Hi there,

This morning an attempt was made by Digitalocean IP 143.110.237.196 to
send to us a message which contains two malicious attachments.  The two
attachments are almost identical:

8<----------------------------------------------------------------------
$ atool -l AWB\ #\ 5763190392.DOC.zip
Archive: AWB # 5763190392.DOC.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
   729600  2022-09-06 02:27   AWB # 5763190392.DOC.exe
---------                     -------
   729600                     1 file

$ atool -l MFT_5763190392.DOCS.zip
Archive: MFT_5763190392.DOCS.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
   729600  2022-09-06 02:27   MFT_5763190392.DOCS.exe
---------                     -------
   729600                     1 file
8<----------------------------------------------------------------------

Both are .ZIP archives containing PE32 executables:

8<----------------------------------------------------------------------
$ file AWB\ #\ 5763190392.DOC.zip
AWB # 5763190392.DOC.zip: Zip archive data, at least v2.0 to extract
$ unzip AWB\ #\ 5763190392.DOC.zip
Archive:  AWB # 5763190392.DOC.zip
  inflating: AWB # 5763190392.DOC.exe
$ file AWB\ #\ 5763190392.DOC.exe
AWB # 5763190392.DOC.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
8<----------------------------------------------------------------------

8<----------------------------------------------------------------------
$ file MFT_5763190392.DOCS.zip
MFT_5763190392.DOCS.zip: Zip archive data, at least v2.0 to extract
$ unzip MFT_5763190392.DOCS.zip
Archive:  MFT_5763190392.DOCS.zip
  inflating: MFT_5763190392.DOCS.exe
$ file MFT_5763190392.DOCS.exe
MFT_5763190392.DOCS.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
8<----------------------------------------------------------------------

The two executables are identical:

8<----------------------------------------------------------------------
-rw-r--r--  1 ged ged 729600 Sep  6 02:27 'AWB # 5763190392.DOC.exe'
-rw-r--r--  1 ged ged 729600 Sep  6 02:27  MFT_5763190392.DOCS.exe
$ md5sum AWB\ #\ 5763190392.DOC.exe  MFT_5763190392.DOCS.exe
6e15bfd980e87e26ba7f3cf5e488a35d  AWB # 5763190392.DOC.exe
6e15bfd980e87e26ba7f3cf5e488a35d  MFT_5763190392.DOCS.exe
8<----------------------------------------------------------------------

Curiously enough, ClamAV detected one of the executables as malicious
(as usual by one of the Sanesecurity signatures), while the other was
not detected by ClamAV at all:

8<----------------------------------------------------------------------
$ clamdscan AWB\ #\ 5763190392.DOC.zip
/home/ged/AWB # 5763190392.DOC.zip: Sanesecurity.Foxhole.Zip_fs2087.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 37.597 sec (0 m 37 s)
8<----------------------------------------------------------------------

(Our scanner runs on a Pi4B, remote from the mail server.  It isn't quick. :/)

8<----------------------------------------------------------------------
$ clamdscan MFT_5763190392.DOCS.zip
/home/ged/MFT_5763190392.DOCS.zip: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 42.715 sec (0 m 42 s)
8<----------------------------------------------------------------------

On manually submitting the archive files to Jotti, one of the other
virus scanners (f-secure) had a similar issue:

8<----------------------------------------------------------------------
AWB\ #\ 5763190392.DOC.zip ...//alpha.local.jubileegroup.co.uk/perl/jotti.pl?submit=Jotti+Scan&3e8...
8<----------------------------------------------------------------------
Read 1 parts, length=526974
Summary:
Name:   3e8ab82e437e15159f5f2156719570767190c7e99d05086a595b6f7afaa4e0f2-526974.txt
Size:   514.62kB (526,974 bytes)
Type:   Zip archive
First seen:     September 6, 2022 at 11:33:23 AM GMT+2
MD5:    e3d0a3017ebb112ec0da6fa750cc66ca
SHA1:   f55c1cd28f213152d80b86a1f2e70f568a7fdd94
Status: Scan finished. 11/15 scanners reported malware.
Scan taken on:  September 6, 2022 at 11:33:25 AM GMT+2
Results:
https://www.avast.com           Sep 6, 2022     Win32:PWSX-gen
https://www.bitdefender.com     Sep 6, 2022     Trojan.GenericKD.61801737
https://www.clamav.net          Sep 6, 2022     Found nothing
https://www.cyren.com           Sep 6, 2022     W32/MSIL_Troj.CIX.gen!Eldorado
https://www.drweb.com           Sep 6, 2022     Found nothing
https://www.escanav.com         Sep 6, 2022     Trojan.GenericKD.61801737
https://www.fortinet.com        Sep 6, 2022     PossibleThreat
https://www.f-secure.com        Sep 6, 2022     Heuristic.HIDDENEXT/Worm.Gen
https://www.gdatasoftware.com   Sep 6, 2022     MSIL.Trojan-Stealer.AgentTesla.XHY925
https://www.ikarus.at           Sep 6, 2022     Trojan.MSIL.Inject
https://www.k7computing.com/... Sep 6, 2022     Trojan ( 0058f5f91 )
https://www.kaspersky.com       Sep 6, 2022     Found nothing
https://www.sophos.com          Sep 6, 2022     Mal/DrodZp-A
https://www.trendmicro.com      Sep 5, 2022     Found nothing
https://anti-virus.by/en        Sep 5, 2022     CIL.HeapOverride.Heur
8<----------------------------------------------------------------------

8<----------------------------------------------------------------------
MFT_5763190392.DOCS.zip
...//alpha.local.jubileegroup.co.uk/perl/jotti.pl?submit=Jotti+Scan&c4a...
8<----------------------------------------------------------------------
Read 1 parts, length=526972
Summary:
Name:   c4aaad95656e3310c25ea6e9108a937e6b637508e35a6566ce41de0fc8d21c33-526972.txt
Size:   514.62kB (526,972 bytes)
Type:   Zip archive
First seen:     September 6, 2022 at 11:34:26 AM GMT+2
MD5:    019b3d4ca6a68f132d3346bcfe702b9a
SHA1:   30de6997d691192223b562f5e389a97363e98941
Status: Scan finished. 10/15 scanners reported malware.
Scan taken on:  September 6, 2022 at 11:34:27 AM GMT+2
Results:
https://www.avast.com           Sep 6, 2022     Win32:PWSX-gen
https://www.bitdefender.com     Sep 6, 2022     Trojan.GenericKD.61801737
https://www.clamav.net          Sep 6, 2022     Found nothing
https://www.cyren.com           Sep 6, 2022     W32/MSIL_Troj.CIX.gen!Eldorado
https://www.drweb.com           Sep 6, 2022     Found nothing
https://www.escanav.com         Sep 6, 2022     Trojan.GenericKD.61801737
https://www.fortinet.com        Sep 6, 2022     PossibleThreat
https://www.f-secure.com        Sep 6, 2022     Found nothing
https://www.gdatasoftware.com   Sep 6, 2022     MSIL.Trojan-Stealer.AgentTesla.XHY925
https://www.ikarus.at           Sep 6, 2022     Trojan.MSIL.Inject
https://www.k7computing.com/... Sep 6, 2022     Trojan ( 0058f5f91 )
https://www.kaspersky.com       Sep 6, 2022     Found nothing
https://www.sophos.com          Sep 6, 2022     Mal/Generic-S
https://www.trendmicro.com      Sep 5, 2022     Found nothing
https://anti-virus.by/en        Sep 5, 2022     CIL.HeapOverride.Heur
8<----------------------------------------------------------------------

We don't accept mail from unknown Digitalocean IPs, and, in any case,
there was no danger to us from the message as we run no Windows boxes.
Since it triggered no fewer than seven Yara rules here, our automated
system has already submitted it to the ClamAV virus team.

It seems to me that just changing the name of the attached archive
file can hide it from at least some scanners.  I'd be very happy to
send the mail or the attachments to anyone who'd like to investigate.

Steve, the automated system didn't report to Sanesecurity because of
the detection of one of the attachments, but if you'd like to see it
separately please let me know.

--

73,
Ged.
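The point of the report above is that the same executable slipped past some scanners once the outer ZIP was renamed. As an added example (not part of Ged's message, and not ClamAV or Sanesecurity code), here is a small Python check that ignores the archive's own name and judges only what is inside: it flags members with a document-then-executable double extension or a PE header under a non-executable name, and links archives that carry byte-identical payloads. The samples are constructed in memory with an inert "MZ" stub, not the real attachment, and the extension sets are illustrative.

```python
import hashlib
import io
import zipfile

# Illustrative sets: document types a recipient expects, and executable
# types that should never sit behind them (extend for real use).
DOCUMENT_EXTS = {"doc", "docs", "docx", "pdf", "xls", "xlsx", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def inspect_archive(data: bytes) -> dict:
    """List inner members with SHA-256 hashes and flag suspicious ones.
    The ZIP's own file name is ignored on purpose: the verdict depends
    only on the contents, not on what the sender called the archive."""
    members, suspicious = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            payload = zf.read(info)
            members.append((info.filename, hashlib.sha256(payload).hexdigest()))
            parts = info.filename.lower().rsplit(".", 2)
            # "name.DOC.exe": a document extension followed by an executable one
            double_ext = (len(parts) == 3 and parts[1] in DOCUMENT_EXTS
                          and parts[2] in EXECUTABLE_EXTS)
            # PE magic inside a member that is not even named as an executable
            hidden_pe = payload[:2] == b"MZ" and parts[-1] not in EXECUTABLE_EXTS
            if double_ext or hidden_pe:
                suspicious.append(info.filename)
    return {"members": members, "suspicious": suspicious}


def shared_payloads(archives: dict) -> dict:
    """Map each inner-file hash to every archive carrying it, so two ZIPs
    that differ only in their names are tied together by their payload."""
    seen = {}
    for name, data in archives.items():
        for _, digest in inspect_archive(data)["members"]:
            seen.setdefault(digest, []).append(name)
    return {d: names for d, names in seen.items() if len(names) > 1}


def build_zip(inner_name: str, payload: bytes) -> bytes:
    """Build a constructed sample archive in memory (not the real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


# Constructed stand-in for the attachment: an inert 'MZ' stub, not a real
# binary, packed under the two archive/member names quoted in the report.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real binary"
SAMPLES = {
    "AWB # 5763190392.DOC.zip": build_zip("AWB # 5763190392.DOC.exe", FAKE_PE),
    "MFT_5763190392.DOCS.zip": build_zip("MFT_5763190392.DOCS.exe", FAKE_PE),
}
```

Running `shared_payloads(SAMPLES)` returns one hash mapped to both archive names, and `inspect_archive` flags the `.DOC.exe` / `.DOCS.exe` member in each regardless of which ZIP name the sender chose.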
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users