
malicious email campaign ?

Posted: 2017-04-02 14:16
by GarryRicketson
It is hard to believe anybody would fall for the e-mails and actually
open the attachment.

https://www.bleepingcomputer.com/news/s ... ie-trojan/

Disclaimer: I have no idea how accurate the article is, but just thought
it might be of interest, since we do have quite a few members here that
do use github and windows.

Re: malicious email campaign ?

Posted: 2017-04-02 14:47
by dasein
Even if it's entirely accurate, it's describing a self-extracting zip file that executes PowerShell commands via MS Word macros. (Specific to Windows, inert in Linux.)

Re: malicious email campaign ?

Posted: 2017-04-04 17:06
by millpond
What I find even more amazing is that there are github developers who do not disable macros in Word, if they use Win at all.

Even more incredible is anyone opening an SFX...
(On purpose!!!!)

Re: malicious email campaign ?

Posted: 2017-04-04 17:27
by GarryRicketson
In any event, since we do have a lot of members that still use windows, and also use github, it is something they should be aware of.
To be careful.

Re: malicious email campaign ?

Posted: 2017-04-04 17:48
by debiman
why is this even newsworthy?
fake recruitment emails with malware aren't exactly a new idea.
so some scammer thought, hmm, let's try github users, promise them a coding job, sure they will open the attachment (harharhar)! :facepalm:

Re: malicious email campaign ?

Posted: 2017-04-04 18:04
by GarryRicketson
You're right it isn't really "news" in that sense, as for "news worthy",..I don't know,..
I suppose that depends entirely what interests one has,..I mean to some people
the only "news worthy" news is the latest sport results, others , well other events,..
I am glad you find it humorous, and get a laugh, out of it,..it is kind of funny,
I don't use windows, so it really is a non issue to me, but felt like sharing it
with others,..
Here : https://hackademix.net/2017/01/27/targe ... evelopers/
I doubt many of us would fall for this stuff, but I felt a heads up was in order nonetheless ;)
Update

As soon as I published this post I checked my inbox and there was another one...
Update 2

It looked like a VBA macro malware, indeed. Thanks Ludovic for reminding me of Virustotal.
So any way, thanks for the responses, and good to see someone is getting
a laugh out of it.

Re: malicious email campaign ?

Posted: 2017-04-10 01:51
by pendrachken
millpond wrote:What I find even more amazing is that there are github developers who do not disable macros in Word, if they use Win at all.

Even more incredible is anyone opening an SFX...
(On purpose!!!!)

I haven't used anything with macros in word in... forever, but I think you also have to exclusively enable them through a dialog that warns you that it is probably a really, very, totally bad idea. Oh, and that is after Word has to be exclusively taken out of read only mode for downloaded files (don't know 100% if this is needed for files that were zipped).

Re: malicious email campaign ?

Posted: 2017-04-13 03:42
by millpond
The real threat these days is the PDF format. It too has macros, and some hacker sites have been selling scripts that claim to pwn (backdoor) systems that open them. Foxit automatically disables the macros, but it makes it inconvenient for texts where references are clickable links that expedite learning material.

The Mozilla based email clients blow chunks. There are a whole bunch of addons, and nothing that I could find to disable scripting. Adblockers galore, but nothing resembling No-Script. Plus I have a site explicitly labelled as DELETE that icedove insists on displaying. There really needs to be utilities that parse the email cache and blacklist the sender of any boogers, or warn if already in contact list. And then delete the offending messages. Havoc can still be wrought with only user level accounts, and python, perl, and java are platform agnostic.

Probably the only safe email these days is to run Forte Agent with html and attachments turned *off*. Or else run thunderbird in a VM.

Re: malicious email campaign ?

Posted: 2017-04-13 07:51
by debiman
millpond wrote:The real threat these days is the PDF format. It too has macros
i heard about these, but i thought that was a particularly gruesome detail of a past that even windows users have put behind them?
do linux pdf viewers even support macro execution? or how else could this even do any harm on a linux system?

Re: malicious email campaign ?

Posted: 2017-04-16 06:28
by millpond
Here is how it is done with Win:
https://blog.didierstevens.com/2010/03/ ... -from-pdf/

It functions by calling cmd.

While bash scripts I believe must be set to executable 'x' to run, this is not necessarily true for script languages.

In my user account I can have 'perl ./foo.pl' execute foo.pl without execute permissions.

now what if foo.pl contained:
system (rm -rf ~) ????

In reality it can contain a wget command, and run another perl script. (or Python, as it's the most used hacker language).

The only real advantage of a user level file access is that the damage is contained to the user account by a malicious script.

However the problem is that so many utilities and programs these days are confined to the user accounts. Which is a major problem, IMHO.

Personally I do not keep valuable data in my user account. It's expendable by design.
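Pulling together the attachment types the thread talks about (a self-extracting archive, which is just a Windows .exe; a Word document carrying a VBA project; a PDF whose catalog has an /OpenAction, /Launch or /JavaScript entry of the kind Didier Stevens' post demonstrates), here is an added example of the sort of inbox triage utility millpond wishes existed. It is not code from any poster or from the linked articles: it parses one message, walks the attachments (looking one level into ordinary zips), and reports why each one deserves a second look before anyone opens it. The sample mail, the .docm and the PDF are constructed inline, and the flagged extensions and PDF name tokens are lists chosen for this example, not any standard.

```python
from __future__ import annotations

import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment kinds discussed in the thread. These lists are constructed for the
# example: a self-extracting archive (SFX) is a plain Windows executable; Office
# Open XML documents are zip containers whose macros live in a vbaProject.bin
# member; PDF name tokens such as /OpenAction, /Launch and /JavaScript are what
# let a document run something when it is opened.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js"}
OFFICE_ZIP_EXT = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
PDF_RISKY_NAMES = re.compile(rb"/(Launch|JavaScript|JS|OpenAction|AA|EmbeddedFile)\b")
MAX_ZIP_DEPTH = 2  # stop unpacking nested zips after this many levels


def office_has_vba(data: bytes) -> bool:
    """True if an Office Open XML container carries a VBA project (word/, xl/ or ppt/vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def pdf_risky_keywords(data: bytes) -> list[str]:
    """Name tokens in the raw PDF that can trigger an action on open, in order of first appearance.

    Plain keyword scanning only: names written with #-escapes or hidden inside
    compressed object streams are missed, so an empty result means 'nothing
    obvious', not 'safe'."""
    seen: list[str] = []
    for m in PDF_RISKY_NAMES.finditer(data):
        token = m.group(0).decode("ascii")
        if token not in seen:
            seen.append(token)
    return seen


def triage_attachment(filename: str, data: bytes, depth: int = 0) -> list[str]:
    """Return the reasons (possibly none) why this attachment deserves a second look."""
    reasons: list[str] = []
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""

    # SFX archives and other droppers are executables, whatever their icon suggests.
    if ext in EXECUTABLE_EXT or data[:2] == b"MZ":
        reasons.append(f"{filename}: Windows executable (self-extracting archives are .exe files)")

    if ext in OFFICE_ZIP_EXT and office_has_vba(data):
        reasons.append(f"{filename}: Office document contains a VBA macro project")

    if ext == ".pdf" or data[:5] == b"%PDF-":
        names = pdf_risky_keywords(data)
        if names:
            reasons.append(f"{filename}: PDF uses {', '.join(names)}")

    # Ordinary zips are looked inside, one level at a time, up to a fixed depth.
    if ext == ".zip":
        if depth >= MAX_ZIP_DEPTH:
            reasons.append(f"{filename}: zip nested deeper than {MAX_ZIP_DEPTH} levels, not unpacked")
        else:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        inner = f"{filename}/{info.filename}"
                        reasons.extend(triage_attachment(inner, zf.read(info), depth + 1))
            except zipfile.BadZipFile:
                reasons.append(f"{filename}: named .zip but does not parse as one")
    return reasons


def triage_message(raw: bytes) -> list[str]:
    """Parse one raw e-mail message and triage every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: list[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed attachment)"
        payload = part.get_payload(decode=True) or b""
        reasons.extend(triage_attachment(name, payload))
    return reasons


def build_sample_message() -> bytes:
    """Constructed sample: a 'job offer' mail with a macro-enabled .docm (a zip holding a
    stub vbaProject.bin) and a PDF whose catalog has an /OpenAction running JavaScript."""
    msg = EmailMessage()
    msg["From"] = "recruiter@example.invalid"
    msg["To"] = "developer@example.invalid"
    msg["Subject"] = "Coding position - job description attached"
    msg.set_content("Please review the attached description and offer.")

    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE header only, no real code
    msg.add_attachment(docm.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Job_Description.docm")

    pdf = (b"%PDF-1.4\n"
           b"1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n"
           b"%%EOF\n")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="Offer.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for reason in triage_message(build_sample_message()):
        print(reason)
```

Run against a saved .eml this prints one line per suspicious attachment; on the constructed sample it flags the .docm for its VBA project and the PDF for /OpenAction, /JavaScript and /JS. The PDF check is deliberately the crude first pass: Didier Stevens' pdfid normalises #-escaped names and counts the same tokens properly, and anything compressed into object streams needs a real parser, so a clean result here is a reason to keep looking, not to open the file.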