2016-10-03
Discovering new archiving methods... via malware
In the incoming spam this morning:

    See attached Bill Of Laden.
    [-- Attachment #2: Shipping_Documents.ace --]

I had never heard of .ace files, but I miss some developments. So I asked:

    $ file Shipping_Documents.ace
    Shipping_Documents.ace: ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid

So it is an archiving format, better described at ACE (compression file format) - Wikipedia. There is an unace for Linux, and this gave me:

    RFQ#0929919882.exe: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
    c04e10a084657473828a03a97c82f0a9  RFQ#0929919882.exe

Which is obviously not shipping documents but an executable. Looking at the file showed some dangerous function names.
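The two `file` verdicts above rest on magic bytes: `**ACE**` at offset 7 of an ACE main header, and the `MZ`/`PE\0\0` headers with optional-header magic 0x20B for PE32+. The check below, written for this post and not part of the original, does the same identification in Python and flags attachments whose declared extension does not match their content; `ACE_SAMPLE` and `PE_SAMPLE` are constructed headers, not the real attachment, and the function names are my own.

```python
import struct

ACE_MAGIC = b"**ACE**"  # offset 7 of the ACE main header, after CRC16, size, type and flags

def is_ace(data: bytes) -> bool:
    """True if the bytes start with an ACE archive main header."""
    return len(data) >= 14 and data[7:14] == ACE_MAGIC

def pe_info(data: bytes):
    """Return (machine, pe32plus) for a PE image, or None if the bytes are not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    # the optional header begins 24 bytes after the "PE\0\0" signature
    (opt_magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return machine, opt_magic == 0x20B

def classify(data: bytes) -> str:
    """Label content by what the bytes are, not by the name the sender chose."""
    if is_ace(data):
        return "ACE archive"
    info = pe_info(data)
    if info:
        machine, plus = info
        arch = {0x8664: "x86-64", 0x14C: "i386"}.get(machine, hex(machine))
        return f"{'PE32+' if plus else 'PE32'} executable, {arch}"
    return "other"

def name_lies(filename: str, data: bytes) -> bool:
    """True when the declared extension does not match the detected content."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    label = classify(data)
    if label.startswith("PE32"):
        return ext not in {"exe", "dll"}  # executable behind a document-like name
    if label == "ACE archive":
        return ext != "ace"
    return False

# Constructed samples (not real malware): a bare ACE main header and a minimal PE32+ x86-64 header.
ACE_SAMPLE = b"\x00\x00\x31\x00\x00\x00\x00" + ACE_MAGIC + bytes(40)
_pe = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40))          # e_lfanew = 0x40
_pe += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)  # COFF header
_pe += struct.pack("<H", 0x20B) + bytes(0xEE)                             # PE32+ optional header
PE_SAMPLE = bytes(_pe)

if __name__ == "__main__":
    for name, blob in [("Shipping_Documents.ace", ACE_SAMPLE), ("RFQ.exe", PE_SAMPLE), ("invoice.pdf", PE_SAMPLE)]:
        print(name, "->", classify(blob), "| name lies:", name_lies(name, blob))
```

A real gateway would still need to open the ACE container (as unace did here) to classify what it holds; this only tells you the outer file type and whether the name is honest.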