Tuesday, 12 November 2013

"Important - New Outlook Settings" spam / Outlook.zip

This spam email has a malicious attachment:

Date:      Tue, 12 Nov 2013 16:22:38 +0100 [10:22:38 EST]
From:      Undisclosed Recipients
Subject:      Important - New Outlook Settings

Please carefully read the attached instructions before updating settings.

This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt the file please use the following password: PaSdIaoQ

This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@victimdomain and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it. 
The body text of the spam contains a faked email address made to look like helpdesk@ the victim's domain. Attached to the email is a password-protected ZIP file Outlook.zip that has to be decoded with the PaSdIaoQ key in the body text of the email (hopefully intelligent people will realise that you wouldn't send the password with the encrypted attachment.. you'd have to be really daft to do that).

Unzipping the file gives a malicious executable Outlook.exe which has an icon designed to look like Microsoft Outlook.

The detection rate at VirusTotal is 5/45. Automated analysis tools [1] [2] show an attempted connection to dchamt.com on 216.157.85.173 (Peer 1 Dedicated Hosting, US). That IP address contains about 70 websites which may or may not be clean.

3 comments:

Bobbentbike said...

You may have to be daft to include an encryption key in the same message with the encrypted attachment, but that was good enough to thwart our email filter which has a rule to throw away any executable attachment, even in a zip. Our filter did tag the subject line with a caution alert.

Conrad Longmore said...

@Bobbentbike: spam filters vary widely, but they should be able to see the .exe extension in the ZIP catalog even if it is encrypted. Sometimes these things can be tweaked a little.

Grace said...

I work in IT and we had a user download and install the executable file. Does anyone have information on what happens if they do?