Malware via Email


I can tell just by looking what kind of malware this is likely to be.

I imagine that many people don’t look forward to getting malware on their machines, but I do. It’s great – as a person who fights this sort of thing on a regular basis, the “enemy” is kind enough to regularly send information on what they’re doing, complete with “weaponized” samples for analysis.

This one didn’t get caught as spam, which of course it wouldn’t, since it’s addressed to a legitimate address. (I have a catchall, so anything to that domain will go to my main address — it’s how I set up all my emails for this reason.) It also doesn’t contain any text, so there’s nothing to do Bayesian or other filtering on, which means SpamAssassin (which is enabled on the mail server) can’t operate. The subject is one word and legitimate, so it made it into my Inbox.

The document itself is fairly nasty. Obviously you can see that Mailmate (the best email programme for Mac by far) shows that it’s an MS Word document with an enabled macro. Immediately people should recognise this as malware, as macros can be used to do all sorts of things. This is what the Blue Coat Malware Analysis appliance shows it to be doing:


We get all this information in just sixty seconds!

Blue Coat already knows the file to be malicious; that makes sense, considering how many web requests we see every day and the likelihood that others got this file (particularly in Eastern timezones) before I did. When the file runs, it attempts to connect to command and control, and also attempts to delete the Windows Shadow Copies, which is a common trick that malware uses before it then encrypts personal files for ransom. (This is likely one of the cryptolocker or associated variants, but I’ve not taken the time to find out which.) Of course, there’s also the macro element, which is found and picked up immediately too.
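The macro-enabled attachment is the part a mail server can check for itself before any sandbox runs it. Below is an added example (my own, not the post’s or the appliance’s code) that parses a constructed .eml in memory, ignores the sender-controlled Content-Type, and flags any OOXML attachment that carries a VBA project part; the message and attachments are built inline, and the file names are made up.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Word, Excel and PowerPoint OOXML files all store VBA under this part name.
VBA_PART_SUFFIX = "vbaProject.bin"

def build_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML zip (not a real document) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA blob
    return buf.getvalue()

def attachment_has_vba(data: bytes) -> bool:
    """True if the bytes are an OOXML zip containing a VBA project part."""
    if not data.startswith(b"PK"):
        return False  # legacy OLE .doc files are out of scope for this check
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.endswith(VBA_PART_SUFFIX) for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def find_macro_attachments(raw_eml: bytes) -> list:
    """Return the names of attachments in an .eml that carry a VBA project."""
    msg = email.message_from_bytes(raw_eml, policy=default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""  # decoded attachment bytes
        if attachment_has_vba(payload):
            flagged.append(part.get_filename() or "<unnamed>")
    return flagged

def build_sample_eml() -> bytes:
    """Constructed message: one-word subject, empty body, two attachments."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("")  # no body text, so nothing for Bayesian filters to score
    # Both are sent as octet-stream: the declared type is the sender's choice,
    # so the check above inspects the bytes rather than trusting it.
    msg.add_attachment(build_ooxml(True), maintype="application",
                       subtype="octet-stream", filename="invoice.docm")
    msg.add_attachment(build_ooxml(False), maintype="application",
                       subtype="octet-stream", filename="notes.docx")
    return msg.as_bytes()
```

Running `find_macro_attachments(build_sample_eml())` returns `['invoice.docm']`; the plain .docx is not flagged.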

I’ve been examining in my second book (sign up to preview here!) why certain things in cybersecurity can be difficult, but when your opponents send you their handiwork, that’s not one of them!