2016-03-14
High numbers of e-mails trying to infect systems
The attempts to infect systems via malicious JavaScript in e-mail are quite high at the moment, all of them trying to fake some urgency so that I open the attachment without checking. Some recent samples:

    Your credit card has been billed for $187,11. For the details about this transac tion, please see the ID: 12824622-12824622 transaction report attached.
    NOTE: This is the automatically generated message. Please, do not reply.

With:

    Archive:  /tmp/statistic_12824622.zip
      Length      Date    Time    Name
    ---------  ---------- -----   ----
         4055  2016-03-14 13:44   finance_LutQLF.js
    ---------                     -------

Or this attempt at creating urgency:

    Dear Citizen,
    We are contacting you on behalf of a local Traffic Violation Bureau. Our cameras have detected that the driver of the vehicle associated with your personal number on March 10th, 2016 has committed a violation of the rules with a code: 38430
    Unfortunately, we will have no other option rather than passing this case to the local police authorities.
    Please, see the report with the documents proofs attached for more information on this case.

    Archive:  /tmp/report_29613630.zip
      Length      Date    Time    Name
    ---------  ---------- -----   ----
         4055  2016-03-14 13:44   accent_VvMFoz.js
    ---------                     -------

And some mix of a standard message from some mail system with a company disclaimer:

    Your message is ready to be sent with the following file or link attachments:
    IMG_1414
    Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled.
    Please consider the environment before printing this email.
    E-mail messages may contain viruses, worms, or other malicious code. By reading the message and opening any attachments, the recipient accepts full responsibility for taking protective action against such code. Henry Schein is not liable for any loss or damage arising from this message.
    The information in this email is confidential and may be legally privileged. It is intended solely for the addressee(s). Access to this e-mail by anyone else is unauthorized.

Or this try:

    Our finance department has processed your payment, unfortunately it has been declined. Please, double check the information provided in the invoice (attached to this mail) and confirm your details.
    Thank you for understanding.
    Fermin Paul
    Project Manager

And one sent from ********@clicktravel.com with:

    Subject: Itinerary #A3E2719
    Date: Tue, 15 Mar 2016 12:21:01 -0200

    Please see document attached

    Archive:  /tmp/Hotel-Fax-V004X3R8_4983252052512314320.zip
      Length      Date    Time    Name
    ---------  ---------- -----   ----
         6994  2016-03-15 18:01   UMC7869178910.js
    ---------                     -------
         6994                     1 file

The attachment looks like somewhat readable JavaScript, but turns out to be quite obfuscated when I try to find out what it does:

    RXPBqXKexc = " if ( result == null ) { return operator === \"!=\"; } if ( !operator ) { return true; ";
    mowSJrO.splice(7, italianoI + 2);
    errol = mowSJrO[3 * 5 - 3 * 3].split("princeton").join("");
    var SsDEwXL = this[errol];
    cvVwbXTvf = "UjAVgFt";

Update: No real surprise: it is all Locky ransomware being spammed, according to "Massive Volume of Ransomware Downloaders being Spammed" (Trustwave) and other sources.
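All of the samples above share the same shape: a zip attachment holding a single .js file with a randomised name, and script text that hides its real strings behind a sentinel word which is stripped at runtime (the split("princeton").join("") line removes every occurrence of "princeton", so the name that is finally looked up via this[errol] never appears literally in the file). A mail gateway can flag that shape without running the script. The following is an added example written for this post, not code from the original page or from Trustwave: it inspects an in-memory zip attachment, reports script extensions, double extensions, the randomised name pattern seen here and the split/join idiom, and decides whether to quarantine. The extension lists are an assumed policy choice, and the sample archive it builds is a constructed stand-in that reuses only the member name and the one obfuscation line shown above, not the real downloader.

```python
import hashlib
import io
import re
import zipfile

# Extensions Windows hands to the script host or shell on double-click. The samples
# on the page used .js; the rest are the usual companions a gateway blocks with it
# (assumption: this list is a policy choice, not something the page prescribes).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1"}

# Document-like extensions that make a double extension (invoice.pdf.js) look harmless.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

# Name shape seen on the page: word, underscore, six random characters, .js
# (finance_LutQLF.js, accent_VvMFoz.js).
RANDOM_NAME = re.compile(r"^[A-Za-z]+_[A-Za-z0-9]{6}\.js$")

# The split("junk").join("") idiom from the page's snippet: a sentinel word is
# stripped at runtime so the real string never appears literally in the file.
SPLIT_JOIN = re.compile(r'\.split\(\s*["\'][^"\']+["\']\s*\)\s*\.join\(\s*["\']{2}\s*\)')


def inspect_zip_attachment(zip_bytes: bytes) -> list:
    """Inspect an in-memory zip attachment without extracting anything to disk.

    Returns one dict per file member: name, size, sha256 and a list of
    reasons (empty when nothing about the member looked suspicious).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1]          # ignore any directory prefix
            parts = base.lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in SCRIPT_EXTENSIONS:
                reasons.append("script extension " + ext)
            if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
                reasons.append("double extension ." + parts[-2] + ext)
            if RANDOM_NAME.match(base):
                reasons.append("randomised file name")
            data = zf.read(info)
            # Only scan script members for the obfuscation idiom; latin-1 never fails to decode.
            if ext in SCRIPT_EXTENSIONS and SPLIT_JOIN.search(data.decode("latin-1")):
                reasons.append("split/join string obfuscation")
            findings.append({
                "name": name,
                "size": info.file_size,
                "sha256": hashlib.sha256(data).hexdigest(),
                "reasons": reasons,
            })
    return findings


def should_quarantine(zip_bytes: bytes) -> bool:
    """True if any member of the archive triggered at least one reason."""
    return any(f["reasons"] for f in inspect_zip_attachment(zip_bytes))


def build_sample_zip() -> bytes:
    """Constructed stand-in for /tmp/statistic_12824622.zip from the page: same member
    name, but the content is only the one obfuscation line quoted in the post."""
    placeholder = 'errol = mowSJrO[3 * 5 - 3 * 3].split("princeton").join("");\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("finance_LutQLF.js", placeholder)
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control case: a zip holding only a plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("minutes.txt", "Nothing to see here.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_zip()), ("benign", build_benign_zip())):
        for f in inspect_zip_attachment(blob):
            print(label, f["name"], f["size"], f["sha256"][:12], f["reasons"] or "-")
        print(label, "quarantine:", should_quarantine(blob))
```

The sha256 of each member is kept so that a quarantined attachment can be matched against later reports without re-opening the archive; note that the two traffic-fine and credit-card samples above have identical sizes (4055 bytes) under different names, which is exactly the case a hash-per-member log makes visible.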