube.com/watch?v=f5d8pVg3Qtg

Getting "Video unavailable - The uploader has not made this video available in your country."

it is a vid from Conan, the night time TV talk show guy with red hair... it loads fine here... it should load fine for you up there in canada... at least, that's where you were the last i recall... i think... maybe...


)\/(ark
--- SBBSecho 3.10-Linux
* Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)

Hi August!

09 Apr 2020 16:21, from August Abolins -> Richard Menedetter:

This one has nothing to do with spam, but I think it is quit
funny:
https://www.youtube.com/watch?v=f5d8pVg3Qtg

Getting "Video unavailable - The uploader has not made this video available in your country."

It is called "James Veitch Is A Terrible Roommate".
Maybe you can find it somewhere.

CU, Ricsi

... I took up exercising so that I could hear heavy breathing again.
--- GoldED+/LNX
* Origin: If plugging it in doesn't help, turn it on. (2:310/31)

Re: another one phishing for a bite
By: August Abolins to Daniel on Thu Apr 09 2020 09:20 am

I use nxtoolbox to have it pick apart the header. If the xls didn't have anything in it and if virustotal didn't detect anything, it's no guarantee it's clean either. The email address in the header is fake as hell.

Daniel Traechin
--- SBBSecho 3.10-Win32
* Origin: Digital Distortion: digdist.synchro.net (1:340/7)

On 09/04/2020 6:42 p.m., mark lewis : August Abolins wrote:

https://www.youtube.com/watch?v=f5d8pVg3Qtg

Getting "Video unavailable - The uploader has not made this
video available in your country."

it is a vid from Conan, the night time TV talk show guy with red
hair... it loads fine here... it should load fine for you up
there in canada... at least, that's where you were the last i
recall... i think... maybe...

:)

Physically in Canada (at this time), but hopping bitwise between Italy, Finland,
and Australia too much? :( I can get confused.

I've seen a few other JV's videos. I get the jist. Good for him to have monetized his adventures with YT.



--
Quoted with Reformator/Quoter. Info = https://tinyurl.com/sxnhuxc

--- TB68.4.1/Win7
* Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)