malicious email campaign ?

If it doesn't relate to Debian, but you still want to share it, please do it here

malicious email campaign ?

Postby GarryRicketson » 2017-04-02 14:16

It is hard to believe anybody would fall for the e-mails and actually
open the attachment.

https://www.bleepingcomputer.com/news/security/github-users-targeted-with-dimnie-trojan/

Disclaimer: I have no idea how accurate the article is, but just thought
it might be of interest, since we do have quite a few members here that
do use github and windows.
Last edited by GarryRicketson on 2017-04-04 18:06, edited 1 time in total.
GarryRicketson
 
Posts: 3758
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: malicious email campaign ?

Postby dasein » 2017-04-02 14:47

Even if it's entirely accurate, it's describing a self-extracting zip file that executes PowerShell commands via MS Word macros. (Specific to Windows, inert in Linux.)
dasein
 
Posts: 7261
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: malicious email campaign ?

Postby millpond » 2017-04-04 17:06

What I find even more amazing is that there are github developers who do not disable macros in Word, if they use Win at all.

Even more incredible is anyone opening an SFX...
(On purpose!!!!)
millpond
 
Posts: 581
Joined: 2014-06-25 04:56

Re: malicious email campaign ?

Postby GarryRicketson » 2017-04-04 17:27

In any event, since we do have a lot of members that still use windows, and also use github, it is something they should be aware of.
To be careful.
GarryRicketson
 
Posts: 3758
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: malicious email campaign ?

Postby debiman » 2017-04-04 17:48

why is this even newsworthy?
fake recruitment emails with malware aren't exactly a new idea.
so some scammer thought, hmm, let's try github users, promise them a coding job, sure they will open the attachment (harharhar)! :facepalm:
debiman
 
Posts: 826
Joined: 2013-03-12 07:18

Re: malicious email campaign ?

Postby GarryRicketson » 2017-04-04 18:04

You're right, it isn't really "news" in that sense, as for "news worthy",..I don't know,..
I suppose that depends entirely what interests one has,..I mean to some people
the only "news worthy" news is the latest sport results, others , well other events,..
I am glad you find it humorous, and get a laugh, out of it,..it is kind of funny,
I don't use windows, so it really is a non issue to me, but felt like sharing it
with others,..
Here : https://hackademix.net/2017/01/27/targeted-email-attack-against-open-source-developers/
I doubt many of us would fall for this stuff, but I felt a heads up was in order nonetheless ;)
Update

As soon as I published this post I checked my inbox and there was another one...
Update 2

It looked like a VBA macro malware, indeed. Thanks Ludovic for reminding me of Virustotal.


So any way, thanks for the responses, and good to see some one is getting
a laugh out of it.
GarryRicketson
 
Posts: 3758
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: malicious email campaign ?

Postby pendrachken » 2017-04-10 01:51

millpond wrote:What I find even more amazing is that there are github developers who do not disable macros in Word, if they use Win at all.

Even more incredible is anyone opening an SFX...
(On purpose!!!!)



I haven't used anything with macros in word in... forever, but I think you also have to exclusively enable them through a dialog that warns you that it is probably a really, very, totally bad idea. Oh, and that is after Word has to be exclusively taken out of read only mode for downloaded files ( don't know 100% if this is needed for files that were zipped ).
fortune -o
Your love life will be... interesting.
:twisted: How did it know?

The U.S. uses the metric system too, we have tenths, hundredths and thousandths of inches :-P
pendrachken
 
Posts: 1242
Joined: 2007-03-04 21:10
Location: U.S.A. - WI.

Re: malicious email campaign ?

Postby millpond » 2017-04-13 03:42

The real threat these days is the PDF format. It too has macros, and some hacker sites have been selling scripts that claim to pwn(backdoor) systems that open them. Foxit automatically disables the macros, but it makes it inconvenient for texts where references are clickable links that expedite learning material.

The Mozilla based email clients blow chunks. There is a whole bunch of addons, and nothing that I could find to disable scripting. Adblockers galore, but nothing resembling No-Script. Plus I have sites explicitly labelled as DELETE that icedove insists on displaying. There really needs to be utilities that parse the email cache and blacklist the sender of any boogers, or warn if already in contact list. And then delete the offending messages. Havoc can still be wrought with only user level accounts, and python, perl, and java are platform agnostic.

Probably the only safe email these days is to run Forte Agent with html and attachments turned *off*. Or else run thunderbird in a VM.
millpond
 
Posts: 581
Joined: 2014-06-25 04:56
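A minimal version of the mailbox-scanning utility the post above asks for, added here as an example and not code from any poster or project: it walks a local mbox, flags messages whose attachments are of the lure types discussed in this thread (macro-enabled Office documents, archives, executables), and reports whether the sender is already in a contact list. The mailbox contents, sender addresses and contact list are constructed for the demo.

```python
# Added example: flag mail whose attachments match the lure types in this thread
# (macro-enabled Office files, archives, executables) and note unknown senders.
import email.utils
import mailbox
import os
import tempfile
from email.message import EmailMessage

RISKY_EXT = {".docm", ".dotm", ".xlsm", ".pptm", ".exe", ".scr", ".zip", ".js", ".vbs"}

def risky_attachments(msg):
    """Filenames of attachments whose extension is in RISKY_EXT."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and os.path.splitext(p.get_filename())[1].lower() in RISKY_EXT]

def scan_mbox(path, contacts):
    """(sender address, risky filenames, sender in contacts) for each flagged message."""
    hits = []
    for msg in mailbox.mbox(path):
        addr = email.utils.parseaddr(msg.get("From", ""))[1].lower()
        risky = risky_attachments(msg)
        if risky:
            hits.append((addr, risky, addr in contacts))
    return hits

def build_sample_mbox(path):
    """Constructed mailbox: one fake recruiter lure with a .docm, one clean message."""
    box = mailbox.mbox(path)
    lure = EmailMessage()
    lure["From"] = "HR Team <recruiter@example.invalid>"  # constructed sender
    lure["Subject"] = "Developer position - job description attached"
    lure.set_content("Please open the attached description and reply.")
    lure.add_attachment(b"PK\x03\x04", maintype="application",
                        subtype="vnd.ms-word.document.macroEnabled.12",
                        filename="Job_Description.docm")
    box.add(lure)
    clean = EmailMessage()
    clean["From"] = "alice@example.invalid"
    clean["Subject"] = "meeting notes"
    clean.set_content("Notes attached.")
    clean.add_attachment("agenda and decisions", filename="notes.txt")
    box.add(clean)
    box.close()

def demo():
    """Build the sample mailbox in a temp dir and scan it against a one-entry contact list."""
    path = os.path.join(tempfile.mkdtemp(), "inbox.mbox")
    build_sample_mbox(path)
    return scan_mbox(path, contacts={"alice@example.invalid"})
```

Pointing scan_mbox at a real Icedove/Thunderbird folder file (its local mail folders are plain mbox) with your own address book exported as a set of addresses gives the "warn on unknown sender with a macro document" check the post describes.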

Re: malicious email campaign ?

Postby debiman » 2017-04-13 07:51

millpond wrote:The real threat these days is the PDF format. It too has macros

I heard about these, but I thought that was a particularly gruesome detail of a past that even windows users have put behind them?
Do linux pdf viewers even support macro execution? Or how else could this even do any harm on a linux system?
debiman
 
Posts: 826
Joined: 2013-03-12 07:18

Re: malicious email campaign ?

Postby millpond » 2017-04-16 06:28

Here is how it is done with Win:
https://blog.didierstevens.com/2010/03/ ... -from-pdf/

It functions by calling cmd.

While bash scripts I believe must be set to executable 'x' to run, this is not necessarily true for script languages.

In my user account I can have 'perl ./foo.pl' execute foo.pl without execute permissions.

now what if foo.pl contained :
system (rm -rf ~) ????

In reality it can contain a wget command, and run another perl script. (Or Python, as it's the most used hacker language.)

The only real advantage of a user level file access is that the damage is contained to the user account by a malicious script.

However the problem is that so many utilities and programs these days are confined to the user accounts. Which is a major problem, IMHO.

Personally I do not keep valuable data in my user account. It's expendable by design.
millpond
 
Posts: 581
Joined: 2014-06-25 04:56
