Last Updated: 2016-08-23 12:21:59 UTC
by Xavier Mertens (Version: 1)
Bad guys need to constantly find new ways to lure their victims. Billing notifications were very common for a while, but not everybody in a company works with that kind of document. What do all types of notification have in common? All of them carry a phone number, and with modern communication channels ("Unified Communications") like Microsoft Lync or Cisco, anybody can receive an email with a voice mail notification. Even residential systems can deliver voice message notifications.
Here is an example displayed in Microsoft Outlook:
Today, I received a wave of emails like the following:
From: firstname.lastname@example.org
To: [redacted]
Subject: [Vigor2820 Series] New voice mail message from 01422520472 on 2016/08/23 15:55:25

Dear [redacted]:
There is a message for you from 01422520472, on 2016/08/23 15:55:25 . You might want to check it when you get a chance.
Thanks!
The sender is spoofed with the victim domain name. The following file was attached to the message:
$ unzip Message_from_01422520472.wav.zip
Archive:  Message_from_01422520472.wav.zip
    testing: 197577509502.wsf         OK
No errors detected in compressed data of Message_from_01422520472.wav.zip.
$ md5sum 197577509502.wsf
f2ee33a688a45b161d3191693196cb1d  197577509502.wsf
Note the '.wav.zip' extension used to lure the user. As usual, the payload is heavily obfuscated and the AV detection ratio is still very low (6/55 at 11:55:00 UTC).
Vigor is a UK company building residential ADSL modems. This suggests that the new wave is targeting residential customers.
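To turn the indicators above into a mail-gateway check, here is an added example (not part of the diary, and not a tool of the ISC) that flags a message on the traits of this wave: the voice mail subject line, a sender in the recipient's own domain, the media-looking '.wav.zip' name, a script file inside the archive, and the MD5 quoted above. The archive it inspects is a constructed stand-in holding an inert placeholder, not the real .wsf; the function and variable names are my own.

```python
import hashlib
import io
import re
import zipfile

# Script/executable extensions that have no business inside a "voice mail" archive.
SCRIPT_EXTS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".exe", ".scr"}
# Media-looking name that is really a zip, as in Message_from_<number>.wav.zip.
DOUBLE_EXT = re.compile(r"\.(wav|mp3|wma)\.zip$", re.IGNORECASE)
# Subject pattern of this wave; the number and timestamp vary per message.
VOICEMAIL_SUBJECT = re.compile(r"new voice ?mail message from \d+", re.IGNORECASE)
# MD5 of the .wsf reported in the diary.
KNOWN_BAD_MD5 = {"f2ee33a688a45b161d3191693196cb1d"}

def build_sample_zip() -> bytes:
    """Constructed stand-in for the attachment: a zip holding one .wsf member.
    The member body is an inert placeholder, not the real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("197577509502.wsf", "placeholder text, not a script payload")
    return buf.getvalue()

def check_message(subject: str, sender: str, recipient: str, filename: str, data: bytes) -> list:
    """Return the reasons an inbound message matches this lure (empty list = clean).
    Meant for mail arriving from outside; on internal mail the domain check is moot."""
    findings = []
    if VOICEMAIL_SUBJECT.search(subject):
        findings.append("subject mimics a voice mail notification")
    if sender.rsplit("@", 1)[-1].lower() == recipient.rsplit("@", 1)[-1].lower():
        findings.append("external message claims to come from the recipient's own domain")
    if DOUBLE_EXT.search(filename):
        findings.append(f"double extension on attachment: {filename}")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                ext = name[name.rfind("."):].lower() if "." in name else ""
                if ext in SCRIPT_EXTS:
                    findings.append(f"script file inside archive: {name}")
                digest = hashlib.md5(zf.read(name)).hexdigest()
                if digest in KNOWN_BAD_MD5:
                    findings.append(f"archive member matches known-bad MD5: {digest}")
    return findings

if __name__ == "__main__":
    for reason in check_message(
        "[Vigor2820 Series] New voice mail message from 01422520472 on 2016/08/23 15:55:25",
        "firstname.lastname@example.org", "someone@example.org",
        "Message_from_01422520472.wav.zip", build_sample_zip(),
    ):
        print("ALERT:", reason)
```

Any single finding is worth a quarantine review; the script-in-archive and double-extension checks catch later waves even when the phone number, subject wording and hash change.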
Here are the C2 servers (for your IDS):
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant